unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
@ 2023-11-09  6:56 Ulrich Mueller
       [not found] ` <handler.67012.B.169951307615474.ack@debbugs.gnu.org>
  2023-11-15 14:02 ` Eli Zaretskii
  0 siblings, 2 replies; 21+ messages in thread
From: Ulrich Mueller @ 2023-11-09  6:56 UTC (permalink / raw)
  To: 67012

I was originally trying to sign e-mail messages with S/MIME using
mml-secure-sign-smime followed by message-send, which fails when I
customize epg-pinentry-mode as loopback.

The problem also occurs with epa-sign-file, which is easier to reproduce
(because it doesn't need as much configuration). So I am reporting the
bug for this command.

To reproduce, emacs -Q, then execute in the *scratch* buffer:

   (write-region "hello\n" nil "hello.txt")
   (require 'epa)

   (let ((epg-pinentry-mode 'loopback)
         (epa-protocol 'CMS))
     (epa-sign-file
      "hello.txt"
      (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t)
      'normal))

This asks interactively to select a key. After doing so, it fails with
the following error (shown in an "*Error* (EPA Info)" buffer):

   Error while signing with "/usr/bin/gpgsm":

   gpgsm: ignoring gpg-agent inquiry 'PASSPHRASE'
   gpgsm: error creating signature: No passphrase given <GPG Agent>

Debugger *Backtrace* (key IDs x-ed out):

   Debugger entered--Lisp error: (epg-error "Sign failed" "")
     signal(epg-error ("Sign failed" ""))
     epa-sign-file("hello.txt" (#s(epg-key :owner-trust nil :sub-key-list (#s(epg-sub-key :validity nil :capability (encrypt sign) :secret-p nil :algorithm 1 :length 4096 :id "XXXXXXXXXXXXXXXX" :creation-time 20231107 :expiration-time 20251106 :fingerprint "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")) :user-id-list (#s(epg-user-id :validity nil :string (("CN" . "Ulrich Müller") ("OU" . "Institut fuer Kernphysik") ("O" . "Johannes Gutenberg-Universitaet Mainz") ("L" . "Mainz") ("ST" . "Rheinland-Pfalz") ("C" . "DE")) :signature-list nil) #s(epg-user-id :validity nil :string "<ulm@uni-mainz.de>" :signature-list nil)))) normal)
     (let ((epg-pinentry-mode 'loopback) (epa-protocol 'CMS)) (epa-sign-file "hello.txt" (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t) 'normal))
     (progn (let ((epg-pinentry-mode 'loopback) (epa-protocol 'CMS)) (epa-sign-file "hello.txt" (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t) 'normal)))
     eval((progn (let ((epg-pinentry-mode 'loopback) (epa-protocol 'CMS)) (epa-sign-file "hello.txt" (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t) 'normal))) t)
     elisp--eval-last-sexp(t)
     eval-last-sexp(t)
     eval-print-last-sexp(nil)
     funcall-interactively(eval-print-last-sexp nil)
     call-interactively(eval-print-last-sexp nil nil)
     command-execute(eval-print-last-sexp)

When I change epg-pinentry-mode to ask or epa-protocol to OpenPGP in
the let-binding, things work as expected. In other words, only the
combination of S/MIME and pinentry loopback fails.

   |          | OpenPGP | CMS   |
   |----------+---------+-------|
   | ask      | works   | works |
   | loopback | works   | fails |

I use pinentry-gnome3, in case this should matter:

   $ readlink /usr/bin/pinentry
   pinentry-gnome3


In GNU Emacs 29.1 (build 1, x86_64-pc-linux-gnu, X toolkit, cairo
 version 1.18.0) of 2023-10-24 built on localhost
Windowing system distributor 'The X.Org Foundation', version 11.0.12101009
System Description: Gentoo Linux

Configured using:
 'configure --prefix=/usr --build=x86_64-pc-linux-gnu
 --host=x86_64-pc-linux-gnu --mandir=/usr/share/man
 --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc
 --localstatedir=/var/lib --datarootdir=/usr/share
 --disable-silent-rules --docdir=/usr/share/doc/emacs-29.1-r5
 --htmldir=/usr/share/doc/emacs-29.1-r5/html --libdir=/usr/lib64
 --program-suffix=-emacs-29 --includedir=/usr/include/emacs-29
 --infodir=/usr/share/info/emacs-29 --localstatedir=/var
 --enable-locallisppath=/etc/emacs:/usr/share/emacs/site-lisp
 --without-compress-install --without-hesiod --without-pop
 --with-file-notification=inotify --with-pdumper --enable-acl
 --with-dbus --with-modules --with-gameuser=:gamestat --with-libgmp
 --with-gpm --without-native-compilation --without-json
 --without-kerberos --without-kerberos5 --with-lcms2 --with-xml2
 --without-mailutils --without-selinux --with-small-ja-dic
 --without-sqlite3 --with-gnutls --without-libsystemd --with-threads
 --without-tree-sitter --without-wide-int --with-sound=alsa --with-zlib
 --with-x --without-pgtk --without-ns --without-gconf --with-gsettings
 --without-toolkit-scroll-bars --with-xpm --with-xft --with-cairo
 --with-harfbuzz --with-libotf --with-m17n-flt --with-x-toolkit=lucid
 --with-xaw3d --with-gif --with-jpeg --with-png --with-rsvg --with-tiff
 --without-webp --with-imagemagick --with-dumping=pdumper
 'CFLAGS=-march=native -ggdb -O2 -pipe' 'LDFLAGS=-Wl,-O1
 -Wl,--as-needed''

Configured features:
ACL CAIRO DBUS FREETYPE GIF GLIB GMP GNUTLS GPM GSETTINGS HARFBUZZ
IMAGEMAGICK JPEG LCMS2 LIBOTF LIBXML2 M17N_FLT MODULES NOTIFY INOTIFY
PDUMPER PNG RSVG SECCOMP SOUND THREADS TIFF X11 XAW3D XDBE XIM XINPUT2
XPM LUCID ZLIB

Important settings:
  value of $LC_CTYPE: en_GB.UTF-8
  value of $LC_TIME: en_GB.UTF-8
  value of $LANG: POSIX
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  show-paren-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  line-number-mode: t
  indent-tabs-mode: t
  transient-mark-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t

Load-path shadows:
None found.






^ permalink raw reply	[flat|nested] 21+ messages in thread

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
       [not found] ` <handler.67012.B.169951307615474.ack@debbugs.gnu.org>
@ 2023-11-09  9:46   ` Ulrich Mueller
  2023-11-09 11:21     ` Eli Zaretskii
  0 siblings, 1 reply; 21+ messages in thread
From: Ulrich Mueller @ 2023-11-09  9:46 UTC (permalink / raw)
  To: 67012

Investigating a little further, I see that gpgsm is invoked like this:

   /usr/bin/gpgsm --no-tty --status-fd 1 --yes --output hello.txt.p7m --pinentry-mode loopback --sign -u XXXXXXXXXXXXXXXX -- hello.txt

I believe that the --passphrase-fd option is missing there.

Trying from the command line, the following works:

   $ /usr/bin/gpgsm --no-tty --status-fd 1 --yes --output hello.txt.p7m --pinentry-mode loopback --passphrase-fd 0 --sign -u XXXXXXXXXXXXXXXX -- hello.txt

It expects a passphrase from stdin (without a prompt), and after
entering that, signing will succeed.

Then again, when I hack function epg--start to add "--passphrase-fd" "0"
to args, the error no longer occurs, but now gpgsm hangs (waiting for
input)? Also Emacs doesn't prompt for a passphrase.

So looks like something else is still missing.





^ permalink raw reply	[flat|nested] 21+ messages in thread

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-09  9:46   ` Ulrich Mueller
@ 2023-11-09 11:21     ` Eli Zaretskii
  2023-11-09 11:43       ` Ulrich Mueller
  0 siblings, 1 reply; 21+ messages in thread
From: Eli Zaretskii @ 2023-11-09 11:21 UTC (permalink / raw)
  To: Ulrich Mueller; +Cc: 67012

> From: Ulrich Mueller <ulm@gentoo.org>
> Date: Thu, 09 Nov 2023 10:46:08 +0100
> 
> Investigating a little further, I see that gpgsm is invoked like this:
> 
>    /usr/bin/gpgsm --no-tty --status-fd 1 --yes --output hello.txt.p7m --pinentry-mode loopback --sign -u XXXXXXXXXXXXXXXX -- hello.txt
> 
> I believe that the --passphrase-fd option is missing there.
> 
> Trying from the command line, the following works:
> 
>    $ /usr/bin/gpgsm --no-tty --status-fd 1 --yes --output hello.txt.p7m --pinentry-mode loopback --passphrase-fd 0 --sign -u XXXXXXXXXXXXXXXX -- hello.txt
> 
> It expects a passphrase from stdin (without a prompt), and after
> entering that, signing will succeed.
> 
> Then again, when I hack function epg--start to add "--passphrase-fd" "0"
> to args, the error no longer occurs, but now gpgsm hangs (waiting for
> input)? Also Emacs doesn't prompt for a passphrase.

Isn't this one more manifestation of the GnuPG 2.4.1?  See the entry
in etc/PROBLEMS whose heading is "Saving a file encrypted with GnuPG
via EasyPG hangs".

IOW, if you downgrade to an older version of GnuPG, do both problems
go away?

Thanks.





^ permalink raw reply	[flat|nested] 21+ messages in thread

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-09 11:21     ` Eli Zaretskii
@ 2023-11-09 11:43       ` Ulrich Mueller
  0 siblings, 0 replies; 21+ messages in thread
From: Ulrich Mueller @ 2023-11-09 11:43 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 67012

>>>>> On Thu, 09 Nov 2023, Eli Zaretskii wrote:

> Isn't this one more manifestation of the GnuPG 2.4.1?  See the entry
> in etc/PROBLEMS whose heading is "Saving a file encrypted with GnuPG
> via EasyPG hangs".

AFAICS this is a different problem.

> IOW, if you downgrade to an older version of GnuPG, do both problems
> go away?

My original report was with gnupg-2.4.3. I've tried again after
downgrading to gnupg-2.2.41, but the behaviour is basically the same.
The only difference is an additional line in the error message:

   Error while signing with "/usr/bin/gpgsm":

   gpgsm: DBG: adding certificates at level -2
   gpgsm: ignoring gpg-agent inquiry 'PASSPHRASE'
   gpgsm: error creating signature: No passphrase given <GPG Agent>

I see no change either when I add --passphrase-fd 0 to the args in
epg--start. That is, gpgsm still hangs as reported above.





^ permalink raw reply	[flat|nested] 21+ messages in thread

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-09  6:56 bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME Ulrich Mueller
       [not found] ` <handler.67012.B.169951307615474.ack@debbugs.gnu.org>
@ 2023-11-15 14:02 ` Eli Zaretskii
  2023-11-15 15:07   ` Michael Albinus
  1 sibling, 1 reply; 21+ messages in thread
From: Eli Zaretskii @ 2023-11-15 14:02 UTC (permalink / raw)
  To: Ulrich Mueller, Michael Albinus; +Cc: 67012

> From: Ulrich Mueller <ulm@gentoo.org>
> Date: Thu, 09 Nov 2023 07:56:47 +0100
> 
> I was originally trying to sign e-mail messages with S/MIME using
> mml-secure-sign-smime followed by message-send, which fails when I
> customize epg-pinentry-mode as loopback.
> 
> The problem also occurs with epa-sign-file, which is easier to reproduce
> (because it doesn't need as much configuration). So I am reporting the
> bug for this command.
> 
> To reproduce, emacs -Q, then execute in the *scratch* buffer:
> 
>    (write-region "hello\n" nil "hello.txt")
>    (require 'epa)
> 
>    (let ((epg-pinentry-mode 'loopback)
>          (epa-protocol 'CMS))
>      (epa-sign-file
>       "hello.txt"
>       (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t)
>       'normal))
> 
> This asks interactively to select a key. After doing so, it fails with
> the following error (shown in an "*Error* (EPA Info)" buffer):
> 
>    Error while signing with "/usr/bin/gpgsm":
> 
>    gpgsm: ignoring gpg-agent inquiry 'PASSPHRASE'
>    gpgsm: error creating signature: No passphrase given <GPG Agent>
> 
> Debugger *Backtrace* (key IDs x-ed out):
> 
>    Debugger entered--Lisp error: (epg-error "Sign failed" "")
>      signal(epg-error ("Sign failed" ""))
>      epa-sign-file("hello.txt" (#s(epg-key :owner-trust nil :sub-key-list (#s(epg-sub-key :validity nil :capability (encrypt sign) :secret-p nil :algorithm 1 :length 4096 :id "XXXXXXXXXXXXXXXX" :creation-time 20231107 :expiration-time 20251106 :fingerprint "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")) :user-id-list (#s(epg-user-id :validity nil :string (("CN" . "Ulrich Müller") ("OU" . "Institut fuer Kernphysik") ("O" . "Johannes Gutenberg-Universitaet Mainz") ("L" . "Mainz") ("ST" . "Rheinland-Pfalz") ("C" . "DE")) :signature-list nil) #s(epg-user-id :validity nil :string "<ulm@uni-mainz.de>" :signature-list nil)))) normal)
>      (let ((epg-pinentry-mode 'loopback) (epa-protocol 'CMS)) (epa-sign-file "hello.txt" (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t) 'normal))
>      (progn (let ((epg-pinentry-mode 'loopback) (epa-protocol 'CMS)) (epa-sign-file "hello.txt" (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t) 'normal)))
>      eval((progn (let ((epg-pinentry-mode 'loopback) (epa-protocol 'CMS)) (epa-sign-file "hello.txt" (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t) 'normal))) t)
>      elisp--eval-last-sexp(t)
>      eval-last-sexp(t)
>      eval-print-last-sexp(nil)
>      funcall-interactively(eval-print-last-sexp nil)
>      call-interactively(eval-print-last-sexp nil nil)
>      command-execute(eval-print-last-sexp)
> 
> When I change epg-pinentry-mode to ask or epa-protocol to OpenPGP in
> the let-binding, things work as expected. In other words, only the
> combination of S/MIME and pinentry loopback fails.
> 
>    |          | OpenPGP | CMS   |
>    |----------+---------+-------|
>    | ask      | works   | works |
>    | loopback | works   | fails |
> 
> I use pinentry-gnome3, in case this should matter:
> 
>    $ readlink /usr/bin/pinentry
>    pinentry-gnome3

Michael, could you please look into this?





^ permalink raw reply	[flat|nested] 21+ messages in thread

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-15 14:02 ` Eli Zaretskii
@ 2023-11-15 15:07   ` Michael Albinus
  2023-11-15 15:32     ` Michael Albinus
  2023-11-15 16:48     ` Eli Zaretskii
  0 siblings, 2 replies; 21+ messages in thread
From: Michael Albinus @ 2023-11-15 15:07 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 67012, Ulrich Mueller

Eli Zaretskii <eliz@gnu.org> writes:

Hi Eli,

> Michael, could you please look into this?

I could try, but I don't know what qualifies me for this. Do you mean
somebody else?

Btw, debbugs.gnu.org isn't reachable today. I've tried to contact Bob
Proulx (who takes care of basic admin tasks), but no answer yet.

Perhaps I need to contact FSF sysadmins.

Best regards, Michael.





^ permalink raw reply	[flat|nested] 21+ messages in thread

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-15 15:07   ` Michael Albinus
@ 2023-11-15 15:32     ` Michael Albinus
  2023-11-15 16:48     ` Eli Zaretskii
  1 sibling, 0 replies; 21+ messages in thread
From: Michael Albinus @ 2023-11-15 15:32 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 67012, Ulrich Mueller

Michael Albinus <michael.albinus@gmx.de> writes:

Hi Eli,

> Btw, debbugs.gnu.org isn't reachable today. I've tried to contact Bob
> Proulx (who takes care of basic admin tasks), but no answer yet.
>
> Perhaps I need to contact FSF sysadmins.

I did. They are superfast, the server is back.

Best regards, Michael.





^ permalink raw reply	[flat|nested] 21+ messages in thread

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-15 15:07   ` Michael Albinus
  2023-11-15 15:32     ` Michael Albinus
@ 2023-11-15 16:48     ` Eli Zaretskii
  2023-11-15 17:13       ` Michael Albinus
  2023-11-16  9:54       ` Ulrich Mueller
  1 sibling, 2 replies; 21+ messages in thread
From: Eli Zaretskii @ 2023-11-15 16:48 UTC (permalink / raw)
  To: Michael Albinus; +Cc: 67012, ulm

> From: Michael Albinus <michael.albinus@gmx.de>
> Cc: Ulrich Mueller <ulm@gentoo.org>,  67012@debbugs.gnu.org
> Date: Wed, 15 Nov 2023 16:07:48 +0100
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> Hi Eli,
> 
> > Michael, could you please look into this?
> 
> I could try, but I don't know what qualifies me for this. Do you mean
> somebody else?

Sorry, I thought you knew more than I do about GnuPG and epg.

> Btw, debbugs.gnu.org isn't reachable today. I've tried to contact Bob
> Proulx (who takes care of basic admin tasks), but no answer yet.
> 
> Perhaps I need to contact FSF sysadmins.

Yes, it was down, but seems to be back up now.





^ permalink raw reply	[flat|nested] 21+ messages in thread

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-15 16:48     ` Eli Zaretskii
@ 2023-11-15 17:13       ` Michael Albinus
  2023-11-16  9:54       ` Ulrich Mueller
  1 sibling, 0 replies; 21+ messages in thread
From: Michael Albinus @ 2023-11-15 17:13 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 67012, ulm

Eli Zaretskii <eliz@gnu.org> writes:

Hi Eli,

>> > Michael, could you please look into this?
>>
>> I could try, but I don't know what qualifies me for this. Do you mean
>> somebody else?
>
> Sorry, I thought you knew more than I do about GnuPG and epg.

Not really. I can try to debug, but don't expect too much. Terra
incognita.

And tomorrow I'm almost OOO. My daughter will hijack my office.

Best regards, Michael.





^ permalink raw reply	[flat|nested] 21+ messages in thread

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-15 16:48     ` Eli Zaretskii
  2023-11-15 17:13       ` Michael Albinus
@ 2023-11-16  9:54       ` Ulrich Mueller
  2023-11-17 11:40         ` Ulrich Mueller
  1 sibling, 1 reply; 21+ messages in thread
From: Ulrich Mueller @ 2023-11-16  9:54 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 67012, Michael Albinus

When executing gpg2 from the command line, but with the same arguments
that are passed from Emacs, I see the following output:

   $ /usr/bin/gpg2 --no-tty --status-fd 1 --yes --enable-progress-filter --command-fd 0 --output hello.txt.gpg --pinentry-mode loopback --sign -u XXXXXXXXXXXXXXXX -- hello.txt 2>/dev/null
   [GNUPG:] KEYEXPIRED 1546257620
   [GNUPG:] KEYEXPIRED 1533081541
   [GNUPG:] KEY_CONSIDERED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
   [GNUPG:] PROGRESS hello.txt ? 0 6 B
   [GNUPG:] BEGIN_SIGNING H8
   [GNUPG:] PROGRESS hello.txt ? 6 6 B
   [GNUPG:] USERID_HINT XXXXXXXXXXXXXXXX Ulrich Müller <ulm@gentoo.org>
   [GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX 1 0
   [GNUPG:] INQUIRE_MAXLEN 100
   [GNUPG:] GET_HIDDEN passphrase.enter
   ****  <-- passphrase input
   [GNUPG:] GOT_IT
   [GNUPG:] SIG_CREATED S 1 8 00 1700077951 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

IIUC, function epg--process-filter looks for status output from GnuPG
and calls the matching epg--status-* functions. The passphrase is read
in epg--status-GET_HIDDEN.


For gpgsm (same arguments as passed from Emacs, plus --passphrase-fd 0)
output is this:

   $ /usr/bin/gpgsm --no-tty --status-fd 1 --yes --output hello.txt.p7m --pinentry-mode loopback --passphrase-fd 0 --sign -u XXXXXXXXXXXXXXXX -- hello.txt 2>/dev/null
   ****  <-- passphrase input
   [GNUPG:] PROGRESS starting_agent ? 0 0
   [GNUPG:] SIG_CREATED S 1 8 00 20231115T195756 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Note that gpgsm is way less chatty than gpg2. Especially, the passphrase
is expected before the first status message appears, and function
epg--status-GET_HIDDEN is never called. So this would have to be handled
in a different way.





^ permalink raw reply	[flat|nested] 21+ messages in thread
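The difference between the two transcripts in the message above, as an added example in Emacs Lisp (not code from epg.el or from anyone in this thread): a status-line dispatcher modelled on the description given there, fed both transcripts as quoted. All `demo-` names are hypothetical; the "<-- passphrase input" lines are the reporter's annotation rather than program output, so they are left out of the sample data.

```elisp
;;; status-fd-demo.el --- added example, not epg.el code  -*- lexical-binding: t -*-

(require 'cl-lib)

;; Status lines copied from the gpg2 run quoted in the thread (IDs x-ed out).
(defconst demo-gpg2-status
  '("[GNUPG:] KEYEXPIRED 1546257620"
    "[GNUPG:] KEYEXPIRED 1533081541"
    "[GNUPG:] KEY_CONSIDERED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0"
    "[GNUPG:] PROGRESS hello.txt ? 0 6 B"
    "[GNUPG:] BEGIN_SIGNING H8"
    "[GNUPG:] PROGRESS hello.txt ? 6 6 B"
    "[GNUPG:] USERID_HINT XXXXXXXXXXXXXXXX Ulrich Müller <ulm@gentoo.org>"
    "[GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX 1 0"
    "[GNUPG:] INQUIRE_MAXLEN 100"
    "[GNUPG:] GET_HIDDEN passphrase.enter"
    "[GNUPG:] GOT_IT"
    "[GNUPG:] SIG_CREATED S 1 8 00 1700077951 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"))

;; Status lines copied from the gpgsm run quoted in the thread.
(defconst demo-gpgsm-status
  '("[GNUPG:] PROGRESS starting_agent ? 0 0"
    "[GNUPG:] SIG_CREATED S 1 8 00 20231115T195756 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"))

(defun demo-parse-status-line (line)
  "Return (KEYWORD . ARGS) if LINE is a \"[GNUPG:] KEYWORD ARGS\" line, else nil."
  (let ((case-fold-search nil))
    (when (string-match "\\`\\[GNUPG:\\] \\([A-Z_0-9]+\\) ?\\(.*\\)\\'" line)
      (cons (match-string 1 line) (match-string 2 line)))))

(defun demo-run-filter (lines prompt-fn)
  "Dispatch status LINES by keyword, the way the thread describes the filter.
PROMPT-FN is called with the prompt id for every GET_HIDDEN line; that is
the only place this front end gets a chance to ask for the passphrase.
Return a plist (:prompts N :signed BOOL :unhandled KEYWORDS)."
  (let ((prompts 0) (signed nil) (unhandled '()))
    (dolist (line lines)
      (pcase (demo-parse-status-line line)
        (`("GET_HIDDEN" . ,id)
         (setq prompts (1+ prompts))
         (funcall prompt-fn id))
        (`("SIG_CREATED" . ,_)
         (setq signed t))
        (`(,keyword . ,_)
         ;; Recognised as a status line, but no handler in this demo.
         (cl-pushnew keyword unhandled :test #'equal))
        (_ nil)))                       ; not a status line at all
    (list :prompts prompts
          :signed signed
          :unhandled (nreverse unhandled))))

(defun demo-loopback-usable-p (lines)
  "Non-nil if LINES contain the GET_HIDDEN request a status-driven prompt needs."
  (> (plist-get (demo-run-filter lines #'ignore) :prompts) 0))

;; gpg2 asks through the status channel, so the prompt callback fires;
;; gpgsm reaches SIG_CREATED without ever asking, so it never does.
(message "gpg2:  %S"
         (demo-run-filter demo-gpg2-status
                          (lambda (id) (message "would prompt for %s" id))))
(message "gpgsm: %S" (demo-run-filter demo-gpgsm-status #'ignore))
(message "loopback usable: gpg2=%S gpgsm=%S"
         (demo-loopback-usable-p demo-gpg2-status)
         (demo-loopback-usable-p demo-gpgsm-status))
```

Evaluating the buffer (for example with `M-x eval-buffer`) writes the three result lines to `*Messages*`.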

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-16  9:54       ` Ulrich Mueller
@ 2023-11-17 11:40         ` Ulrich Mueller
  2023-11-19  5:43           ` Eli Zaretskii
  0 siblings, 1 reply; 21+ messages in thread
From: Ulrich Mueller @ 2023-11-17 11:40 UTC (permalink / raw)
  To: 67012; +Cc: Eli Zaretskii, Michael Albinus

Until there's a proper fix (not anytime soon, I suppose?), could we
please disable pinentry loopback with gpgsm? See patch below.

That way, the user could still set epg-pinentry-mode to loopback for use
with gpg2, and with gpgsm it would fall back to passphrase input through
the pinentry program (i.e. in the GUI). This seems to be better than
erroring out.

(In fact, I use gpgsm with pinentry.el from Emacs 25.3 as a workaround.
Unfortunately, that package has been removed as a fix for bug #27445.)


From b1cbdfc8f4890c6cb31cc8d59b347aedfb2f7f5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <ulm@gentoo.org>
Date: Fri, 17 Nov 2023 12:16:54 +0100
Subject: [PATCH] Don't enable pinentry loopback mode for gpgsm

* lisp/epg.el (epg--start): Passphrase entry through the
minibuffer is currently not supported with gpgsm, therefore don't
pass "--pinentry-mode loopback" as an argument when the protocol
is CMS.  (Bug#67012)
---
 lisp/epg.el | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lisp/epg.el b/lisp/epg.el
index aae9b9444b4..b994c1b9ca2 100644
--- a/lisp/epg.el
+++ b/lisp/epg.el
@@ -595,7 +595,12 @@ epg--start
 		       (if (epg-context-textmode context) '("--textmode"))
 		       (if (epg-context-output-file context)
 			   (list "--output" (epg-context-output-file context)))
-		       (if (epg-context-pinentry-mode context)
+		       (if (and (epg-context-pinentry-mode context)
+				(not
+				 ;; loopback doesn't work with gpgsm
+				 (and (eq (epg-context-protocol context) 'CMS)
+				      (eq (epg-context-pinentry-mode context)
+					  'loopback))))
 			   (list "--pinentry-mode"
 				 (symbol-name (epg-context-pinentry-mode
 					       context))))
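Review bot: in the new condition in epg--start, a CMS context whose pinentry mode is loopback now gets no "--pinentry-mode" argument at all, and nothing at this point tells the user that their setting was dropped, so the passphrase prompt silently moves from the minibuffer to whatever pinentry program the agent runs. Suggest expanding the inline comment ";; loopback doesn't work with gpgsm" to cite Bug#67012 and name the fallback, and consider a one-time message or a note in the documentation of epg-pinentry-mode so the change in where the passphrase is entered is visible. The repeated (epg-context-pinentry-mode context) calls inside the nested and/not would also read more easily with the value bound once in a let.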
-- 
2.42.1






^ permalink raw reply related	[flat|nested] 21+ messages in thread

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-17 11:40         ` Ulrich Mueller
@ 2023-11-19  5:43           ` Eli Zaretskii
  2023-11-19 11:13             ` Ulrich Mueller
  0 siblings, 1 reply; 21+ messages in thread
From: Eli Zaretskii @ 2023-11-19  5:43 UTC (permalink / raw)
  To: Ulrich Mueller; +Cc: 67012, michael.albinus

> From: Ulrich Mueller <ulm@gentoo.org>
> Cc: Eli Zaretskii <eliz@gnu.org>,  Michael Albinus <michael.albinus@gmx.de>
> Date: Fri, 17 Nov 2023 12:40:05 +0100
> 
> Until there's a proper fix (not anytime soon, I suppose?), could we
> please disable pinentry loopback with gpgsm? See patch below.
> 
> That way, the user could still set epg-pinentry-mode to loopback for use
> with gpg2, and with gpgsm it would fall back to passphrase input through
> the pinentry program (i.e. in the GUI). This seems to be better than
> erroring out.
> 
> (In fact, I use gpgsm with pinentry.el from Emacs 25.3 as a workaround.
> Unfortunately, that package has been removed as a fix for bug #27445.)

I have difficulty making a decision about this, as I don't feel I
understand the situation well enough.  Can you please help me by
answering the following questions:

  . are we talking about a single problem or about several ones? the
    original report was about invoking gpgsm, but then you started
    talking about gpg2 as well?
  . is this a recent regression in Emacs, or did this problem exist in
    older versions of Emacs as well? or is this due to some recent
    change in GnuPG?

Thanks.





^ permalink raw reply	[flat|nested] 21+ messages in thread

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-19  5:43           ` Eli Zaretskii
@ 2023-11-19 11:13             ` Ulrich Mueller
  2023-11-25  9:53               ` Eli Zaretskii
  0 siblings, 1 reply; 21+ messages in thread
From: Ulrich Mueller @ 2023-11-19 11:13 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 67012, michael.albinus

>>>>> On Sun, 19 Nov 2023, Eli Zaretskii wrote:

>> From: Ulrich Mueller <ulm@gentoo.org>
>> Cc: Eli Zaretskii <eliz@gnu.org>,  Michael Albinus <michael.albinus@gmx.de>
>> Date: Fri, 17 Nov 2023 12:40:05 +0100
>> 
>> Until there's a proper fix (not anytime soon, I suppose?), could we
>> please disable pinentry loopback with gpgsm? See patch below.
>> 
>> That way, the user could still set epg-pinentry-mode to loopback for use
>> with gpg2, and with gpgsm it would fall back to passphrase input through
>> the pinentry program (i.e. in the GUI). This seems to be better than
>> erroring out.
>> 
>> (In fact, I use gpgsm with pinentry.el from Emacs 25.3 as a workaround.
>> Unfortunately, that package has been removed as a fix for bug #27445.)

> I have difficulty making a decision about this, as I don't feel I
> understand the situation well enough.  Can you please help me by
> answering the following questions:

>   . are we talking about a single problem or about several ones? the
>     original report was about invoking gpgsm, but then you started
>     talking about gpg2 as well?

Single problem, and it affects only gpgsm. I've mentioned gpg2 only
for the reason that any fix or workaround shouldn't change existing
behaviour with gpg2. (So, for example, omitting "--pinentry-mode
loopback" should be conditional on the CMS protocol.)

>   . is this a recent regression in Emacs, or did this problem exist in
>     older versions of Emacs as well? or is this due to some recent
>     change in GnuPG?

AFAICS it is an old problem, not related to any recent changes in Emacs
or GnuPG. And IIUC properly fixing it would require major changes for
either EasyPG or gpgsm, because the design of EasyPG relies on the
status messages output by gpg2 with the --status-fd option. gpgsm
doesn't output most of these messages (see the examples in message #32
above).

It looks like bug #59178 is about the same issue (but that report was
somewhat sidetracked). Sorry that I hadn't noticed before filing this
report.





^ permalink raw reply	[flat|nested] 21+ messages in thread

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-19 11:13             ` Ulrich Mueller
@ 2023-11-25  9:53               ` Eli Zaretskii
  2023-11-25 11:16                 ` Ulrich Mueller
  0 siblings, 1 reply; 21+ messages in thread
From: Eli Zaretskii @ 2023-11-25  9:53 UTC (permalink / raw)
  To: Ulrich Mueller; +Cc: 67012, michael.albinus

> From: Ulrich Mueller <ulm@gentoo.org>
> Cc: 67012@debbugs.gnu.org,  michael.albinus@gmx.de
> Date: Sun, 19 Nov 2023 12:13:08 +0100
> 
> >>>>> On Sun, 19 Nov 2023, Eli Zaretskii wrote:
> 
> > I have difficulty making a decision about this, as I don't feel I
> > understand the situation well enough.  Can you please help me by
> > answering the following questions:
> 
> >   . are we talking about a single problem or about several ones? the
> >     original report was about invoking gpgsm, but then you started
> >     talking about gpg2 as well?
> 
> Single problem, and it affects only gpgsm. I've mentioned gpg2 only
> for the reason that any fix or workaround shouldn't change existing
> behaviour with gpg2. (So, for example, omitting "--pinentry-mode
> loopback" should be conditional on the CMS protocol.)
> 
> >   . is this a recent regression in Emacs, or did this problem exist in
> >     older versions of Emacs as well? or is this due to some recent
> >     change in GnuPG?
> 
> AFAICS it is an old problem, not related to any recent changes in Emacs
> or GnuPG. And IIUC properly fixing it would require major changes for
> either EasyPG or gpgsm, because the design of EasyPG relies on the
> status messages output by gpg2 with the --status-fd option. gpgsm
> doesn't output most of these messages (see the examples in message #32
> above).

OK, thanks.  So please install this on the master branch.

Should we perhaps have something about this in etc/PROBLEMS?  That is,
after you install your changes?  If so, feel free to add there
whatever you think is appropriate.





^ permalink raw reply	[flat|nested] 21+ messages in thread

* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-25  9:53               ` Eli Zaretskii
@ 2023-11-25 11:16                 ` Ulrich Mueller
  2023-11-25 11:40                   ` Michael Albinus
  2023-11-25 12:27                   ` Eli Zaretskii
  0 siblings, 2 replies; 21+ messages in thread
From: Ulrich Mueller @ 2023-11-25 11:16 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 67012, michael.albinus

>>>>> On Sat, 25 Nov 2023, Eli Zaretskii wrote:

> OK, thanks.  So please install this on the master branch.

Done. I've also added a short note in doc/misc/epa.texi.

> Should we perhaps have something about this in etc/PROBLEMS?  That is,
> after you install your changes?  If so, feel free to add there
> whatever you think is appropriate.

This ok?

   *** EasyPG loopback pinentry does not work with gpgsm.

   This happens with the 'gpgsm' command from all versions of GnuPG.
   EasyPG relies on the machine-parseable interface that is provided by
   'gpg2' with option '--status-fd', but gpgsm does not support this.

   As a workaround, input the passphrase with a GUI-capable pinentry
   program like 'pinentry-gnome' or 'pinentry-qt5'.  Alternatively, you
   can use the 'pinentry' package from Emacs 25.

Add to etc/PROBLEMS in master or emacs-29 branch?
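
A preflight check for the 'pinentry' package workaround named in the proposed etc/PROBLEMS entry above. This is an added example, not part of the thread, of Emacs or of pinentry.el. It assumes the "allow-emacs-pinentry" option and the socket location ${TMPDIR-/tmp}/emacs$(id -u)/pinentry given in pinentry.el's commentary; the function name check_emacs_pinentry and the demo files are made up for illustration.

```shell
#!/bin/sh
# Added example: preflight for the Emacs pinentry workaround.
# Prints one "<check>: <reason>" line per failed precondition and
# returns 0 only when every precondition holds.
check_emacs_pinentry() {
    conf=$1     # gpg-agent configuration file
    dir=$2      # directory that holds the "pinentry" socket
    rc=0

    # gpg-agent hands requests to Emacs only if the option is present
    # on its own line and not commented out.
    if ! grep -Eq '^[[:space:]]*allow-emacs-pinentry[[:space:]]*$' "$conf" 2>/dev/null; then
        echo "conf: allow-emacs-pinentry not enabled in $conf"
        rc=1
    fi

    # The socket directory must be a real directory (not a symlink), owned
    # by the current user, with no group or other permission bits set.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "dir: $dir is missing or is a symlink"
        return 1
    fi
    listing=$(ls -ldn "$dir")
    perms=$(printf '%s\n' "$listing" | cut -c1-10)
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    if [ "$owner" != "$(id -u)" ]; then
        echo "dir: $dir is owned by uid $owner"
        return 1
    fi
    case $perms in
        d???------) ;;
        *) echo "dir: $dir has mode $perms, expected drwx------"
           return 1 ;;
    esac

    # The socket exists only after M-x pinentry-start in the running Emacs.
    if [ ! -S "$dir/pinentry" ]; then
        echo "socket: $dir/pinentry does not exist (run M-x pinentry-start)"
        rc=1
    fi
    return $rc
}

# Real use would be:
#   check_emacs_pinentry "$HOME/.gnupg/gpg-agent.conf" "${TMPDIR-/tmp}/emacs$(id -u)"
# Constructed demo tree (not a real GnuPG home): option commented out,
# socket directory readable by everyone.
demo=$(mktemp -d)
printf '%s\n' 'default-cache-ttl 600' '# allow-emacs-pinentry' > "$demo/gpg-agent.conf"
mkdir "$demo/emacs-sock" && chmod 755 "$demo/emacs-sock"
check_emacs_pinentry "$demo/gpg-agent.conf" "$demo/emacs-sock" || true
rm -rf "$demo"
```

After changing gpg-agent.conf, reload it with "gpgconf --reload gpg-agent" before re-running the check.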






* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-25 11:16                 ` Ulrich Mueller
@ 2023-11-25 11:40                   ` Michael Albinus
  2023-11-25 12:17                     ` Ulrich Mueller
  2023-11-25 12:27                   ` Eli Zaretskii
  1 sibling, 1 reply; 21+ messages in thread
From: Michael Albinus @ 2023-11-25 11:40 UTC (permalink / raw)
  To: Ulrich Mueller; +Cc: 67012, Eli Zaretskii

Ulrich Mueller <ulm@gentoo.org> writes:

Hi Ulrich,

>    As a workaround, input the passphrase with a GUI-capable pinentry
>    program like 'pinentry-gnome' or 'pinentry-qt5'.  Alternatively, you
>    can use the 'pinentry' package from Emacs 25.

I have no idea what I'm speaking about. However, on GNU ELPA there is
the package pinentry 0.1 from Daiki Ueno <ueno@gnu.org>. Same is for
Emacs 25. Shouldn't we advertise the GNU ELPA package?

However, there are differences. On GNU ELPA, there is

--8<---------------cut here---------------start------------->8---
;; Copyright (C) 2015 Free Software Foundation, Inc.
--8<---------------cut here---------------end--------------->8---

In Emacs 25, there is

--8<---------------cut here---------------start------------->8---
;; Copyright (C) 2015-2017 Free Software Foundation, Inc.
--8<---------------cut here---------------end--------------->8---

Looks like the version in Emacs 25 is more up-to-date, although both say

--8<---------------cut here---------------start------------->8---
;; Version: 0.1
--8<---------------cut here---------------end--------------->8---

Shouldn't we upgrade the GNU ELPA version?

Best regards, Michael.






* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-25 11:40                   ` Michael Albinus
@ 2023-11-25 12:17                     ` Ulrich Mueller
  2023-11-25 14:59                       ` Ulrich Mueller
  0 siblings, 1 reply; 21+ messages in thread
From: Ulrich Mueller @ 2023-11-25 12:17 UTC (permalink / raw)
  To: Michael Albinus; +Cc: 67012, Eli Zaretskii

[-- Attachment #1: Type: text/plain, Size: 817 bytes --]

>>>>> On Sat, 25 Nov 2023, Michael Albinus wrote:

> I have no idea what I'm speaking about. However, on GNU ELPA there is
> the package pinentry 0.1 from Daiki Ueno <ueno@gnu.org>. Same is for
> Emacs 25. Shouldn't we advertise the GNU ELPA package?

I am aware that there's a package on ELPA, but looks like it's very
outdated.

> However, there are differences. [...]

There are quite a few differences, see full diff attached.

> Shouldn't we upgrade the GNU ELPA version?

Probably. Gentoo also has a (rather trivial) patch that fixes some
warnings with newer Emacs versions:
https://gitweb.gentoo.org/repo/gentoo.git/tree/app-emacs/pinentry/files/pinentry-emacs-29.patch

(I still don't entirely understand why pinentry.el was dropped from
Emacs proper, but I won't challenge the decision made in bug #27445.)


[-- Attachment #2: pinentry.el.diff --]
[-- Type: text/plain, Size: 14791 bytes --]

--- pinentry-0.1.el
+++ emacs-25.3/lisp/net/pinentry.el
@@ -1,6 +1,6 @@
 ;;; pinentry.el --- GnuPG Pinentry server implementation -*- lexical-binding: t -*-
 
-;; Copyright (C) 2015 Free Software Foundation, Inc.
+;; Copyright (C) 2015-2017 Free Software Foundation, Inc.
 
 ;; Author: Daiki Ueno <ueno@gnu.org>
 ;; Version: 0.1
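Review bot: the ";; Version: 0.1" header stays unchanged in this hunk although the copyright range moves to 2015-2017 and the rest of the diff changes behaviour, so the two files cannot be told apart by their version. Bump the Version header when this content is released as a package update.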
@@ -19,16 +19,15 @@
 ;; GNU General Public License for more details.
 
 ;; You should have received a copy of the GNU General Public License
-;; along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.
+;; along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.
 
 ;;; Commentary:
 
 ;; This package allows GnuPG passphrase to be prompted through the
-;; minibuffer instead of graphical dialog.  As of June 2015, this
-;; feature requires newer versions of GnuPG (2.1.5 or later) and
-;; Pinentry (not yet released).
+;; minibuffer instead of graphical dialog.
 ;;
-;; To use, add allow-emacs-pinentry to ~/.gnupg/gpg-agent.conf, and
+;; To use, add "allow-emacs-pinentry" to "~/.gnupg/gpg-agent.conf",
+;; reload the configuration with "gpgconf --reload gpg-agent", and
 ;; start the server with M-x pinentry-start.
 ;;
 ;; The actual communication path between the relevant components is
@@ -41,12 +40,34 @@
 ;;
 ;;   ${TMPDIR-/tmp}/emacs$(id -u)/pinentry
 ;;
-;; under the same directory as server.el uses.  The protocol is a
+;; under the same directory which server.el uses.  The protocol is a
 ;; subset of the Pinentry Assuan protocol described in (info
 ;; "(pinentry) Protocol").
+;;
+;; NOTE: As of August 2015, this feature requires newer versions of
+;; GnuPG (2.1.5+) and Pinentry (0.9.5+).
 
 ;;; Code:
 
+(eval-when-compile (require 'cl-lib))
+
+(defgroup pinentry nil
+  "The Pinentry server"
+  :version "25.1"
+  :group 'external)
+
+(defcustom pinentry-popup-prompt-window t
+  "If non-nil, display multiline prompt in another window."
+  :type 'boolean
+  :group 'pinentry)
+
+(defcustom pinentry-prompt-window-height 5
+  "Number of lines used to display multiline prompt."
+  :type 'integer
+  :group 'pinentry)
+
+(defvar pinentry-debug nil)
+(defvar pinentry-debug-buffer nil)
 (defvar pinentry--server-process nil)
 (defvar pinentry--connection-process-list nil)
 
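Review bot: "(defvar pinentry-debug nil)" and "(defvar pinentry-debug-buffer nil)" are added without docstrings, and the two new defcustoms carry no :version. pinentry-debug is a switch a user has to set by hand, so give it a docstring that says what gets recorded and in which buffer; that way nobody leaves it enabled without knowing what it collects.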
@@ -55,6 +76,8 @@
 (defvar pinentry--read-point nil)
 (put 'pinentry--read-point 'permanent-local t)
 
+(defvar pinentry--prompt-buffer nil)
+
 ;; We use the same location as `server-socket-dir', when local sockets
 ;; are supported.
 (defvar pinentry--socket-dir
@@ -79,34 +102,90 @@
 
 (autoload 'server-ensure-safe-dir "server")
 
+(defvar pinentry-prompt-mode-map
+  (let ((keymap (make-sparse-keymap)))
+    (define-key keymap "q" 'quit-window)
+    keymap))
+
+(define-derived-mode pinentry-prompt-mode special-mode "Pinentry"
+  "Major mode for `pinentry--prompt-buffer'."
+  (buffer-disable-undo)
+  (setq truncate-lines t
+	buffer-read-only t))
+
+(defun pinentry--prompt (labels query-function &rest query-args)
+  (let ((desc (cdr (assq 'desc labels)))
+        (error (cdr (assq 'error labels)))
+        (prompt (cdr (assq 'prompt labels))))
+    (when (string-match "[ \n]*\\'" prompt)
+      (setq prompt (concat
+                    (substring
+                     prompt 0 (match-beginning 0)) " ")))
+    (when error
+      (setq desc (concat "Error: " (propertize error 'face 'error)
+                         "\n" desc)))
+    (if (and desc pinentry-popup-prompt-window)
+      (save-window-excursion
+        (delete-other-windows)
+	(unless (and pinentry--prompt-buffer
+                     (buffer-live-p pinentry--prompt-buffer))
+	  (setq pinentry--prompt-buffer (generate-new-buffer "*Pinentry*")))
+	(if (get-buffer-window pinentry--prompt-buffer)
+	    (delete-window (get-buffer-window pinentry--prompt-buffer)))
+	(with-current-buffer pinentry--prompt-buffer
+	  (let ((inhibit-read-only t)
+		buffer-read-only)
+	    (erase-buffer)
+	    (insert desc))
+	  (pinentry-prompt-mode)
+	  (goto-char (point-min)))
+	(if (> (window-height)
+	       pinentry-prompt-window-height)
+	    (set-window-buffer (split-window nil
+                                             (- (window-height)
+                                                pinentry-prompt-window-height))
+			       pinentry--prompt-buffer)
+	  (pop-to-buffer pinentry--prompt-buffer)
+	  (if (> (window-height) pinentry-prompt-window-height)
+	      (shrink-window (- (window-height)
+                                pinentry-prompt-window-height))))
+        (prog1 (apply query-function prompt query-args)
+          (quit-window)))
+      (apply query-function (concat desc "\n" prompt) query-args))))
+
 ;;;###autoload
-(defun pinentry-start ()
+(defun pinentry-start (&optional quiet)
   "Start a Pinentry service.
 
 Once the environment is properly set, subsequent invocations of
-the gpg command will interact with Emacs for passphrase input."
+the gpg command will interact with Emacs for passphrase input.
+
+If the optional QUIET argument is non-nil, messages at startup
+will not be shown."
   (interactive)
   (unless (featurep 'make-network-process '(:family local))
     (error "local sockets are not supported"))
   (if (process-live-p pinentry--server-process)
-      (message "Pinentry service is already running")
+      (unless quiet
+        (message "Pinentry service is already running"))
     (let* ((server-file (expand-file-name "pinentry" pinentry--socket-dir)))
       (server-ensure-safe-dir pinentry--socket-dir)
       ;; Delete the socket files made by previous server invocations.
       (ignore-errors
         (let (delete-by-moving-to-trash)
           (delete-file server-file)))
-      (setq pinentry--server-process
-            (make-network-process
-             :name "pinentry"
-             :server t
-             :noquery t
-             :sentinel #'pinentry--process-sentinel
-             :filter #'pinentry--process-filter
-             :coding 'no-conversion
-             :family 'local
-             :service server-file))
-      (process-put pinentry--server-process :server-file server-file))))
+      (cl-letf (((default-file-modes) ?\700))
+        (setq pinentry--server-process
+              (make-network-process
+               :name "pinentry"
+               :server t
+               :noquery t
+               :sentinel #'pinentry--process-sentinel
+               :filter #'pinentry--process-filter
+               :coding 'no-conversion
+               :family 'local
+               :service server-file))
+        (process-put pinentry--server-process :server-file server-file)))))
 
 (defun pinentry-stop ()
   "Stop a Pinentry service."
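Review bot: in pinentry--prompt, (string-match "[ \n]*\\'" prompt) runs unconditionally, so a request whose labels contain no 'prompt entry passes nil to string-match and signals before anything is shown; guard it with (and prompt ...) or default prompt to an empty string. The final (concat desc "\n" prompt) has a related problem: it produces a leading newline when desc is nil. In pinentry-start, ?\700 works as the mode, but #o700 states the intent (socket accessible to the owner only) more directly.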
@@ -224,6 +303,13 @@
         (setq pinentry--read-point (point-min))
         (make-local-variable 'pinentry--labels))))
   (with-current-buffer (process-buffer process)
+    (when pinentry-debug
+      (with-current-buffer
+          (or pinentry-debug-buffer
+              (setq pinentry-debug-buffer (generate-new-buffer
+                                           " *pinentry-debug*")))
+        (goto-char (point-max))
+        (insert input)))
     (save-excursion
       (goto-char (point-max))
       (insert input)
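Review bot: "(or pinentry-debug-buffer (setq ...))" only tests for non-nil, so once the " *pinentry-debug*" buffer has been killed the variable still holds a dead buffer and with-current-buffer signals inside the process filter. Test (buffer-live-p pinentry-debug-buffer), as pinentry--prompt does for its own buffer. The buffer also grows without bound, because every chunk of input is appended and nothing ever erases it.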
@@ -248,32 +334,15 @@
 		 (ignore-errors
 		   (process-send-string process "OK\n")))
                 ("GETPIN"
-                 (let ((prompt
-                        (or (cdr (assq 'desc pinentry--labels))
-                            (cdr (assq 'prompt pinentry--labels))
-                            ""))
-		       (confirm (not (null (assq 'repeat pinentry--labels))))
-                       entry)
-                   (if (setq entry (assq 'error pinentry--labels))
-                       (setq prompt (concat "Error: "
-                                            (propertize
-                                             (copy-sequence (cdr entry))
-                                             'face 'error)
-                                            "\n"
-                                            prompt)))
-                   (if (setq entry (assq 'title pinentry--labels))
-                       (setq prompt (format "[%s] %s"
-                                            (cdr entry) prompt)))
-                   (if (string-match ":?[ \n]*\\'" prompt)
-                       (setq prompt (concat
-                                     (substring
-                                      prompt 0 (match-beginning 0)) ": ")))
-                   (let (passphrase escaped-passphrase encoded-passphrase)
-                     (unwind-protect
-                         (condition-case nil
-                             (progn
-                               (setq passphrase
-				     (read-passwd prompt confirm))
+                 (let ((confirm (not (null (assq 'repeat pinentry--labels))))
+                       passphrase escaped-passphrase encoded-passphrase)
+                   (unwind-protect
+                       (condition-case err
+                           (progn
+                             (setq passphrase
+                                   (pinentry--prompt
+                                    pinentry--labels
+                                    #'read-passwd confirm))
                                (setq escaped-passphrase
                                      (pinentry--escape-string
                                       passphrase))
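Review bot: the removed lines prefixed the prompt with the 'title label via (format "[%s] %s" ...), while pinentry--prompt reads only 'desc, 'error and 'prompt, so a title sent by the client is now silently dropped in GETPIN. If that is intended, say so in the commit message; otherwise handle 'title in pinentry--prompt. The unchanged lines from "(setq escaped-passphrase" onward keep their old indentation and should be re-indented under the new progn.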
@@ -284,7 +353,8 @@
 				 (pinentry--send-data
 				  process encoded-passphrase)
 				 (process-send-string process "OK\n")))
-                           (error
+                         (error
+                          (message "GETPIN error %S" err)
 			    (ignore-errors
 			      (pinentry--send-error
 			       process
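Review bot: (message "GETPIN error %S" err) writes the complete error data to *Messages*, and this handler wraps the code that holds passphrase, escaped-passphrase and encoded-passphrase. If any of those calls signals with its argument in the error data, the secret ends up in a persistent buffer. Log only the condition name, (car err), and keep the error data out of *Messages*.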
@@ -295,59 +365,55 @@
                            (clear-string escaped-passphrase))
                        (if encoded-passphrase
                            (clear-string encoded-passphrase))))
-                   (setq pinentry--labels nil)))
+                   (setq pinentry--labels nil))
                 ("CONFIRM"
                  (let ((prompt
-                        (or (cdr (assq 'desc pinentry--labels))
-                            ""))
+                        (or (cdr (assq 'prompt pinentry--labels))
+                            "Confirm? "))
                        (buttons
-                        (pinentry--labels-to-shortcuts
-                         (list (cdr (assq 'ok pinentry--labels))
-                               (cdr (assq 'notok pinentry--labels))
-			       (cdr (assq 'cancel pinentry--labels)))))
+                        (delq nil
+                              (pinentry--labels-to-shortcuts
+                               (list (cdr (assq 'ok pinentry--labels))
+                                     (cdr (assq 'notok pinentry--labels))
+                                     (cdr (assq 'cancel pinentry--labels))))))
                        entry)
-                   (if (setq entry (assq 'error pinentry--labels))
-                       (setq prompt (concat "Error: "
-                                            (propertize
-                                             (copy-sequence (cdr entry))
-                                             'face 'error)
-                                            "\n"
-                                            prompt)))
-                   (if (setq entry (assq 'title pinentry--labels))
-                       (setq prompt (format "[%s] %s"
-                                            (cdr entry) prompt)))
-                   (if (remq nil buttons)
+                   (if buttons
                        (progn
                          (setq prompt
                                (concat prompt " ("
-                                       (mapconcat #'cdr (remq nil buttons)
+                                       (mapconcat #'cdr buttons
                                                   ", ")
                                        ") "))
+                         (if (setq entry (assq 'prompt pinentry--labels))
+                             (setcdr entry prompt)
+                           (setq pinentry--labels (cons (cons 'prompt prompt)
+                                                        pinentry--labels)))
                          (condition-case nil
-                             (let ((result (read-char prompt)))
+                             (let ((result (pinentry--prompt pinentry--labels
+                                                             #'read-char)))
                                (if (eq result (caar buttons))
-				   (ignore-errors
-				     (process-send-string process "OK\n"))
+                                   (ignore-errors
+                                     (process-send-string process "OK\n"))
                                  (if (eq result (car (nth 1 buttons)))
-				     (ignore-errors
-				       (pinentry--send-error
-					process
-					pinentry--error-not-confirmed))
-				   (ignore-errors
-				     (pinentry--send-error
-				      process
-				      pinentry--error-cancelled)))))
+                                     (ignore-errors
+                                       (pinentry--send-error
+                                        process
+                                        pinentry--error-not-confirmed))
+                                   (ignore-errors
+                                     (pinentry--send-error
+                                      process
+                                      pinentry--error-cancelled)))))
                            (error
-			    (ignore-errors
+                            (ignore-errors
 			      (pinentry--send-error
 			       process
 			       pinentry--error-cancelled)))))
-                     (if (string-match "[ \n]*\\'" prompt)
-                         (setq prompt (concat
-                                       (substring
-                                        prompt 0 (match-beginning 0)) " ")))
+                     (if (setq entry (assq 'prompt pinentry--labels))
+                         (setcdr entry prompt)
+                       (setq pinentry--labels (cons (cons 'prompt prompt)
+                                                    pinentry--labels)))
                      (if (condition-case nil
-                             (y-or-n-p prompt)
+                             (pinentry--prompt pinentry--labels #'y-or-n-p)
                            (quit))
 			 (ignore-errors
 			   (process-send-string process "OK\n"))
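Review bot: wrapping pinentry--labels-to-shortcuts in delq nil changes what the positional lookups below mean. (caar buttons) and (car (nth 1 buttons)) assume the order ok, notok, cancel, and the old (remq nil buttons) implies the list can contain nil entries; with those removed up front, a request that sets only ok and cancel puts the cancel shortcut at index 1, where it is answered with pinentry--error-not-confirmed. Keep the unfiltered list for the comparisons and filter only for mapconcat, as the old code did. The "(if (setq entry (assq 'prompt pinentry--labels)) (setcdr entry prompt) ...)" form is also duplicated in both branches and could be hoisted above "(if buttons".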
@@ -389,15 +455,6 @@
        (ignore-errors
 	 (delete-file (process-get process :server-file)))))
 
-;;;; ChangeLog:
-
-;; 2015-06-12  Daiki Ueno	<ueno@gnu.org>
-;; 
-;; 	Merge commit '32b1944d5f0a65aa10c6768f4865f7ed1de8eb49' as
-;; 	'packages/pinentry'
-;; 
-
-
 (provide 'pinentry)
 
 ;;; pinentry.el ends here


* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-25 11:16                 ` Ulrich Mueller
  2023-11-25 11:40                   ` Michael Albinus
@ 2023-11-25 12:27                   ` Eli Zaretskii
  1 sibling, 0 replies; 21+ messages in thread
From: Eli Zaretskii @ 2023-11-25 12:27 UTC (permalink / raw)
  To: Ulrich Mueller; +Cc: 67012, michael.albinus

> From: Ulrich Mueller <ulm@gentoo.org>
> Cc: 67012@debbugs.gnu.org,  michael.albinus@gmx.de
> Date: Sat, 25 Nov 2023 12:16:50 +0100
> 
> >>>>> On Sat, 25 Nov 2023, Eli Zaretskii wrote:
> 
> > OK, thanks.  So please install this on the master branch.
> 
> Done. I've also added a short note in doc/misc/epa.texi.
> 
> > Should we perhaps have something about this in etc/PROBLEMS?  That is,
> > after you install your changes?  If so, feel free to add there
> > whatever you think is appropriate.
> 
> This ok?

Yes.

>    *** EasyPG loopback pinentry does not work with gpgsm.
> 
>    This happens with the 'gpgsm' command from all versions of GnuPG.
>    EasyPG relies on the machine-parseable interface that is provided by
>    'gpg2' with option '--status-fd', but gpgsm does not support this.
> 
>    As a workaround, input the passphrase with a GUI-capable pinentry
>    program like 'pinentry-gnome' or 'pinentry-qt5'.  Alternatively, you
>    can use the 'pinentry' package from Emacs 25.
> 
> Add to etc/PROBLEMS in master or emacs-29 branch?

On emacs-29, I think.

Thanks.






* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-25 12:17                     ` Ulrich Mueller
@ 2023-11-25 14:59                       ` Ulrich Mueller
  2023-11-25 15:44                         ` Michael Albinus
  0 siblings, 1 reply; 21+ messages in thread
From: Ulrich Mueller @ 2023-11-25 14:59 UTC (permalink / raw)
  To: Michael Albinus; +Cc: 67012, Eli Zaretskii

>>>>> On Sat, 25 Nov 2023, Ulrich Mueller wrote:

>>>>> On Sat, 25 Nov 2023, Michael Albinus wrote:
>> Shouldn't we upgrade the GNU ELPA version?

> Probably.

So who can make a new release of the GNU ELPA package? Except for the
mentioned comment change in the copyright and license notices, the tip
of https://github.com/ueno/pinentry-el is identical to the last version
in the Emacs master branch, before the file was removed in
commit b407c521f24b.

> Gentoo also has a (rather trivial) patch that fixes some warnings with
> newer Emacs versions:
> https://gitweb.gentoo.org/repo/gentoo.git/tree/app-emacs/pinentry/files/pinentry-emacs-29.patch






* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-25 14:59                       ` Ulrich Mueller
@ 2023-11-25 15:44                         ` Michael Albinus
  2023-11-25 16:32                           ` Ulrich Mueller
  0 siblings, 1 reply; 21+ messages in thread
From: Michael Albinus @ 2023-11-25 15:44 UTC (permalink / raw)
  To: Ulrich Mueller; +Cc: 67012, Eli Zaretskii

Ulrich Mueller <ulm@gentoo.org> writes:

Hi Ulrich,

>>>>>> On Sat, 25 Nov 2023, Michael Albinus wrote:
>>> Shouldn't we upgrade the GNU ELPA version?
>
>> Probably.
>
> So who can make a new release of the GNU ELPA package? Except for the
> mentioned comment change in the copyright and license notices, the tip
> of https://github.com/ueno/pinentry-el is identical to the last version
> in the Emacs master branch, before the file was removed in
> commit b407c521f24b.

pinentry.el is synced from <https://github.com/ueno/pinentry-el>. Perhaps
we shall ask Daiki Ueno <ueno@gnu.org> to merge the patches, and
increase the version to 0.2.

Would you like to contact him? I have no idea about this package, so I
cannot discuss seriously with him.

Best regards, Michael.






* bug#67012: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
  2023-11-25 15:44                         ` Michael Albinus
@ 2023-11-25 16:32                           ` Ulrich Mueller
  0 siblings, 0 replies; 21+ messages in thread
From: Ulrich Mueller @ 2023-11-25 16:32 UTC (permalink / raw)
  To: Michael Albinus; +Cc: 67012, Eli Zaretskii

>>>>> On Sat, 25 Nov 2023, Michael Albinus wrote:

> pinentry.el is synced from <https://github.com/ueno/pinentry-el>.
> Perhaps we shall ask Daiki Ueno <ueno@gnu.org> to merge the patches,
> and increase the version to 0.2.

> Would you like to contact him? I have no idea about this package, so I
> cannot discuss seriously with him.

I have filed a pull request:
https://github.com/ueno/pinentry-el/pull/6

For now, the etc/PROBLEMS entry mentions Emacs 25. It can be updated to
say GNU ELPA when a new version appears there.




