About the removal of pinentry.el

About the removal of pinentry.el

[Nicolas Petton]

[-- Attachment #1: Type: text/plain, Size: 710 bytes --]

Hi,

I wonder why pinentry.el was removed.  I did read the NEWS info about
it, but unless I'm missing something, setting epa-pinentry-mode to
loopback and using pinentry-emacs are two different things.

With the gpg-agent configured to use pinentry-emacs, when using gpg from
external programs the passphrase is asked from within Emacs.

However, AFAIK, setting epa-pinentry-mode to lookpack will only make use
of Emacs when used from within Emacs.

For instance, with pinentry-emacs, when evaluating `echo "foo" | gpg -s`
from a terminal like xterm, the passphrase is asked inside of Emacs
(instead of using another pinentry like pinentry-gtk).

Maybe I'm missing something?

Cheers,
Nico

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: About the removal of pinentry.el

[Eli Zaretskii]

> From: Nicolas Petton <nicolas@petton.fr>
> Date: Mon, 08 Jan 2018 22:16:40 +0100
> 
> I wonder why pinentry.el was removed.  I did read the NEWS info about
> it, but unless I'm missing something, setting epa-pinentry-mode to
> loopback and using pinentry-emacs are two different things.

Where do you see a reference to pinentry-emacs in NEWS?  Or maybe I'm
missing something obvious here.

Re: About the removal of pinentry.el

[Nicolas Petton]

[-- Attachment #1: Type: text/plain, Size: 286 bytes --]

Eli Zaretskii <eliz@gnu.org> writes:

> Where do you see a reference to pinentry-emacs in NEWS?  Or maybe I'm
> missing something obvious here.

Isn't pinentry-emacs only working when the pinentry service has been
started with `pinentry-start' (which was defined in pinentry.el)?

Nico

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: About the removal of pinentry.el

[Eli Zaretskii]

> From: Nicolas Petton <nicolas@petton.fr>
> Cc: emacs-devel@gnu.org
> Date: Mon, 08 Jan 2018 22:45:00 +0100
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> > Where do you see a reference to pinentry-emacs in NEWS?  Or maybe I'm
> > missing something obvious here.
> 
> Isn't pinentry-emacs only working when the pinentry service has been
> started with `pinentry-start' (which was defined in pinentry.el)?

Once again, the NEWS entry doesn't mention pinentry-emacs at all.  So
I wonder what is it that I'm missing here.

AFAIU, the NEWS entry just says that pinentry.el and the related
features are not needed with GnuPG >= 2.1, and are not very useful
with GnuPG < 2.1.  That's why we removed it: its only effect was to
confuse users.

Re: About the removal of pinentry.el

[Nicolas Petton]

[-- Attachment #1: Type: text/plain, Size: 632 bytes --]

Eli Zaretskii <eliz@gnu.org> writes:

Hi Eli,

I'm putting Daiki Ueno in Cc.

> Once again, the NEWS entry doesn't mention pinentry-emacs at all.

That's why I mentioned it here.  My thought was that pinentry.el might
have been removed while it is still a useful package.

> So I wonder what is it that I'm missing here.

I think that pinentry.el is still useful today for pinentry-emacs, when
configuring gpg-agent to use it.

> AFAIU, the NEWS entry just says that pinentry.el and the related
> features are not needed with GnuPG >= 2.1

Maybe pinentry-emacs can work without pinentry.el, and I'm not aware of
that?

Cheers,
Nico

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: About the removal of pinentry.el

[Daiki Ueno]

Nicolas Petton <nicolas@petton.fr> writes:

>> Once again, the NEWS entry doesn't mention pinentry-emacs at all.
>
> That's why I mentioned it here.  My thought was that pinentry.el might
> have been removed while it is still a useful package.
>
>> So I wonder what is it that I'm missing here.
>
> I think that pinentry.el is still useful today for pinentry-emacs, when
> configuring gpg-agent to use it.

It still works, but I don't think it's useful today, given that
epa-pinentry-mode 'loopback exists.  I would suggest the GnuPG upstream
to drop pinentry-emacs and any support for it in GnuPG itself.

Nevertheless, I admit I misremembered as if the package was added in
Emacs 26; it's was actually added in 25.  So it might be safer to
restore it under obsolete, although it is also available on ELPA:
http://elpa.gnu.org/packages/pinentry.html

>> AFAIU, the NEWS entry just says that pinentry.el and the related
>> features are not needed with GnuPG >= 2.1
>
> Maybe pinentry-emacs can work without pinentry.el, and I'm not aware of
> that?

