Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Michael Heerdegen]

Hi,

since some days ago, epg-gpg-program defaults to gpg2 (when installed)
in emacs-25.

With that new default, when Gnus tries to open my "~/.authinfo.gpg", I'm
prompted for its password in a separate popup (X) window.  With
epg-gpg-program -> "gpg", Emacs itself prompted for the password.  That's
the behavior I prefer.

Is there any way to get the old behavior back?


Thanks,

Michael.

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Teemu Likonen]

[-- Attachment #1: Type: text/plain, Size: 836 bytes --]

Michael Heerdegen [2016-02-08 15:44:19+01] wrote:

> since some days ago, epg-gpg-program defaults to gpg2 (when installed)
> in emacs-25.
>
> With that new default, when Gnus tries to open my "~/.authinfo.gpg",
> I'm prompted for its password in a separate popup (X) window. With
> epg-gpg-program -> "gpg", Emacs itself prompted for the password.
> That's the behavior I prefer.

The present and the future of GPG (version 2.x and above) is to use
gpg-agent and pinentry. I think there's no way to escape that. And it's
better. But it seems that there are pinentry implementation(s) for
Emacs. There is one in GNU Elpa and I also found this:

https://github.com/ecraven/pinentry-emacs

-- 
/// Teemu Likonen   - .-..   <https://github.com/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Michael Heerdegen]

Teemu Likonen <tlikonen@iki.fi> writes:

> The present and the future of GPG (version 2.x and above) is to use
> gpg-agent and pinentry. I think there's no way to escape that. And it's
> better. But it seems that there are pinentry implementation(s) for
> Emacs. There is one in GNU Elpa [...]

Ok, thanks.  (BTW, part of the problem is that when I get the X popup,
Emacs is in an unresponsive state.  And I need Emacs to get the
password.  So I need to run a second Emacs instance, or get the password
before calling Gnus.)

I tried pinentry.el from Gnu Elpa.  What do I need to add exactly to
"~/.gnupg/gpg-agent.conf"?  Just "allow-emacs-pinentry" as the package's
doc tells doesn't work.

I could figure it out myself I guess, but I decided to CC the author and
hope we can improve the package's doc instead.


Thanks,

Michael.

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Joakim Jalap]

Michael Heerdegen <michael_heerdegen@web.de> writes:

> Teemu Likonen <tlikonen@iki.fi> writes:
>
>> The present and the future of GPG (version 2.x and above) is to use
>> gpg-agent and pinentry. I think there's no way to escape that. And it's
>> better. But it seems that there are pinentry implementation(s) for
>> Emacs. There is one in GNU Elpa [...]
>
> Ok, thanks.  (BTW, part of the problem is that when I get the X popup,
> Emacs is in an unresponsive state.  And I need Emacs to get the
> password.  So I need to run a second Emacs instance, or get the password
> before calling Gnus.)
>
> I tried pinentry.el from Gnu Elpa.  What do I need to add exactly to
> "~/.gnupg/gpg-agent.conf"?  Just "allow-emacs-pinentry" as the package's
> doc tells doesn't work.
>
> I could figure it out myself I guess, but I decided to CC the author and
> hope we can improve the package's doc instead.

FWIW, this is what I have in my config regarding Gnupg:

**** GPG

     So, this was a bit of a pain to get working, but now it works. For some
     inexplicable reason, pinentry-emacs isn't built by default on
     either FreeBSD or Arch, so one has to build it from source, and add
     =--enable-pinentry-emacs=. Then add "allow-pinentry-emacs" to
     =~/.gnupg/gpg-agent.conf=.
     Then one simply does:
     #+BEGIN_SRC emacs-lisp
       (require 'pinentry)
       (pinentry-start)
       (setenv "INSIDE_EMACS" "YES")
     #+END_SRC

I also have the cache time set to some ridiculously high value so I
don't have to enter my password all the time, but I guess that's another story.

>
> Thanks,
>
> Michael.

Hope it helps :)

Joakim

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Michael Heerdegen]

Hi Joakim,

> FWIW, this is what I have in my config regarding Gnupg:
>
> **** GPG
>
>      So, this was a bit of a pain to get working, but now it
> works. For some
>      inexplicable reason, pinentry-emacs isn't built by default on
>      either FreeBSD or Arch, so one has to build it from source, and add
>      =--enable-pinentry-emacs=. Then add "allow-pinentry-emacs" to
>      =~/.gnupg/gpg-agent.conf=.
>      Then one simply does:
>
>      #+BEGIN_SRC emacs-lisp
>        (require 'pinentry)
>        (pinentry-start)
>        (setenv "INSIDE_EMACS" "YES")
>      #+END_SRC
> [...]

