Pinentry in emacs without X doesn't work reliably

Pinentry in emacs without X doesn't work reliably

[Tassilo Horn]

Hi all,

at work, I'm blocked from important information sources such as IRC and
the usenet.  To work around that limitation, I ssh to some server of
mine (and did I mention that I have to tunnel the ssh connection thru
HTTPS using corkscrew to access my server?!), and that server has a
current emacs master checkout which I use for Gnus and rcirc.

So far, so good.  My problem is that the server obviously has no X
server, but my connection information for gnus/rcirc are in files
encrypted using GnuPG (I use the same config files on all my machines).
When I fire up Gnus or rcirc, emacs will try to decrypt those files
transparently using EasyPG.

With my laptop, some X11/GTK/GNOME pinentry dialog pops up where I can
type in my password.  On the server, I get this (curses?) dialog:

       ┌────────────────────────────────────────────────────────────────┐
       │ Please enter the passphrase to unlock the OpenPGP secret key:  │
       │ "Tassilo Horn <my@mail.invalid>"                               │
       │ XXXX-bit ELG key, ID XXXXXXXXXXXXXXXX,                         │
       │ created 20XX-XX-XX (main key ID XXXXXXXXXXXXXXXX).             │
       │                                                                │
       │                                                                │
       │ Passphrase: __________________________________________________ │
       │                                                                │
       │         <OK>                                    <Cancel>       │
       └────────────────────────────────────────────────────────────────┘

Now the problem is, that my keyboard input doesn't seem to get thru to
that pinentry dialog reliably.  For examply, I type "geheimnis" and what
the dialog shows is, e.g., "**" as if it had only received two
characters.

So basically what I do is I type

  gggggggg
  ee
  hhhhhhhhhhhhhhhh
  eeeeee
  i
  mmmmmmm
  nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
  iiiiiiiiiiiiiiiiiii
  ssss

that is, I repeat every password char as long as no additional * shows
up at the password prompt.

Sometimes, that quirky workaround doesn't even help.  I can type "g" as
often as I want and nothing appears at the dialog.

I think I encountered that problem for quite some time now but it hasn't
been important enough to complain.  Well, now it is.

The server is running gnupg-2.1.13 and pinentry-0.9.7 where the latter
has the following pinentry programs (not sure which is used):

  /usr/bin/pinentry-curses
  /usr/bin/pinentry-emacs
  /usr/bin/pinentry-gnome3
  /usr/bin/pinentry-gtk-2
  /usr/bin/pinentry-qt
  /usr/bin/pinentry-tty

Any idea how to fix or debug that issue?

Thanks,
Tassilo

Re: Pinentry in emacs without X doesn't work reliably

[HASM]

> Now the problem is, that my keyboard input doesn't seem to get thru to
> that pinentry dialog reliably.

Did you install gnugp-1 on your system?

Did you have or create this file
  ~/.gnupg/gpg-agent.conf
and have/add these lines into it:
  allow-emacs-pinentry
  pinentry-program /usr/bin/pinentry-emacs
(replace the path above to where your pinentry-emacs is)?

Did you add these lines to your emacs initialization:
  (load "pinentry")
  (pinentry-start)
  (setq epg-gpg-program "gpg")
(or use customize instead of the last line)?

Hopefully I didn't forget anything above.  With that setup I get a
pinentry dialog within emacs and no curses or gtk crap.

-- HASM

  
 

Re: Pinentry in emacs without X doesn't work reliably

[Tassilo Horn]

HASM <hasm@example.invalid> writes:

Hi HASM,

>> Now the problem is, that my keyboard input doesn't seem to get thru
>> to that pinentry dialog reliably.
>
> Did you install gnugp-1 on your system?

Nope, but that should work with GnuPG-2, too.

> Did you have or create this file
>   ~/.gnupg/gpg-agent.conf
> and have/add these lines into it:
>   allow-emacs-pinentry
>   pinentry-program /usr/bin/pinentry-emacs
> (replace the path above to where your pinentry-emacs is)?

Ah, cool.  That and installing the pinentry ELPA package made the thing
work!  Now my ~/.gnupg/gpg-agent.conf on the server is

--8<---------------cut here---------------start------------->8---
daemon
allow-emacs-pinentry
enable-ssh-support
max-cache-ttl 14400
max-cache-ttl-ssh 14400
default-cache-ttl 7200
default-cache-ttl-ssh 14400
pinentry-program /usr/bin/pinentry-emacs
--8<---------------cut here---------------end--------------->8---

> Did you add these lines to your emacs initialization:
>   (load "pinentry")
>   (pinentry-start)
>   (setq epg-gpg-program "gpg")
> (or use customize instead of the last line)?

Since I installed it via ELPA, I can just call (pinentry-start) without
loading before.  And `epg-gpg-program' is "gpg2" here.

But I wonder if

  pinentry-program /usr/bin/pinentry-emacs

is the right thing to do.  What if some other program needs a pinentry?
The pinentry ELPA package description doesn't say I need that line.

  https://elpa.gnu.org/packages/pinentry.html

However, when I remove that line, I get an error that there's no
pinentry program.

I hoped that allow-emacs-pinentry would somehow use pinentry-emacs if
running inside emacs and some other pinentry program for non-emacs
programs.

Daiki, since you've made the thing, do you have a clue what else I might
need?  I'm running gnupg-2.1.13 and pinentry-0.9.7, so according to the
pinentry ELPA package docs, those versions should be recent enough.  Or
maybe it's the other way round and pinentry-emacs spawns the right
pinentry depending on if we're running inside emacs?  Then that we need
to also set the pinentry-program to pinentry-emacs should be documented.

Bye,
Tassilo