No.

Regards,
-- 
Daiki Ueno

Re: About the removal of pinentry.el

[Nicolas Petton]

[-- Attachment #1: Type: text/plain, Size: 842 bytes --]

Daiki Ueno <ueno@gnu.org> writes:

> It still works, but I don't think it's useful today, given that
> epa-pinentry-mode 'loopback exists.

It is at least really useful to me :-)  I'm calling gpg outside of Emacs
a lot.

Correct me if I'm wrong, but setting epa-pinentry-mode to 'loopback
won't have any effect if I evaluate:

  (shell-command-to-string "echo 'foo' | gpg -s")

> I would suggest the GnuPG upstream to drop pinentry-emacs and any
> support for it in GnuPG itself.

That'd be a shame IMO, I use pinentry-emacs daily.

> Nevertheless, I admit I misremembered as if the package was added in
> Emacs 26; it's was actually added in 25.  So it might be safer to
> restore it under obsolete, although it is also available on ELPA:
> http://elpa.gnu.org/packages/pinentry.html

Is the ELPA version the same as the one in Emacs?

Nico

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: About the removal of pinentry.el

[John Wiegley]

>>>>> "NP" == Nicolas Petton <nicolas@petton.fr> writes:

>> Nevertheless, I admit I misremembered as if the package was added in Emacs
>> 26; it's was actually added in 25. So it might be safer to restore it under
>> obsolete, although it is also available on ELPA:
>> http://elpa.gnu.org/packages/pinentry.html

NP> Is the ELPA version the same as the one in Emacs?

I would prefer this be moved to ELPA; would that work for you Nicolas?

-- 
John Wiegley                  GPG fingerprint = 4710 CF98 AF9B 327B B80F
http://newartisans.com                          60E1 46C4 BD1A 7AC1 4BA2

Re: About the removal of pinentry.el

[Nicolas Petton]

[-- Attachment #1: Type: text/plain, Size: 275 bytes --]

John Wiegley <johnw@gnu.org> writes:

> I would prefer this be moved to ELPA; would that work for you Nicolas?

It's already in ELPA, and that would be fine with me, if we don't make
it obsolete, and if we don't suggest the GnuPG maintainers to drop
support for Emacs.

Nico

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: About the removal of pinentry.el

[Nicolas Petton]

[-- Attachment #1: Type: text/plain, Size: 172 bytes --]

John Wiegley <johnw@gnu.org> writes:

> I would prefer this be moved to ELPA; would that work for you Nicolas?

I guess we should change the NEWS entry then as well?

Nico

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: About the removal of pinentry.el

[John Wiegley]

>>>>> Nicolas Petton <nicolas@petton.fr> writes:

>> I would prefer this be moved to ELPA; would that work for you Nicolas?

> I guess we should change the NEWS entry then as well?

Sounds like it.

-- 
John Wiegley                  GPG fingerprint = 4710 CF98 AF9B 327B B80F
http://newartisans.com                          60E1 46C4 BD1A 7AC1 4BA2

Re: About the removal of pinentry.el

[Matthew Carter]

John Wiegley <johnw@gnu.org> writes:

>>>>>> Nicolas Petton <nicolas@petton.fr> writes:
>
>>> I would prefer this be moved to ELPA; would that work for you Nicolas?
>
>> I guess we should change the NEWS entry then as well?
>
> Sounds like it.

I'm not sure if this is the direct cause, but I built 26.0.x 
and 27.0.50 from source last night, and my use case seems to have broke,
as compared to how things function under the shipped Emacs 25.x.x in Arch Linux.

My previous use case/configuration was as follows:

In ~/.gnupg/gpg-agent.conf I had the following (gpg v2.1):

allow-emacs-pinentry
pinentry-program /usr/bin/pinentry-curses

I did *not* have the epa-pinentry-mode set to 'loopback in Emacs.

I would be able to run: "epa-decrypt-file ~/.mailpass.gpg /dev/null" in
an Eshell session (a file signed with my secret key) and be prompted by
the readpasswd prompt in Emacs to decrypt the file (this is with Emacs
in tty mode).  

With the Emacs 26/27 builds, instead of prompting, it would call up the
curses input (likewise for any of the GUI inputs if using an X session). 

Changing to epa-pinentry-mode 'loopback did not change this behavior for
epa-decrypt-file, however it did change it for a symmetric decryption of
~/.authinfo.gpg when I called M-x gnus (perhaps gnus uses a different
 decryption call?)
 