Thanks for answering!

What is pinentry-emacs - this one?

    https://github.com/ecraven/pinentry-emacs

Do you mean I need to install this to be able to use pinentry.el (which,
I found out, already comes with Emacs 25)?


Regards,

Michael.

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Joakim Jalap]

Michael Heerdegen <michael_heerdegen@web.de> writes:

>
> What is pinentry-emacs - this one?
>
>     https://github.com/ecraven/pinentry-emacs
>

No, pinentry-emacs is a binary which can be built when building pinentry
from source. It's been a long time since I dug into this, but I managaed
to find what I found then :)

If you clone the pinentry repo:

git clone git://git.gupg.org/pinentry.git

And run ./autogen.sh and the ./configure --help

You will see the option --enable-pinentry-emacs. So that's what you
should build with :)

There's also the option --enable-inside-emacs, but I think this will be
set by --enable-pinentry-emacs.

> Do you mean I need to install this to be able to use pinentry.el (which,
> I found out, already comes with Emacs 25)?

Well, I guess. I don't really know, sorry. But I think you need some
program for entering the password, and I guess this is the official way
to do it. But the gnupg maintainers really don't seem to like it, which
is why Arch and FreeBSD don't build it by default I guess.

Hope it helps :)

Joakim

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Michael Heerdegen]

Joakim Jalap <joakim.jalap@fastmail.com> writes:


> No, pinentry-emacs is a binary which can be built when building pinentry
> from source. It's been a long time since I dug into this, but I managaed
> to find what I found then :)
>
> If you clone the pinentry repo:
>
> git clone git://git.gupg.org/pinentry.git
>
> And run ./autogen.sh and the ./configure --help
>
> You will see the option --enable-pinentry-emacs. So that's what you
> should build with :)
>
> There's also the option --enable-inside-emacs, but I think this will be
> set by --enable-pinentry-emacs.

I see.


> > Do you mean I need to install this to be able to use pinentry.el (which,
> > I found out, already comes with Emacs 25)?
>
> Well, I guess. I don't really know, sorry. But I think you need some
> program for entering the password, and I guess this is the official way
> to do it. But the gnupg maintainers really don't seem to like it, which
> is why Arch and FreeBSD don't build it by default I guess.

Same on Debian obviously.

Is it bad to get "Emacs in contact with the password", do I lose
security (question to all)?  The main advantage of pinentry seems to be
that it avoids to leave a password in the swap partition.

Is using pinentry via pinentry.el in Emacs similarly secure as using a
different pinentry dialog?


Michael.

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Joakim Jalap]

Michael Heerdegen <michael_heerdegen@web.de> writes:

> Same on Debian obviously.

Yeah, nobody seems to like it, I guess the only reason they still keep
it around is because of Emacs' special status in the GNU project.

> Is it bad to get "Emacs in contact with the password", do I lose
> security (question to all)?  The main advantage of pinentry seems to be
> that it avoids to leave a password in the swap partition.
>
> Is using pinentry via pinentry.el in Emacs similarly secure as using a
> different pinentry dialog?

There's some discussion on the matter here:

https://bugs.gnupg.org/gnupg/issue2034

I don't really care too much about security anyway, I'm more on the
level of "if I forget my laptop on the tube all my passwords shouldn't
be out in the open". So as long as they are in an encrypted file that's
all I ask :)

> Michael.

Joakim

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Michael Heerdegen]

Joakim Jalap <joakim.jalap@fastmail.com> writes:

> I don't really care too much about security anyway, I'm more on the
> level of "if I forget my laptop on the tube all my passwords shouldn't
> be out in the open". So as long as they are in an encrypted file that's
> all I ask :)

Dunno.  Maybe it's easy to extract a password for an encrypted file
from the swap partition if it is included there.

Michael.

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Lars Ingebrigtsen]

Perhaps pinentry.el and the pinentry program should be included in
Emacs?  Having this stuff work out of the box would be nice.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Daiki Ueno]

Michael Heerdegen <michael_heerdegen@web.de> writes:

> I tried pinentry.el from Gnu Elpa.  What do I need to add exactly to
> "~/.gnupg/gpg-agent.conf"?  Just "allow-emacs-pinentry" as the package's
> doc tells doesn't work.

pinentry.el requires GnuPG >= 2.1.5 and Pinentry >= 0.9.8, as mentioned
in the header comment.  Is the version requirement met on your system?

If it is all fine, try reloading the configuration with:

  gpgconf --reload gpg-agent

as gpg-agent doesn't automatically reload the configuration.

