* GnuPG passphrase in Emacs minibuffer
@ 2022-08-21  4:44 Andrew L. Moore
  2022-08-21  5:58 ` Eli Zaretskii
  0 siblings, 1 reply; 3+ messages in thread
From: Andrew L. Moore @ 2022-08-21  4:44 UTC (permalink / raw)
  To: emacs-devel

To allow a GnuPG passphrase in the Emacs minibuffer, I use the external 
Emacs package pinentry.el in loopback mode*:

(setq epg-pinentry-mode 'loopback)

Unfortunately, this doesn't work on Debian-based systems without 
upgrading the pinentry source (use: git://git.gnupg.org/pinentry.git).

But it turns out that pinentry.el may not be required any more.  It is 
enough to add to the file ~/.gnupg/gpg.conf the line:

     pinentry-mode loopback

and to ~/.gnupg/gpg-agent.conf:

     allow-loopback-pinentry

Restart gpg-agent and that's it.  The most obvious difference is that 
pinentry.el provides a more informative prompt, e.g.,

     [[1399721]@slewsys.org] Please enter the passphrase to unlock the OpenPGP secret key:
     "Andrew L. Moore <alm@slewsys.org>"
     255-bit EDDSA key, ID 0x0AB16F2E536D3DB5,
     created 2021-11-01.:

versus when GnuPG runs PINEntry in loopback mode:

     Enter passphrase:

Notably, the PINEntry manual warns:

   Having Emacs get the passphrase is convenient, however, it is a
   significant security risk. Emacs is a huge program, which doesn't
   provide any process isolation to speak of. As such, having it handle
   the passphrase adds a huge chunk of code to the user's trusted
   computing base. Because of this concern, Emacs doesn't enable this by
   default...

I'm not sure if one of the methods above is more secure in this regard.

------------------------------------------------------------------------

* The full configuration of pinentry.el is as follows:

In ~/.emacs or other config file, add:

     (require 'pinentry)

     (setq epg-pinentry-mode 'loopback)
     (pinentry-start)

In ~/.gnupg/gpg-agent.conf add:

     allow-loopback-pinentry
     allow-emacs-pinentry

Then restart gpg-agent.


* Re: GnuPG passphrase in Emacs minibuffer
  2022-08-21  4:44 GnuPG passphrase in Emacs minibuffer Andrew L. Moore
@ 2022-08-21  5:58 ` Eli Zaretskii
  2022-08-21  7:57   ` Andrew L. Moore
  0 siblings, 1 reply; 3+ messages in thread
From: Eli Zaretskii @ 2022-08-21  5:58 UTC (permalink / raw)
  To: Andrew L. Moore; +Cc: emacs-devel

> Date: Sun, 21 Aug 2022 00:44:25 -0400
> From: "Andrew L. Moore" <slewsys@gmail.com>
> 
> To allow a GnuPG passphrase in the Emacs minibuffer, I use the external 
> Emacs package pinentry.el in loopback mode*:
> 
> (setq epg-pinentry-mode 'loopback)
> 
> Unfortunately, this doesn't work on Debian-based systems without 
> upgrading the pinentry source (use: git://git.gnupg.org/pinentry.git).
> 
> But it turns out that pinentry.el may not be required any more.  It is 
> enough to add to the file ~/.gnupg/gpg.conf the line:
> 
>      pinentry-mode loopback
> 
> and to ~/.gnupg/gpg-agent.conf:
> 
>      allow-loopback-pinentry
> 
> Restart gpg-agent and that's it.  The most obvious difference is that 
> pinentry.el provides a more informative prompt, e.g.,
> 
>      [[1399721]@slewsys.org] Please enter the passphrase to unlock the 
> OpenPGP secret key:
>      "Andrew L. Moore <alm@slewsys.org>"
>      255-bit EDDSA key, ID 0x0AB16F2E536D3DB5,
>      created 2021-11-01.:
> 
> versus when GnuPG runs PINEntry in loopback mode:
> 
>      Enter passphrase:

This is in Emacs NEWS that shipped with Emacs 26, no?


* Re: GnuPG passphrase in Emacs minibuffer
  2022-08-21  5:58 ` Eli Zaretskii
@ 2022-08-21  7:57   ` Andrew L. Moore
  0 siblings, 0 replies; 3+ messages in thread
From: Andrew L. Moore @ 2022-08-21  7:57 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: emacs-devel

On 8/21/22 01:58, Eli Zaretskii wrote:
>> Date: Sun, 21 Aug 2022 00:44:25 -0400
>> From: "Andrew L. Moore" <slewsys@gmail.com>
>>
>> To allow a GnuPG passphrase in the Emacs minibuffer, I use the external
>> Emacs package pinentry.el in loopback mode*:
>>
>> (setq epg-pinentry-mode 'loopback)
>>
>> Unfortunately, this doesn't work on Debian-based systems without
>> upgrading the pinentry source (use: git://git.gnupg.org/pinentry.git).
>>
>> But it turns out that pinentry.el may not be required any more.  It is
>> enough to add to the file ~/.gnupg/gpg.conf the line:
>>
>>       pinentry-mode loopback
>>
>> and to ~/.gnupg/gpg-agent.conf:
>>
>>       allow-loopback-pinentry
>>
>> Restart gpg-agent and that's it.  The most obvious difference is that
>> pinentry.el provides a more informative prompt, e.g.,
>>
>>       [[1399721]@slewsys.org] Please enter the passphrase to unlock the
>> OpenPGP secret key:
>>       "Andrew L. Moore <alm@slewsys.org>"
>>       255-bit EDDSA key, ID 0x0AB16F2E536D3DB5,
>>       created 2021-11-01.:
>>
>> versus when GnuPG runs PINEntry in loopback mode:
>>
>>       Enter passphrase:
> 
> This is in Emacs NEWS that shipped with Emacs 26, no?

The Emacs 26 etc/NEWS article about removing pinentry.el appears to be 
incomplete.  I only see mentioned that:

     allow-emacs-pinentry

should be removed from ~/.gnupg/gpg-agent.conf.  This is necessary but 
insufficient. And reference to the variable `epg-pinentry-mode' affects 
only EasyPG, not other contexts like signing commits with Magit.

To allow Magit and other packages to enter a GnuPG passphrase in the 
Emacs minibuffer, the critical step is to add to ~/.gnupg/gpg.conf:

     pinentry-mode loopback

This works for EasyPG as well, without having to set the 
epg-pinentry-mode variable.



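The procedure discussed in both messages above (the first post's gpg.conf / gpg-agent.conf recipe and the follow-up's point that `pinentry-mode loopback` in gpg.conf is the step that also covers Magit) is easy to get half-applied, and the security-relevant question is which program ends up handling the passphrase. The script below is an added example written for this thread, not code from the thread or from the GnuPG or Emacs projects. It reads a GnuPG home directory, reports which passphrase-entry path the configuration selects, and can add the two loopback lines idempotently. It assumes POSIX sh with `sed` and `grep`; the option names come from the thread, the directory used in the demonstration is a constructed temporary one, and `gpgconf --kill gpg-agent` is the stock GnuPG way to restart the agent, kept out of the automatic run so the script does not touch a live agent.

```shell
#!/bin/sh
# Added example: inspect a GnuPG home directory and report which passphrase-entry
# path gpg and gpg-agent will use, then optionally enable loopback pinentry.
# The config option names (pinentry-mode loopback, allow-loopback-pinentry,
# allow-emacs-pinentry) are the ones from the thread; everything else is assumed.

# Return success if OPTION is set (uncommented) in FILE.
conf_has() {  # conf_has FILE OPTION
  [ -f "$1" ] && sed 's/#.*//' "$1" | grep -qE "^[[:space:]]*$2([[:space:]]|$)"
}

# Print which program is trusted with the passphrase for a given GNUPGHOME:
#   loopback-ok       gpg asks for loopback and the agent allows it: the calling
#                     program (e.g. Emacs, or Emacs via Magit) handles the passphrase
#   loopback-blocked  gpg.conf asks for loopback but gpg-agent.conf refuses it
#   emacs-pinentry    pinentry.el path: Emacs registers itself as the pinentry
#   external-pinentry a separate pinentry program does the prompting
pinentry_path() {  # pinentry_path GNUPGHOME
  home=$1
  if conf_has "$home/gpg.conf" "pinentry-mode loopback"; then
    if conf_has "$home/gpg-agent.conf" "allow-loopback-pinentry"; then
      echo loopback-ok
    else
      echo loopback-blocked
    fi
  elif conf_has "$home/gpg-agent.conf" "allow-emacs-pinentry"; then
    echo emacs-pinentry
  else
    echo external-pinentry
  fi
}

# Add the two loopback lines only if they are not already present, and keep the
# usual restrictive permissions on the GnuPG home and its config files.
enable_loopback() {  # enable_loopback GNUPGHOME
  home=$1
  mkdir -p "$home" && chmod 700 "$home"
  conf_has "$home/gpg.conf" "pinentry-mode loopback" \
    || printf '%s\n' 'pinentry-mode loopback' >> "$home/gpg.conf"
  conf_has "$home/gpg-agent.conf" "allow-loopback-pinentry" \
    || printf '%s\n' 'allow-loopback-pinentry' >> "$home/gpg-agent.conf"
  chmod 600 "$home/gpg.conf" "$home/gpg-agent.conf"
}

# Restart the running agent so gpg-agent.conf is re-read. Not run automatically
# below because it affects the real agent, not the demonstration directory.
restart_agent() {
  command -v gpgconf >/dev/null 2>&1 && gpgconf --kill gpg-agent
}

# Demonstration on a constructed temporary GnuPG home (never the real ~/.gnupg).
demo_home=$(mktemp -d)
printf 'allow-emacs-pinentry\n' > "$demo_home/gpg-agent.conf"
echo "before: $(pinentry_path "$demo_home")"   # emacs-pinentry
enable_loopback "$demo_home"
echo "after:  $(pinentry_path "$demo_home")"   # loopback-ok
rm -rf "$demo_home"
```

Run it against the real configuration with `pinentry_path "${GNUPGHOME:-$HOME/.gnupg}"` to see which path is live; `loopback-ok` is exactly the situation the quoted PINEntry manual text describes, where the calling program, not a separate pinentry, is trusted with the passphrase. The `loopback-blocked` state is the common half-applied configuration: gpg.conf was edited but gpg-agent.conf was not, so gpg fails to get a passphrase at all.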
