unofficial mirror of emacs-devel@gnu.org 
* interjecting a custom epa passphrase prompt
@ 2010-12-02  2:04 ken manheimer
  2010-12-02  2:26 ` Daiki Ueno
  0 siblings, 1 reply; 9+ messages in thread
From: ken manheimer @ 2010-12-02  2:04 UTC (permalink / raw)
  To: emacs-devel, Daiki Ueno


hi!  i'm working on migrating allout.el topic encryption to the epg.el
interface to gpg, but am encountering a problem.  i would like to continue
to maintain some unique passphrase features unique to working with multiple
entries in a single file, but i'm failing to substitute my custom passphrase
prompting for the epg passphrase callback mechanisms, and i wonder what i'm
doing wrong.

specifically, i am trying to use 'epg-context-set-passphrase-callback' to
adjust the context for encryption to try to interject my own prompting, but
it's having no effect.  i see that 'epg-passphrase-callback-function' has
been marked obsolete, but that looks like a separate provision from the
context-specific callback.  in fact, i'm hoping so, because without a way to
explicitly reuse a passphrase i have no way to do verification of a
symmetric passphrase against one associated with all topics in the file, or
to present a similarly associated passphrase hint.  (i also figure
that 'epg-context-set-passphrase-callback' would have been removed, or at
least conspicuously marked as ineffective, if it no longer works!)

has all provision for custom passphrase prompting in epg been eliminated?
-- 
ken
http://myriadicity.net


* Re: interjecting a custom epa passphrase prompt
  2010-12-02  2:04 interjecting a custom epa passphrase prompt ken manheimer
@ 2010-12-02  2:26 ` Daiki Ueno
  2010-12-05 17:51   ` ken manheimer
  0 siblings, 1 reply; 9+ messages in thread
From: Daiki Ueno @ 2010-12-02  2:26 UTC (permalink / raw)
  To: ken manheimer; +Cc: emacs-devel

ken manheimer <ken.manheimer@gmail.com> writes:

> i am trying to use 'epg-context-set-passphrase-callback' to adjust the
> context for encryption to try to interject my own prompting, but it's
> having no effect.

Most likely you are using GnuPG 2, which does not ask for the passphrase on tty
or on status FD, unlike GnuPG 1.  Try:

$ gpg --version

Assuming that:

> has all provision for custom passphrase prompting in epg been
> eliminated?

Still you could use GnuPG 1 for your custom passphrase prompting, since
GnuPG 2 is not a newer version of GnuPG, but a separate product.

Regards,
-- 
Daiki Ueno




* Re: interjecting a custom epa passphrase prompt
  2010-12-02  2:26 ` Daiki Ueno
@ 2010-12-05 17:51   ` ken manheimer
  2011-05-20  3:43     ` Thomas Lynch
  0 siblings, 1 reply; 9+ messages in thread
From: ken manheimer @ 2010-12-05 17:51 UTC (permalink / raw)
  To: Daiki Ueno; +Cc: emacs-devel

On Wed, Dec 1, 2010 at 9:26 PM, Daiki Ueno <ueno@unixuser.org> wrote:
>
> ken manheimer <ken.manheimer@gmail.com> writes:
>
> > i am trying to use 'epg-context-set-passphrase-callback' to adjust the
> > context for encryption to try to interject my own prompting, but it's
> > having no effect.
>
> Most likely you are using GnuPG 2, which does not ask for the passphrase on tty
> or on status FD, unlike GnuPG 1.  Try:
>
> $ gpg --version

you're right, i was using gnupg v2.

> Assuming that:
>
> > has all provision for custom passphrase prompting in epg been
> > eliminated?
>
> Still you could use GnuPG 1 for your custom passphrase prompting, since
> GnuPG 2 is not a newer version of GnuPG, but a separate product.

well, i'm surprised!  the passphrase callback does become effective
when i switch to using gnupg v1.  i'm very glad i have an avenue to
preserve the allout features.  it's a mixed situation, though,
requiring user intervention to make a configuration choice that has
unclear security and other implications.

i think i understand that epg design decision, though - epg uses the
discretion for prompting that the underlying gnupg implementation
makes available, in a sense deferring responsibility for that security
exposure to that underlying gnupg implementation.

i guess i can tell allout users that they can get passphrase hinting
and verification if they configure epg to use gnupg v1 rather than
gnupg v2, but to realize that that involves passphrase handling in
emacs lisp code, which is more susceptible to subversion than
containing it solely in the gnupg execution.

one thing i notice would have been helpful would be to have some clear
warning about this underlying gnupg behavior dependence in the epg.el
code, somehow associated with the passphrase callback code.  if
situated well and clearly, this could help developers using the epg
library a lot in making choices connected with somewhat special uses
like mine, in allout.

i want to thank you very much for the speedy response, by the way!
that was very helpful - i could quickly confirm that i could reap some
results from my efforts to that point, and continue forward, which was
very reassuring.  i'm sorry i didn't reply sooner - the little time i
had available was spent confirming and scoping out how i would use the
passphrase callback.  i hope to have some more time, soon, to complete
allout's switchover to epg.

> Regards,
> --
> Daiki Ueno

--
ken
http://myriadicity.net
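
[Added example, not part of the original thread and not code from allout.el or epg.el.  It sketches the kind of guard discussed above: check which GnuPG major version epg will run before relying on a context passphrase callback, and fail loudly when the callback would be ignored.  All `demo-' names are hypothetical; it assumes the epg.el interface discussed in this thread.]

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: every `demo-' name is hypothetical.
(require 'epg)
(require 'epg-config)

(defun demo-gnupg-major-version ()
  "Return the major version of the GnuPG that `epg-gpg-program' names, or nil."
  (let ((version (cdr (assq 'version (epg-configuration)))))
    (and (stringp version)
         (string-to-number (car (split-string version "\\."))))))

(defun demo-passphrase-callback (_context key-id hint)
  "Prompt for a passphrase, showing HINT (the handback data set on the context).
KEY-ID is the symbol `SYM' when gpg asks on behalf of symmetric encryption."
  (read-passwd
   (format "%s passphrase (hint: %s): "
           (if (eq key-id 'SYM) "Symmetric" (format "Key %s" key-id))
           hint)))

(defun demo-encrypt-with-hint (text hint)
  "Symmetrically encrypt TEXT, prompting through `demo-passphrase-callback'.
Signal an error instead of encrypting when the engine is not GnuPG 1,
because (per this thread) GnuPG 2 does not ask for the passphrase on
the status FD, so the callback would never be consulted."
  (let ((major (demo-gnupg-major-version)))
    (unless (eql major 1)
      (error "%s is GnuPG %s; custom passphrase prompting needs GnuPG 1"
             epg-gpg-program (or major "of unknown version")))
    (let ((context (epg-make-context 'OpenPGP)))
      (epg-context-set-armor context t)
      ;; A cons (FUNCTION . DATA) makes epg pass DATA as the third argument.
      (epg-context-set-passphrase-callback
       context (cons #'demo-passphrase-callback hint))
      ;; nil recipients selects symmetric encryption.
      (epg-encrypt-string context text nil))))
```
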




* Re: interjecting a custom epa passphrase prompt
  2010-12-05 17:51   ` ken manheimer
@ 2011-05-20  3:43     ` Thomas Lynch
  2011-05-20  6:35       ` Daiki Ueno
  0 siblings, 1 reply; 9+ messages in thread
From: Thomas Lynch @ 2011-05-20  3:43 UTC (permalink / raw)
  To: emacs-devel


Ah, this is awful. I am writing an automated program where many
passphrases are being generated, but the call back to get the passphrase is not
working. Why would someone who doesn't know my needs make a design decision that
can't even be worked around and break my code?  The SUSE update distribution has
dependencies on gpg 2 and looks like other things will break if I uninstall it.






* Re: interjecting a custom epa passphrase prompt
  2011-05-20  3:43     ` Thomas Lynch
@ 2011-05-20  6:35       ` Daiki Ueno
  2011-05-21 15:30         ` Tom Lynch
  0 siblings, 1 reply; 9+ messages in thread
From: Daiki Ueno @ 2011-05-20  6:35 UTC (permalink / raw)
  To: Thomas Lynch; +Cc: emacs-devel

Thomas Lynch <dimitrisdad@gmail.com> writes:

> The SUSE update distribution has dependencies on gpg 2 and looks like
> other things will break if I uninstall it.

You don't need to uninstall gpg 2, but you can install gpg 1 as well.
They can reside simultaneously in a single system.




* Re: interjecting a custom epa passphrase prompt
  2011-05-20  6:35       ` Daiki Ueno
@ 2011-05-21 15:30         ` Tom Lynch
  2011-05-22  0:41           ` Daiki Ueno
  0 siblings, 1 reply; 9+ messages in thread
From: Tom Lynch @ 2011-05-21 15:30 UTC (permalink / raw)
  To: Daiki Ueno; +Cc: emacs-devel

Well it is good that both can be installed, but how?

I'm looking through the repositories at software.opensuse.org and via
YAST on my system.

I already have libgpgme11 installed.   Neither gpg nor gpg 2 appear in
the requirements list.  I am compiling with 'gpgme-config --libs
--cflags' and it is clearly pulling in gpg 2 stuff.

There is another gpgme package listed (without the '11') - but it
clearly lists 'gpg 2' as a package required dependency.

A search for 'gpg 1' comes up empty.  When doing a search for 'gpg'
and looking through the whole list, there is nothing that talks about
anything except gpg2.

So where does one find 'gpg 1' ?  How do you convince gpgme to use it?





On 5/20/11, Daiki Ueno <ueno@unixuser.org> wrote:
> Thomas Lynch <dimitrisdad@gmail.com> writes:
>
>> The SUSE update distribution has dependencies on gpg 2 and looks like
>> other things will break if I uninstall it.
>
> You don't need to uninstall gpg 2, but you can install gpg 1 as well.
> They can reside simultaneously in a single system.
>




* Re: interjecting a custom epa passphrase prompt
  2011-05-21 15:30         ` Tom Lynch
@ 2011-05-22  0:41           ` Daiki Ueno
  2011-05-22 23:07             ` Tom Lynch
  0 siblings, 1 reply; 9+ messages in thread
From: Daiki Ueno @ 2011-05-22  0:41 UTC (permalink / raw)
  To: Tom Lynch; +Cc: emacs-devel

Tom Lynch <dimitrisdad@gmail.com> writes:

> Well it is good that both can be installed, but how?
>
> I'm looking through the repositories at software.opensuse.org and via
> YAST on my system.

From a quick Web search with keywords "opensuse gpg1":

http://sinewalker.wordpress.com/2011/03/17/using-emacs-easypg-in-text-terminals/




* Re: interjecting a custom epa passphrase prompt
  2011-05-22  0:41           ` Daiki Ueno
@ 2011-05-22 23:07             ` Tom Lynch
  2011-05-22 23:09               ` Tom Lynch
  0 siblings, 1 reply; 9+ messages in thread
From: Tom Lynch @ 2011-05-22 23:07 UTC (permalink / raw)
  To: Daiki Ueno; +Cc: emacs-devel

On the repository search site  "gpg1" shows up with nothing.  On a
google search 'gpg1' shows a build log as having failed for 11.3, and
nothing listed for 11.4:

Drive_go openSUSE_11.3
Repository has been published i586 failed
Repository has been published x86_64 failed
Drive_go openSUSE_Factory
Repository has been published i586 failed
Repository has been published x86_64 failed

I went to the site http://www.gnupg.org/download/index.en.html  and
downloaded the sources for GnuPG 1.4.11   and GPGME
gpgme-1.3.0.tar.bz2, installed them in the /usr/local tree and then
linked my program against them.   I was surprised when it compiled
without errors as I had to change the syntax to compile against gpg2
-- has the syntax been changed for updates of gpg1 also?  When I run
my program, it still does not do the call back to get the passphrase.

Note,

> /usr/local/bin/gpgme-config --libs
-L/usr/local/lib -lgpgme -lassuan -lgpg-error -lgpg-error

That is the right tree /usr/local/lib -- but where does gpgme pick up
gpg?  Is it actually calling the binary as one would from the console
rather than calling a library routine?  How do I tell gpgme to use
gpg1?

FYI when I ask my program to check the gpgme version it comes back
saying it was the 1.3, the version I just built from sources in the
local tree.

compounding this problem is that the debian installer for Suse crashes
with an error on the 11.4 install, so yet another option has been cut
off ..




* Re: interjecting a custom epa passphrase prompt
  2011-05-22 23:07             ` Tom Lynch
@ 2011-05-22 23:09               ` Tom Lynch
  0 siblings, 0 replies; 9+ messages in thread
From: Tom Lynch @ 2011-05-22 23:09 UTC (permalink / raw)
  To: Daiki Ueno; +Cc: emacs-devel

Ok, all in the local directory now.

I compiled gpgme with:

 # ./configure --prefix=/usr/local --with-gpg=/usr/local/bin/gpg

Note:

 # /usr/local/bin/gpg --version
gpg (GnuPG) 1.4.11
Copyright (C) 2010 Free Software Foundation, Inc.

I added this code to my program to print out the engine info:

    // needs <gpgme.h> and <iostream>
    gpgme_engine_info_t infop;
    // gpgme_get_engine_info hands back the head of a linked list of engines
    if(gpgme_get_engine_info (&infop) != GPG_ERR_NO_ERROR || !infop){
      std::cout << "could not determine engine info" << std::endl;
    }else{
      std::cout << "engines available: ";
      do{
        std::cout << std::endl;
        if(infop->file_name)   std::cout << "file:"        << infop->file_name    << " ";
        if(infop->home_dir)    std::cout << "home:"        << infop->home_dir     << " ";
        if(infop->version)     std::cout << "version:"     << infop->version      << " ";
        if(infop->req_version) std::cout << "req_version:" << infop->req_version  << " ";
        infop = infop->next;   // advance to the next engine entry
      }while(infop);
      std::cout << std::endl;
    }

I compiled, it does this:

g++ -c baz.cc -g -D_FILE_OFFSET_BITS=64 -DLARGEFILE_SOURCE=1 `/usr/local/bin/gpgme-config --cflags`
g++ -o baz baz.o `/usr/local/bin/gpgme-config --libs`

and run the program and get:

> ./baz
using gpgme lib version: 1.3.0
engines available:
file:/usr/bin/gpg2 version:2.0.16 req_version:2.0.10
<************* why, how???
file:/usr/bin/gpgsm version:2.0.16 req_version:2.0.10
file:/usr/bin/gpgconf version:2.0.16 req_version:2.0.10
file:/tmp/gpg-4q60GX/S.gpg-agent home:!GPG_AGENT version:1.0 req_version:1.0


note:
> /usr/local/bin/gpgme-config --libs
-L/usr/local/lib -lgpgme -lassuan -lgpg-error -lgpg-error


