Re: Missing pinentry-emacs for gpg-agent?
From: Vladimir Sedach
Subject: Re: Missing pinentry-emacs for gpg-agent?
Date: Tue, 27 Mar 2018 13:22:23 -0700
User-agent: mu4e 1.0-alpha3; emacs 25.3.1
> I'm sorry to steal a potential contribution to Guix, but you could try:
>
> ‘M-x view-emacs-news’:
>
> * New Modes and Packages in Emacs 25.1
>
> ** pinentry.el allows GnuPG passphrase to be prompted through the
> minibuffer instead of a graphical dialog, depending on whether the
> gpg command is called from Emacs (i.e., INSIDE_EMACS environment
> variable is set). This feature requires newer versions of GnuPG
> (2.1.5 or later) and Pinentry (0.9.5 or later). To use this
> feature, add "allow-emacs-pinentry" to "~/.gnupg/gpg-agent.conf" and
> reload the configuration with "gpgconf --reload gpg-agent".
The two work together, and using pinentry-emacs in my experience seems
to be the only reliable way to have pinentry work with the Emacs
minibuffer.
With pinentry-curses and allow-emacs-pinentry and
allow-loopback-pinentry gpg-agent options, I would still have
gpg-agent prompt for the passphrase in a curses box on the Linux
virtual terminal when running Emacs in X on Debian, whenever the agent
cache TTL would expire (so it would prompt in the minibuffer when
first started, then would prompt in the VT where X was started from on
later attempts).
pinentry-emacs is part of the standard pinentry sources, but its build
is disabled by default. Apparently everyone thinks that Emacs is a
"significant security risk," so no distributions seem to ship it. Here
is a discussion about the issue in Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854797
To me the arguments presented in that discussion against
pinentry-emacs are total nonsense. Any other software the user loads
or that gets compromised to allow remote execution can query gpg-agent
and read all your encrypted files. Same deal with installing an X11
key logger to capture the secret key passphrase. Some of the arguments
are just bogus (e.g., "/tmp/emacs$UID/pinentry is not a sensible
choice of paths, since it is within a world-writable directory" <- has
that person ever heard of mktemp?).
My recommendation, as a heavy user of Emacs and GPG, is for Guix to
build pinentry with --enable-pinentry-emacs, which provides the
pinentry-emacs executable as an option for users.
Vladimir
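As an added example, not code from this thread, from Guix or from GnuPG: a small POSIX shell helper that applies the configuration the quoted NEWS entry describes (append allow-emacs-pinentry to gpg-agent.conf, then gpgconf --reload gpg-agent) without ever duplicating the line, creates the configuration directory with private permissions, and optionally pins pinentry-program to a particular binary such as a pinentry-emacs built with --enable-pinentry-emacs. It assumes GnuPG 2.1.5 or later and pinentry 0.9.5 or later, as the NEWS entry requires; the function names and the optional pinentry-program step are this example's own, and the reload step is skipped where gpgconf is not installed.

```shell
#!/bin/sh
# Added example, not from the thread: enable the Emacs minibuffer pinentry
# in a gpg-agent.conf idempotently. Assumes GnuPG >= 2.1.5 and pinentry
# >= 0.9.5, as the quoted NEWS entry requires. Function names are this
# example's own.

# option_enabled CONF OPTION: succeed if OPTION appears uncommented in CONF
# (leading whitespace allowed; "#option" and "optionX" do not count).
option_enabled() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# configure_emacs_pinentry CONF: create CONF with private permissions if
# needed and append "allow-emacs-pinentry" exactly once. gpg-agent warns
# about unsafe permissions on ~/.gnupg, so the directory is created 0700.
configure_emacs_pinentry() {
    conf=$1
    confdir=$(dirname "$conf")
    [ -d "$confdir" ] || mkdir -m 0700 "$confdir" || return 1
    [ -f "$conf" ] || : > "$conf"
    chmod 0600 "$conf"
    option_enabled "$conf" allow-emacs-pinentry && return 0
    printf '%s\n' allow-emacs-pinentry >> "$conf"
}

# set_pinentry_program CONF PATH: point the agent at a specific pinentry
# binary (e.g. a pinentry-emacs built with --enable-pinentry-emacs),
# replacing any earlier pinentry-program line rather than adding a second.
set_pinentry_program() {
    conf=$1
    prog=$2
    tmp="$conf.tmp.$$"
    { grep -Ev '^[[:space:]]*pinentry-program([[:space:]]|$)' "$conf" || :; } > "$tmp"
    printf 'pinentry-program %s\n' "$prog" >> "$tmp"
    chmod 0600 "$tmp"
    mv "$tmp" "$conf"
}

# pinentry_program CONF: print the configured pinentry path, or nothing.
pinentry_program() {
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$1" | tail -n 1
}

# reload_agent: make a running agent re-read its configuration; skipped
# silently where gpgconf is not installed (e.g. a build host).
reload_agent() {
    command -v gpgconf >/dev/null 2>&1 || return 0
    gpgconf --reload gpg-agent
}

# Usage against the real configuration:
#   conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
#   configure_emacs_pinentry "$conf" && reload_agent
```

The config file is rewritten through a temporary file in the same directory and moved into place, so a reload never observes a half-written gpg-agent.conf; matching options on a word boundary avoids mistaking a commented-out or longer option name for an enabled one.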