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Perhaps pinentry.el and the pinentry program should be included in
> Emacs?  Having this stuff work out of the box would be nice.

pinentry.el is actually in lisp/net/ already.  For the pinentry program,
I don't think it is feasible, since there isn't (and won't be) a way to
use a custom pinentry program from the gpg command line:
https://lists.gnupg.org/pipermail/gnupg-devel/2015-May/029862.html

Regards,
-- 
Daiki Ueno

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Lars Ingebrigtsen]

Daiki Ueno <ueno@gnu.org> writes:

> pinentry.el is actually in lisp/net/ already.  For the pinentry program,
> I don't think it is feasible, since there isn't (and won't be) a way to
> use a custom pinentry program from the gpg command line:
> https://lists.gnupg.org/pipermail/gnupg-devel/2015-May/029862.html

Hm...  I don't know much about this stuff, but I'm not sure I
understand.  :-)  There exists a program already called pinentry-emacs,
somebody said?  That allows us to enter passwords from Emacs, sort of?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Daiki Ueno]

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Daiki Ueno <ueno@gnu.org> writes:
>
>> pinentry.el is actually in lisp/net/ already.  For the pinentry program,
>> I don't think it is feasible, since there isn't (and won't be) a way to
>> use a custom pinentry program from the gpg command line:
>> https://lists.gnupg.org/pipermail/gnupg-devel/2015-May/029862.html
>
> Hm...  I don't know much about this stuff, but I'm not sure I
> understand.  :-)  There exists a program already called pinentry-emacs,
> somebody said?  That allows us to enter passwords from Emacs, sort of?

It allows you to enter passwords _only_ from Emacs.  That could be
acceptable for those who do everything in Emacs, but wouldn't for most
others.  For example, suppose one use Emacs for editing and Thunderbird
for mailing.  When he opens an encrypted mail in Thunderbird, he will be
asked passphrase from an Emacs window; I think that would be too
annoying.

Now that the upstream Pinentry has a proper diversion mechanism (Emacs
-> gnome-shell/GTK+/Qt -> curses), I don't see any benefit of
maintaining our own version of the pinentry program which only works
with Emacs.

Regards,
-- 
Daiki Ueno

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[tomas]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Feb 09, 2016 at 10:11:07AM +0100, Joakim Jalap wrote:
> Michael Heerdegen <michael_heerdegen@web.de> writes:
> 
> > Dunno.  Maybe it's easy to extract a password for an encrypted file
> > from the swap partition if it is included there.
> 
> Well, that depends on your definition of easy :) First of all it would
> require you to know that there is such a thing as a swap partition. I
> think that rules out about 99% of the people who might find my laptop on
> a train :)
> 
> But I totally understand if you want more security than that,
> personally I just think that anyone with that level of sofistication
> (can dump a swap partition and analyze it to get my password) will be
> able to hack me anyway, if they wanted to.

If that's your threat model, I'd rather recommend using encrypted
file systems (yes, swap too). Don't lose a "running" laptop.

(yes, a bit off-topic, but as a reminder that to have some grip on
those things you have to try to develop threat models you care about,
otherwise it's just waving hands: necessary at the beginning, but
not yet the point at which you should rush to implement stuff).

- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAla5qjoACgkQBcgs9XrR2kbR8wCeNujIol3Zng48OS6LXQuLUeuY
lNMAnjKk1WUX3NZpwKRRDF8gmfxeOyqJ
=PSvg
-----END PGP SIGNATURE-----

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Joakim Jalap]

Michael Heerdegen <michael_heerdegen@web.de> writes:

> Dunno.  Maybe it's easy to extract a password for an encrypted file
> from the swap partition if it is included there.

Well, that depends on your definition of easy :) First of all it would
require you to know that there is such a thing as a swap partition. I
think that rules out about 99% of the people who might find my laptop on
a train :)

But I totally understand if you want more security than that,
personally I just think that anyone with that level of sofistication
(can dump a swap partition and analyze it to get my password) will be
able to hack me anyway, if they wanted to.

Joakim

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Joakim Jalap]

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Daiki Ueno <ueno@gnu.org> writes:
>
>> pinentry.el is actually in lisp/net/ already.  For the pinentry program,
>> I don't think it is feasible, since there isn't (and won't be) a way to
>> use a custom pinentry program from the gpg command line:
>> https://lists.gnupg.org/pipermail/gnupg-devel/2015-May/029862.html

Interesting to see that discussion :) I was looking at this months ago
when I tried to get it working in Emacs, but I never really found that thread.

> Hm...  I don't know much about this stuff, but I'm not sure I
> understand.  :-)  There exists a program already called pinentry-emacs,
> somebody said?  That allows us to enter passwords from Emacs, sort of?

pinentry-emacs can be built from the pintry repo at
git.gnupg.org/pintry.git.

