[Users] claws-mail does not remember password even though the "Remember with password manager" option is checked
lmfrm
lmfrm at nanogroup.xyz
Wed Mar 9 14:23:40 CET 2022
"DM: I am not sure if gnome-keyring necessarily controls this behavior
or whether it's just a program that stores and handles whatever the
broader system tells it to."
It's clear to me now the password I'm being prompted for isn't the
account password. It's the PGP key password. I know this because the
prompt that arises follows the rules I set in ~/.gnupg/gpg-agent.conf.
Further, I can tell for a fact that with a PGP-enabled account, as
configured per Configuration -> Edit accounts -> [account] / Edit ->
Plugins / GPG / S/MIME -> Sign key / [radio button] Specify key
manually -> [User or key ID]-- that Claws must necessarily obtain the
PGP keys from gpg-agent per the specified key ID, and it cannot fetch
the associated keys without entering the password. That's just how
gnupg works. The passwords are there to protect private keys from being
accessed by just anyone.
I don't know about other distros, but for Linux Mint, removing gnupg /
gpg-agent is not an option. Doing so removes all kinds of dependencies,
including many popular software packages, and even basic
functionalities of Linux Mint including the signing keys for the repos.
I would test remove it just to see how Claws reacts but I can already
tell that it would have no way of obtaining the keys because the gnupg
keyring is the only place these keys are stored and you can only access
them with a password, hence the prompt.
Based on these facts, logic demands you can't say Claws isn't
consulting gnupg / gpg-agent. It must consult some kind of gpg keyring,
whether gnupg or something else--whatever the distro ships with or
whatever the user installs. Somehow it must connect to a keyring to
obtain the keys. If that is not the case, then please tell me where is
Claws storing my private keys? Claws is not storing the PGP keys
anywhere. It only stores the key IDs, and I don't believe it's caching
the PGP keys, because if that's where it's getting them gnupg would not
be prompting me. There is nothing in my system that is interfering with
Claws. Gnupg is responding to a request from Claws, whether or not
Claws is aware of the exact source. Claws knows the system stores the
keys somewhere, and obviously asks the system for it. In my case, the
password prompt I'm getting is unmistakably from gnupg. Changing the
'pinentry-program' setting in ~/.gnupg/gpg-agent.conf proves this, as
it alters the behavior of the prompt I'm getting. Also, Claws' behavior
is the same regardless of whether gnome-keyring is even installed or
not.
So the question is, how does Claws know where to fetch the PGP keys?
You know, to decrypt and encrypt e-mails? Somewhere in the code it must
ask the system, "What is the default installed PGP keyring?" and,
"Please request the key associated with key ID ########." Before gnupg
can supply it, it prompts for the password with its own window, or with
'pinentry-program' set to '/usr/bin/pinentry-tty' it prompts for the
password in the terminal. The key ID is the short format, which you can
derive with 'gpg --list-secret-keys --keyid-format short'. The key IDs
are stored in ~/.claws-mail/accountrc setting
'privacy_prefs=gpg=[blob],smime=[blob]' and are per account.
So passwordrc only stores the account password, not to be confused with
the gpg password, and accountrc stores only the key ID. The PGP key and
associated passwords are not stored anywhere in ~/.claws-mail that I'm
aware of. If somehow I'm mistaken please let me know and show me exactly
where. The directory contents are very simple and I would see it if it
were there. It would stick out like a sore thumb because PGP keys are
big. Even if they were stored there you'd still need a password prompt
to encrypt/decrypt using those keys (unless none was specified) and I
don't believe that PGP password is stored with Claws.
...Now, if there is a way to force Claws to use gnome-keyring that
would seem to eliminate the password prompt issue. Someone e-mailed the
mailing list already:
https://users.claws-mail.narkive.com/kygShbnv/claws-mail-and-gnome-keyring-manager-seahorse
If there were any replies to that please forward them to me; they might
help me resolve my issue. From my research, it does not appear there is
a way to bypass the gnupg password unless you strip the password from
the PGP key, which of course is not secure. Though, neither is storing
the key with gnome-keyring and having it share the key freely with any
application run as the logged in user. But I might be willing to do
that if there's a way to solve the issue in the above link.
The only other thing to research is if there's a way to get gnupg to
fetch the PGP key password from KeePassXC. If that can be done, then
problem solved.
Re: logs. ~/.claws-mail/claws.log shows:
"[2022-03-09 05:31:25] * message: Account '[account_name]': Connecting to IMAP server: [imap_server]:993...
[2022-03-09 05:31:27] IMAP< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
[2022-03-09 05:31:27] * message: IMAP connection is un-authenticated
[2022-03-09 05:31:27] IMAP> 1 CAPABILITY
[2022-03-09 05:31:27] IMAP< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN
[2022-03-09 05:31:27] IMAP< 1 OK Pre-login capabilities listed, post-login capabilities have more.
[2022-03-09 05:31:27] IMAP> Logging [account_name] to [imap_server] using CRAM-MD5
[2022-03-09 05:31:32] IMAP< Logged in
[2022-03-09 05:31:32] IMAP< Login to [imap_server] successful"
I can't make any sense of the above. There are no system logs
containing any info about Claws or gnupg / gpg-agent, otherwise I would
post them here.
"I think the clue to your problem is in the transfer of your settings.
Check the permissions of your .claws-mail directory, perhaps something
is not writable"
Although the switch to a new OS is when it started prompting me heavily
for the pass, I don't think the transfer of settings is the culprit...
When I backup my settings I preserve permissions so whatever
permissions were there before are here now, whether I use 'cp -rp' or
rsync with equivalent setting. Also, given my above observations it
would appear this isn't related; it looks like a gnupg / gpg-agent
issue, and with a major OS upgrade (from a years old version to a brand
spanking new version) it wouldn't surprise me at all if the new gpg
behaves very differently.
Nonetheless, the permissions are mostly -rw------- for all Claws
settings and my user owns every file, folder, and everything. I don't
know what group members or others would need access but just in case,
I'm making all files -rw-rw-r-- (chmod 664). The directories are all
drwx------ but I'm making them all drwxrwx--- (chmod 770). As expected
this doesn't solve the issue.
On Wed, 9 Mar 2022 10:02:19 +0600
Dustin Miller <dustbiz at gmail.com> wrote:
>
>
> --- Start of PGP/Inline encrypted data ---
> On Tue, 8 Mar 2022 20:26:46 -0600
> lmfrm <lmfrm at nanogroup.xyz> wrote:
>
> > No response from the Mint forum. This claws mailing list was my last
> > hope.
> >
> > I removed gnome-keyring and it did not stop the behavior.
> >
> DM: I am not sure if gnome-keyring necessarily controls this behavior
> or whether it's just a program that stores and handles whatever the
> broader system tells it to.
> >
> > Gpg-agent is essential ...
> >
> > If that is causing this behavior there's nothing I can do except try
> > to contact gnupg, ...
> >
> > If Claws did not have an explicit dependency on other packages such
> > as keyrings or gnupg then it should not consult them for passwords
> > or keys.
> >
> DM: Since you've installed Claws in the broader system, it's possible
> that Claws is not the one consulting them. It could be that it is
> simply trying to do something, but the overall system is configured in
> such a way that that action triggers the system (or some other
> program) to give you the window you're seeing. (For example,
> sometimes when I open my browser to go to a website, the system (not
> the browser) pops up a window requesting me to enter a password in
> order to access the network.)
>
> DM: My guess is that you'll be 'spinning your wheels' a bit on this
> until you figure out what is actually causing the behavior you don't
> want. Perhaps your system has logs that you could check for that? You
> could try running Claws from the command-line in order to see output
> in the terminal, in case that helps. You could do the same and add the
> '--debug' option for possibly more output. I think it will be hard for
> someone else to figure out what's causing the issue unless they have
> access to your system or you're able to provide more detailed info.
> HTH, ---Dustin
> >
> >
> > On Wed, 9 Mar 2022 07:40:01 +0600
> > Dustin Miller <dustbiz at gmail.com> wrote:
> >
> > >
> > >
> > > --- Start of PGP/Inline encrypted data ---
> > > On Tue, 8 Mar 2022 15:53:33 -0600
> > > lmfrm <lmfrm at nanogroup.xyz> wrote:
> > >
> > > > "Remember with password manager" is not from Claws Mail. This
> > > > sentence appears nowhere in Claws Mail. So whatever is asking to
> > > > remember your password is not Claws Mail."
> > > >
> > > DM: I use Linux Mint as well, and I'm guessing this is related to
> > > gnome-keyring or something similar that is system-wide and is
> > > meant to work as a built-in password manager storage area. I
> > > don't really use anything like that, so I don't know much about
> > > it, other than that sometimes (often) on my system's first
> > > attempt (of a session) to access the network / internet (by
> > > whatever program) I have to enter the password that it 'forced'
> > > me to create. I think there are ways to disable it, but I haven't
> > > found any that are 'easy' and/or seemed 'secure', so I just put
> > > up with it.
> > > >
> > > > "Claws Mail is not a gnome program and has nothing to do with
> > > > gnome-keyring...Your gpg-agent settings will control your
> > > > interaction with gpg on your system, not specifically in Claws
> > > > Mail."
> > > >
> > > > Well something is causing Claws to use gnome-keyring and/or
> > > > gpg-agent when it's installed. I don't know enough about how my
> > > > system works under the hood to comment further on that aspect.
> > > > All I see is what's going on on the surface.
> > > >
> > > DM: I would guess you should focus on finding out what is causing
> > > what. It's possible that this is not a Claws issue, so you might
> > > find better help / advice elsewhere. ---Dustin
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.claws-mail.org
> > > https://lists.claws-mail.org/cgi-bin/mailman/listinfo/users
> > > --- End of PGP/Inline encrypted data ---
> > >
> > >
> >
>
> --- End of PGP/Inline encrypted data ---
>
>
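
The message above says the files under ~/.claws-mail were changed to 664 and the directories to 770, and that passwordrc holds the account password. The following is an added example, not part of the original message or of Claws Mail: a POSIX shell check that lists anything in the profile that group or others can access, and that can restore the owner-only modes (-rw------- and drwx------) the message says the profile had before. The function names and the optional "fix" argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a Claws Mail profile for group/other access.
# 600/700 are the modes the message says the profile had originally.

# Print every file or directory under $1 that grants any permission
# bit to group or others (symlinks skipped: their own mode is meaningless).
loose_paths() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Restore owner-only access: 700 on directories, 600 on regular files.
tighten() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Report only by default; pass "fix" as the second argument to also tighten.
profile="${1:-$HOME/.claws-mail}"
if [ -d "$profile" ]; then
    loose_paths "$profile"
    if [ "${2:-}" = "fix" ]; then tighten "$profile"; fi
fi
```

With no arguments the script only reports on ~/.claws-mail; an empty listing means nothing in the profile is exposed to group or others.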