Can anyone suggest a way in which I can retain the functionality of
having Emacs decrypt gpg files while running a system without an X session? 

FWIW, I have a setenv call setting GPG_AGENT_INFO to empty string as
well (removing did not have an effect).


-- 
Matthew Carter (m@ahungry.com)
http://ahungry.com

Re: About the removal of pinentry.el

[Nicolas Petton]

[-- Attachment #1: Type: text/plain, Size: 1147 bytes --]

John Wiegley <johnw@gnu.org> writes:

> Sounds like it.

I updated the package on ELPA with the changes from the Emacs
repository.

What about the following NEWS entry?

  ** The pinentry.el library has been removed.
  The package is still available through ELPA.  With 'epa-pinentry-mode'
  set to the symbol 'loopback', epa can now redirect Pinentry queries to
  Emacs instead of an external Pinentry program.
  
  pinentry.el is still useful together with the 'pinentry-emacs' program
  to always use Emacs minibuffer to prompt for passphrases, even when
  using GnuPG outside of Emacs.
  
  Note that previously, it was said that passphrase input through
  minibuffer would be much less secure than other graphical pinentry
  programs.  However, these days the difference is insignificant: the
  'read-password' function sufficiently protects input from leakage to
  message logs.  Emacs still doesn't use secure memory to protect
  passphrases, but it was also removed from other pinentry programs as
  the attack is unrealistic on modern computer systems which don't
  utilize swap memory usually.

Cheers,
Nico

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: About the removal of pinentry.el

[Eli Zaretskii]

> From: Nicolas Petton <nicolas@petton.fr>
> Cc: Daiki Ueno <ueno@gnu.org>, Eli Zaretskii <eliz@gnu.org>, emacs-devel@gnu.org
> Date: Tue, 16 Jan 2018 14:19:05 +0100
> 
> I updated the package on ELPA with the changes from the Emacs
> repository.
> 
> What about the following NEWS entry?

It's okay, but I'd prefer not to remove the paragraph that explained
why the package was removed.  Without it the removal sounds rather
arbitrary.

Thanks.

Re: About the removal of pinentry.el

[Nicolas Petton]

[-- Attachment #1: Type: text/plain, Size: 362 bytes --]

Eli Zaretskii <eliz@gnu.org> writes:

> It's okay, but I'd prefer not to remove the paragraph that explained
> why the package was removed.  Without it the removal sounds rather
> arbitrary.

It does say that epa-pinentry-mode can now be set to loopback in which
case pinentry.el is not needed anymore for epa to use Emacs' minibuffer
to prompt for passphrases.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

Re: About the removal of pinentry.el

[Eli Zaretskii]

> From: Nicolas Petton <nicolas@petton.fr>
> Cc: johnw@gnu.org, ueno@gnu.org, emacs-devel@gnu.org
> Date: Tue, 16 Jan 2018 18:16:54 +0100
> 
> > It's okay, but I'd prefer not to remove the paragraph that explained
> > why the package was removed.  Without it the removal sounds rather
> > arbitrary.
> 
> It does say that epa-pinentry-mode can now be set to loopback in which
> case pinentry.el is not needed anymore for epa to use Emacs' minibuffer
> to prompt for passphrases.

Yes, but that's just part of the story, and it isn't immediately
apparent how that explains the removal.

Re: About the removal of pinentry.el

[Filipp Gunbin]

Nicolas, thanks for your work.

Maybe explicitly mention in NEWS that `allow-emacs-pinentry' in
gpg-agent.conf is now not needed for epa queries inside Emacs?

For those who continue to use pinentry.el for gpg usage outside emacs -
pinentry package mentions that setting.

Filipp

Re: About the removal of pinentry.el

[Kaushal Modi]

[-- Attachment #1: Type: text/plain, Size: 482 bytes --]

On Wed, Jan 17, 2018 at 10:05 AM Filipp Gunbin <fgunbin@fastmail.fm> wrote:

> Maybe explicitly mention in NEWS that `allow-emacs-pinentry' in
> gpg-agent.conf is now not needed for epa queries inside Emacs?
>

That was helpful!

1. Delete the line with allow-emacs-pinentry from the gpg-agent.conf
2. Leave the epa-pinentry-mode at the default value of nil (i.e. do NOT set
it to loopback).

With that, I was able to access my gpg encrypted documents once again.
-- 

Kaushal Modi

[-- Attachment #2: Type: text/html, Size: 913 bytes --]