* Missing pinentry-emacs for gpg-agent?
From: Pierre Neidhardt @ 2018-03-27 6:17 UTC (permalink / raw)
To: help-guix
Somewhat surprisingly, pinentry-emacs does not seem to be in the repo.
Is it intentional? I'd love to have it back.
On a related topic, is it possible to share a gpg-agent.conf between a
Guix-based system and another system?
What I mean here is that the following line in gpg-agent.conf:
pinentry-program /home/ambrevar/.guix-profile/bin/pinentry
won't work on other systems (/usr/bin/pinentry on other systems is
somewhat more universal, but hey...).
--
Pierre Neidhardt
* Re: Missing pinentry-emacs for gpg-agent?
From: Ludovic Courtès @ 2018-03-27 9:53 UTC (permalink / raw)
To: Pierre Neidhardt; +Cc: help-guix
Pierre Neidhardt <ambrevar@gmail.com> skribis:
> Somewhat surprisingly, pinentry-emacs does not seem to be in the repo.
> Is it intentional? I'd love to have it back.
I didn’t know its existence. :-)
Please do submit a package!
https://www.gnu.org/software/guix/manual/html_node/Submitting-Patches.html
> On a related topic, is it possible to share a gpg-agent.conf between a
> Guix-based system and another system?
> What I mean here is that the following line in gpg-agent.conf:
>
> pinentry-program /home/ambrevar/.guix-profile/bin/pinentry
>
> won't work on other systems (/usr/bin/pinentry on other systems is
> somewhat more universal, but hey...).
I can’t think of any solution to that problem… apart from installing
Guix on the other systems. :-)
Ludo’.
* Re: Missing pinentry-emacs for gpg-agent?
From: Alex Kost @ 2018-03-27 15:45 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: help-guix
Ludovic Courtès (2018-03-27 11:53 +0200) wrote:
> Pierre Neidhardt <ambrevar@gmail.com> skribis:
>
>> Somewhat surprisingly, pinentry-emacs does not seem to be in the repo.
>> Is it intentional? I'd love to have it back.
>
> I didn’t know its existence. :-)
>
> Please do submit a package!
>
> https://www.gnu.org/software/guix/manual/html_node/Submitting-Patches.html
>
>> On a related topic, is it possible to share a gpg-agent.conf between a
>> Guix-based system and another system?
>> What I mean here is that the following line in gpg-agent.conf:
>>
>> pinentry-program /home/ambrevar/.guix-profile/bin/pinentry
>>
>> won't work on other systems (/usr/bin/pinentry on other systems is
>> somewhat more universal, but hey...).
>
> I can’t think of any solution to that problem… apart from installing
> Guix on the other systems. :-)
I use another solution: I just run "gpg-agent" with "--pinentry-program"
option (instead of adding "pinentry-program ..." line to the conf-file).
--
Alex
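
One way to apply the approach described in this message so that a single gpg-agent.conf can be shared between hosts, as an added example that is not part of the thread: pick the pinentry per host and pass it with --pinentry-program. The function names and the candidate list are assumptions; the ownership and permission check is an extra precaution added here because pinentry handles the passphrase.

```shell
#!/bin/sh
# Added example (not from the thread): select a pinentry per host so that
# gpg-agent.conf needs no absolute "pinentry-program" line.

# is_trusted_binary FILE
# Succeeds only if FILE, after following symlinks (Guix profile entries are
# links into the store), is an executable regular file owned by root or the
# current user and not writable by group or others. Pinentry receives the
# passphrase, so a binary that another account could replace is rejected.
is_trusted_binary() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    out=$(find -L "$1" -prune \( -user 0 -o -user "$(id -u)" \) \
              ! -perm -020 ! -perm -002 -print)
    [ -n "$out" ]
}

# pick_pinentry CANDIDATE...
# Prints the first candidate that passes is_trusted_binary; fails if none do.
pick_pinentry() {
    for candidate in "$@"; do
        if is_trusted_binary "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# start_agent (hypothetical wrapper, meant to be called from a login script)
# Tries the Guix profile path quoted in the thread first, then /usr/bin.
start_agent() {
    pinentry=$(pick_pinentry \
        "$HOME/.guix-profile/bin/pinentry" \
        /usr/bin/pinentry) || {
        echo "start_agent: no trusted pinentry found" >&2
        return 1
    }
    gpg-agent --daemon --pinentry-program "$pinentry"
}
```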
* Re: Missing pinentry-emacs for gpg-agent?
From: Oleg Pykhalov @ 2018-03-27 15:50 UTC (permalink / raw)
To: Pierre Neidhardt; +Cc: help-guix
ludo@gnu.org (Ludovic Courtès) writes:
> Pierre Neidhardt <ambrevar@gmail.com> skribis:
>
>> Somewhat surprisingly, pinentry-emacs does not seem to be in the repo.
>> Is it intentional? I'd love to have it back.
>
> I didn’t know its existence. :-)
I'm sorry to steal a potential contribution to Guix, but you could try:
‘M-x view-emacs-news’:
* New Modes and Packages in Emacs 25.1
** pinentry.el allows GnuPG passphrase to be prompted through the
minibuffer instead of a graphical dialog, depending on whether the
gpg command is called from Emacs (i.e., INSIDE_EMACS environment
variable is set). This feature requires newer versions of GnuPG
(2.1.5 or later) and Pinentry (0.9.5 or later). To use this
feature, add "allow-emacs-pinentry" to "~/.gnupg/gpg-agent.conf" and
reload the configuration with "gpgconf --reload gpg-agent".
[…]
Oleg.
* Re: Missing pinentry-emacs for gpg-agent?
From: Pierre Neidhardt @ 2018-03-27 18:28 UTC (permalink / raw)
To: Oleg Pykhalov; +Cc: help-guix
Oleg Pykhalov <go.wigust@gmail.com> writes:
> I'm sorry to steal a potential contribution to Guix, but you could try:
>
> ‘M-x view-emacs-news’:
>
> * New Modes and Packages in Emacs 25.1
>
> ** pinentry.el allows GnuPG passphrase to be prompted through the
> minibuffer instead of a graphical dialog, depending on whether the
> gpg command is called from Emacs (i.e., INSIDE_EMACS environment
> variable is set). This feature requires newer versions of GnuPG
> (2.1.5 or later) and Pinentry (0.9.5 or later). To use this
> feature, add "allow-emacs-pinentry" to "~/.gnupg/gpg-agent.conf" and
> reload the configuration with "gpgconf --reload gpg-agent".
Unless I'm mistaken, this won't work without pinentry-emacs when gpg is
used to decrypt data, e.g. `gpg -d FILE`. I do not know about an
INSIDE_EMACS environment variable. How is it set?
--
Pierre Neidhardt
* Re: Missing pinentry-emacs for gpg-agent?
From: Vladimir Sedach @ 2018-03-27 20:22 UTC (permalink / raw)
To: Oleg Pykhalov; +Cc: help-guix
> I'm sorry to steal a potential contribution to Guix, but you could try:
>
> ‘M-x view-emacs-news’:
>
> * New Modes and Packages in Emacs 25.1
>
> ** pinentry.el allows GnuPG passphrase to be prompted through the
> minibuffer instead of a graphical dialog, depending on whether the
> gpg command is called from Emacs (i.e., INSIDE_EMACS environment
> variable is set). This feature requires newer versions of GnuPG
> (2.1.5 or later) and Pinentry (0.9.5 or later). To use this
> feature, add "allow-emacs-pinentry" to "~/.gnupg/gpg-agent.conf" and
> reload the configuration with "gpgconf --reload gpg-agent".
The two work together, and using pinentry-emacs in my experience seems
to be the only reliable way to have pinentry work with the Emacs
minibuffer.
With pinentry-curses and allow-emacs-pinentry and
allow-loopback-pinentry gpg-agent options, I would still have
gpg-agent prompt for the passphrase in a curses box on the Linux
virtual terminal when running Emacs in X on Debian, whenever the agent
cache TTL would expire (so it would prompt in the minibuffer when
first started, then would prompt in the VT where X was started from on
later attempts).
pinentry-emacs is part of the standard pinentry sources, but its build
is disabled by default. Apparently everyone thinks that Emacs is a
"significant security risk," so no distributions seem to ship it. Here
is a discussion about the issue in Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854797
To me the arguments presented in that discussion against
pinentry-emacs are total nonsense. Any other software the user loads
or that gets compromised to allow remote execution can query gpg-agent
and read all your encrypted files. Same deal with installing an X11
key logger to capture the secret key passphrase. Some of the arguments
are just bogus (e.g., "/tmp/emacs$UID/pinentry is not a sensible
choice of paths, since it is within a world-writable directory" <- has
that person ever heard of mktemp?).
My recommendation, as a heavy user of Emacs and GPG, is for Guix to
build pinentry with --enable-pinentry-emacs, which provides the
pinentry-emacs executable as an option for users.
Vladimir
* Re: Missing pinentry-emacs for gpg-agent?
From: Pierre Neidhardt @ 2018-03-28 4:49 UTC (permalink / raw)
To: Vladimir Sedach; +Cc: help-guix
Vladimir Sedach <vas@oneofus.la> writes:
> Apparently everyone thinks that Emacs is a "significant security
> risk," so no distributions seem to ship it.
Well, at least Arch Linux, Gentoo and Void Linux ship it!
Not that uncommon!
I agree with all your other points.
--
Pierre Neidhardt
* Re: Missing pinentry-emacs for gpg-agent?
From: Oleg Pykhalov @ 2018-03-28 7:04 UTC (permalink / raw)
To: Pierre Neidhardt; +Cc: help-guix
Pierre Neidhardt <ambrevar@gmail.com> writes:
> Well, at least Arch Linux, Gentoo and Void Linux ship it!
> Not that uncommon!
Then could you add a flag Vladimir talked about and send a patch? ;-)
See https://www.gnu.org/software/guix/manual/html_node/Contributing.html
Thanks,
Oleg.
* Re: Missing pinentry-emacs for gpg-agent?
From: Pierre Neidhardt @ 2018-03-28 7:17 UTC (permalink / raw)
To: Oleg Pykhalov; +Cc: help-guix
Oleg Pykhalov <go.wigust@gmail.com> writes:
> Then could you add a flag Vladimir talked about and send a patch? ;-)
What about a separate package? E.g.
  (define-public pinentry-emacs
    (package
      (inherit pinentry-tty)
      (name "pinentry-emacs")
      (inputs
       `(("emacs" ,emacs)
         ,@(package-inputs pinentry-tty)))
      (arguments
       `(#:configure-flags '("--enable-pinentry-emacs")))
      (description
       "Pinentry provides a console and an Emacs interface that allows users to
  enter a passphrase when required by @code{gpg} or other software.")))
I haven't delved into packaging so far. I have read the manual but I'm
unsure about the best practice for local hacking.
I have set GUIX_PACKAGE_PATH=~/.guix-packages, then
> cp ~/.config/guix/latest/gnu/packages/gnupg.scm ~/.guix-packages/
> chmod +w ~/.guix-packages/
Then add the above to the file, plus a
  #:use-module (gnu packages emacs)
at the beginning.
Now if I do
> guix package -s pinentry-emacs
guix package: warning: failed to load '(gnupg)':
no code for module (gnupg)
name: pinentry-emacs
version: 1.1.0
outputs: out
systems: x86_64-linux i686-linux armhf-linux aarch64-linux mips64el-linux
dependencies: emacs-25.3 libassuan-2.5.1 libsecret-0.18.5 ncurses-6.0-20170930
+ pkg-config-0.29.2
location: /home/ambrevar/.guix-packages/gnupg.scm:991:2
homepage: https://gnupg.org/aegypten2/
license: GPL 2+
synopsis: GnuPG's interface to passphrase input
description: Pinentry provides a console and an Emacs interface that allows users to enter a
+ passphrase when required by `gpg' or other software.
relevance: 4
Notice the error at the beginning:
guix package: warning: failed to load '(gnupg)':
no code for module (gnupg)
I don't understand this.
That said, is this the commended way to proceed? Or should I work from
a local checkout of guix? What about the value of GUIX_PACKAGE_PATH then?
--
Pierre Neidhardt
* Re: Missing pinentry-emacs for gpg-agent?
From: Pierre Neidhardt @ 2018-03-28 8:29 UTC (permalink / raw)
To: Oleg Pykhalov; +Cc: help-guix
Thinking more about it, wouldn't it make more sense to use several
outputs instead of several packages?
Is it possible to specify additional inputs for specific outputs?
--
Pierre Neidhardt
* Re: Missing pinentry-emacs for gpg-agent?
From: Oleg Pykhalov @ 2018-03-29 7:23 UTC (permalink / raw)
To: Pierre Neidhardt; +Cc: help-guix
Pierre Neidhardt <ambrevar@gmail.com> writes:
[…]
> What about a separate package? E.g.
>
>   (define-public pinentry-emacs
>     (package
>       (inherit pinentry-tty)
>       (name "pinentry-emacs")
>       (inputs
>        `(("emacs" ,emacs)
>          ,@(package-inputs pinentry-tty)))
>       (arguments
>        `(#:configure-flags '("--enable-pinentry-emacs")))
>       (description
>        "Pinentry provides a console and an Emacs interface that allows users to
>   enter a passphrase when required by @code{gpg} or other software.")))
Looks like what ‘pinentry-gtk2’, ‘pinentry-gnome3’, ‘pinentry-qt’ do.
I think it's a way to go.
> I haven't delved into packaging so far. I have read the manual but I'm
> unsure about the best practice for local hacking.
To prepare a patch you should have a Guix from a Git checkout [1].
You could still just send a package recipe in plain text.
> I have set GUIX_PACKAGE_PATH=~/.guix-packages, then
>
> > cp ~/.config/guix/latest/gnu/packages/gnupg.scm ~/.guix-packages/
> > chmod +w ~/.guix-packages/gnupg.scm
                              ^^^^^^^^^
You probably mean this. ;-)
> Then add the above to the file
Sorry, I don't understand what you mean.
Do you mean ‘#:use-module (gnu packages gnupg)’?
[…]
> Now if I do
>
> > guix package -s pinentry-emacs
> guix package: warning: failed to load '(gnupg)':
> no code for module (gnupg)
> name: pinentry-emacs
> version: 1.1.0
> outputs: out
> systems: x86_64-linux i686-linux armhf-linux aarch64-linux mips64el-linux
> dependencies: emacs-25.3 libassuan-2.5.1 libsecret-0.18.5 ncurses-6.0-20170930
> + pkg-config-0.29.2
> location: /home/ambrevar/.guix-packages/gnupg.scm:991:2
> homepage: https://gnupg.org/aegypten2/
> license: GPL 2+
> synopsis: GnuPG's interface to passphrase input
> description: Pinentry provides a console and an Emacs interface that allows users to enter a
> + passphrase when required by `gpg' or other software.
> relevance: 4
>
> Notice the error at the beginning:
>
> guix package: warning: failed to load '(gnupg)':
> no code for module (gnupg)
>
> I don't understand this.
You want to name your Guile module properly [2]. In case of
‘GUIX_PACKAGE_PATH=$HOME/.guix-packages’:
(define-module (gnupg) …)
> That said, is this the commended way to proceed?
Sorry, I don't fully understand the question. As far as I understand,
the answer is you could use ‘GUIX_PACKAGE_PATH’ to have recipes that
cannot be in the Guix package collection for some reason, e.g. recipes
customized for your own purposes. It's not the case of ‘pinentry-emacs’. ;-)
> Or should I work from a local checkout of guix?
Local checkout allows you to prepare patches and use ‘guix’ without ‘guix
pull’. If you plan to contribute more it's definitely worth having.
[…]
[1] https://www.gnu.org/software/guix/manual/html_node/Building-from-Git.html
[2] https://www.gnu.org/software/guile/manual/html_node/Using-the-Guile-Module-System.html
Thanks,
Oleg.
* Re: Missing pinentry-emacs for gpg-agent?
From: Pierre Neidhardt @ 2018-03-29 8:44 UTC (permalink / raw)
To: Oleg Pykhalov; +Cc: help-guix
Oleg Pykhalov <go.wigust@gmail.com> writes:
>> > cp ~/.config/guix/latest/gnu/packages/gnupg.scm ~/.guix-packages/
>> > chmod +w ~/.guix-packages/gnupg.scm
>> [...]
>> Then add the above to the file
>
> Sorry, I don't understand what you mean.
I meant adding the ~(define-public ... (package...))~ I quoted to the
new gnupg.scm file.
> Do you mean ‘#:use-module (gnu packages gnupg)’?
No. For now I just wanted to do some out-of-tree hacking, as a first
step towards contributing to Guix.
What I had in mind:
1. Copy gnupg.scm.
2. Modify it to add the new recipe plus the new use-module requirements.
3. Build.
I understand it's not how Guix is meant to be patched, I'll go on with a
proper checkout next.
That said, the new ~define-module~ is as follows:
  (define-module (gnu packages gnupg)
    #:use-module ((guix licenses) #:prefix license:)
    #:use-module (gnu packages)
    #:use-module (gnu packages emacs) ; NEW
    ...
>> Now if I do
>>
>> > guix package -s pinentry-emacs
>> guix package: warning: failed to load '(gnupg)':
>> no code for module (gnupg)
>> name: pinentry-emacs
>> version: 1.1.0
>> outputs: out
>> systems: x86_64-linux i686-linux armhf-linux aarch64-linux mips64el-linux
>> dependencies: emacs-25.3 libassuan-2.5.1 libsecret-0.18.5 ncurses-6.0-20170930
>> + pkg-config-0.29.2
>> location: /home/ambrevar/.guix-packages/gnupg.scm:991:2
>> homepage: https://gnupg.org/aegypten2/
>> license: GPL 2+
>> synopsis: GnuPG's interface to passphrase input
>> description: Pinentry provides a console and an Emacs interface that allows users to enter a
>> + passphrase when required by `gpg' or other software.
>> relevance: 4
>>
>> Notice the error at the beginning:
>>
>> guix package: warning: failed to load '(gnupg)':
>> no code for module (gnupg)
>>
>> I don't understand this.
>
> You want to name your Guile module properly [2]. In case of
> ‘GUIX_PACKAGE_PATH=$HOME/.guix-packages’:
>
> (define-module (gnupg) …)
So ~(define-module (gnu packages gnupg)...)~ means the package must lie
in a "gnu/packages/gnupg.scm" file. Did not know that, I assumed the
namespace was detached from
> [2] https://www.gnu.org/software/guile/manual/html_node/Using-the-Guile-Module-System.html
The manual you linked shows examples of paths linked to the namespaces.
But I can't seem to find where it states that it is a requirement.
I always thought this requirement on path-linked namespaces (that we
find in many languages) to be redundant.
> Local checkout allows you to prepare patches and use ‘guix’ without ‘guix
> pull’. If you plan to contribute more it's definitely worth having.
Will do just now.
Thanks a lot for your help.
--
Pierre Neidhardt
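
Why the warning discussed in this thread appears, as an added example that is not part of the thread: Guix derives a module name from each file's path under GUIX_PACKAGE_PATH, so a top-level gnupg.scm is loaded as (gnupg) while the copied file still declares (gnu packages gnupg). The function names are hypothetical, and the script assumes the define-module form and its module name sit on one line and that ROOT is given without a trailing slash.

```shell
#!/bin/sh
# Added example (not from the thread): report .scm files under a
# GUIX_PACKAGE_PATH directory whose declared module name does not match
# the name implied by their location.

# expected_module ROOT FILE
# Module name implied by FILE's path relative to ROOT,
# e.g. ROOT/gnu/packages/gnupg.scm -> (gnu packages gnupg)
expected_module() {
    rel=${2#"$1"/}
    rel=${rel%.scm}
    printf '(%s)\n' "$(printf '%s' "$rel" | tr '/' ' ')"
}

# declared_module FILE
# Module name written in the first "(define-module (...)" line of FILE.
declared_module() {
    sed -n 's/^[[:space:]]*(define-module[[:space:]]\{1,\}\(([^)]*)\).*/\1/p' "$1" |
        head -n 1
}

# check_module ROOT FILE
# Succeeds when the declared and the path-derived names agree.
check_module() {
    want=$(expected_module "$1" "$2")
    have=$(declared_module "$2")
    if [ "$want" = "$have" ]; then
        echo "ok: $2 defines $have"
    else
        echo "mismatch: $2 is loaded as $want but defines ${have:-nothing}"
        return 1
    fi
}

# check_tree ROOT
# Runs check_module on every .scm file below ROOT; fails if any mismatch.
check_tree() {
    find "$1" -type f -name '*.scm' | (
        bad=0
        while IFS= read -r f; do
            check_module "$1" "$f" || bad=1
        done
        exit "$bad"
    )
}
```

Running `check_tree ~/.guix-packages` on the layout from the thread reports the mismatch; moving the file to gnu/packages/gnupg.scm below that directory, or renaming the module to (gnupg), makes the two names agree.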