Together with the correct envvars set, this allows us to input passwords
from Emacs, yes :)

However this seems to be seen as a sort of hack, and it's disabled by
default on Arch Linux, FreeBSD and Debian as it seems, so I have had to
build it from source. I guess that alienates a lot of users though :/

I agree it would be nice to have this working out of the box. Figuring
out all the steps took me quite a lot of time and effort actually (I
discovered pinentry-emacs by chance while looking at some changelog
entry in the pinentry repo, I think, and the figured out what it was by
reading the configure.ac file) and I don't think it qualifies as user
friendly. The reason I decided to look it up in the first place was that
while the gtk popup diolog works fine on an X display, I wanted
something that would work in a terminal as well. And unfortunately it
seems pinentry-curses can't be run through Emacs, well I didn't manage
anyway :)

Joakim

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Lars Ingebrigtsen]

Daiki Ueno <ueno@gnu.org> writes:

> It allows you to enter passwords _only_ from Emacs.  That could be
> acceptable for those who do everything in Emacs, but wouldn't for most
> others.  For example, suppose one use Emacs for editing and Thunderbird
> for mailing.  When he opens an encrypted mail in Thunderbird, he will be
> asked passphrase from an Emacs window; I think that would be too
> annoying.

Oh, I see.  Yeah, that doesn't sound very useful in general.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Barry Fishman]

On 2016-02-09 10:54:30 +0100, Joakim Jalap wrote:
> pinentry-emacs can be built from the pintry repo at
> git.gnupg.org/pintry.git.
>
> Together with the correct envvars set, this allows us to input passwords
> from Emacs, yes :)
>
> However this seems to be seen as a sort of hack, and it's disabled by
> default on Arch Linux, FreeBSD and Debian as it seems, so I have had to
> build it from source. I guess that alienates a lot of users though :/

But it *is* enabled by default in Arch, and included as a separate
package in Fedora.

For Arch, its even part of core:

$ pacman -Ss pinentry
core/pinentry 0.9.7-1 [installed]
    Collection of simple PIN or passphrase entry dialogs which utilize the
    Assuan protocol
$ pacman -Qo /usr/bin/pinentry-emacs
/usr/bin/pinentry-emacs is owned by pinentry 0.9.7-1

--
Barry Fishman

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Joakim Jalap]

Barry Fishman <barry@ecubist.org> writes:

> On 2016-02-09 10:54:30 +0100, Joakim Jalap wrote:
>> pinentry-emacs can be built from the pintry repo at
>> git.gnupg.org/pintry.git.
>>
>> Together with the correct envvars set, this allows us to input passwords
>> from Emacs, yes :)
>>
>> However this seems to be seen as a sort of hack, and it's disabled by
>> default on Arch Linux, FreeBSD and Debian as it seems, so I have had to
>> build it from source. I guess that alienates a lot of users though :/
>
> But it *is* enabled by default in Arch, and included as a separate
> package in Fedora.
>
> For Arch, its even part of core:
>
> $ pacman -Ss pinentry
> core/pinentry 0.9.7-1 [installed]
>     Collection of simple PIN or passphrase entry dialogs which utilize the
>     Assuan protocol
> $ pacman -Qo /usr/bin/pinentry-emacs
> /usr/bin/pinentry-emacs is owned by pinentry 0.9.7-1
>
> --
> Barry Fishman

Oh cool!

Seems it was added in December last year, so that's probably after my
escapades :)

I actually mailed the maintainer of the FreeBSD port about it, and he
said he would enable it if I could get it to work, but unfortunately I
couldn't get the ports Makefile magic right :(

Joakim

Re: Password prompt inside Emacs with epg-gpg-program -> "gpg2"?

[Lele Gaifax]

Michael Heerdegen <michael_heerdegen@web.de> writes:

> since some days ago, epg-gpg-program defaults to gpg2 (when installed)
> in emacs-25.
>
> With that new default, when Gnus tries to open my "~/.authinfo.gpg", I'm
> prompted for its password in a separate popup (X) window.

While on the subject, is there any way to tell Emacs to "inject" the related
file name into that popup, or even in the minibuffer password prompt?

I often use the desktop.el facility: it may happen that I have several
gpg-encoded files open at the same time, and when restarting the Emacs session
I was prompted for a keyword for each of them, and it's been a challenge to
blindly insert the right one, having no hint about which file was being open.

Thank you,
ciao, lele.
-- 
nickname: Lele Gaifax | Quando vivrò di quello che ho pensato ieri
real: Emanuele Gaifas | comincerò ad aver paura di chi mi copia.
lele@metapensiero.it  |                 -- Fortunato Depero, 1929.