From: Vladimir Sedach
Subject: Re: Missing pinentry-emacs for gpg-agent?
Date: Tue, 27 Mar 2018 13:22:23 -0700
Message-ID: <874ll11d6o.fsf@oneofus.la>
In-reply-to: <87d0zpecv3.fsf@gmail.com>
To: Oleg Pykhalov
Cc: help-guix

> I'm sorry to steal a potential contribution to Guix, but you could try:
>
> ‘M-x view-emacs-news’:
>
> * New Modes and Packages in Emacs 25.1
>
> ** pinentry.el allows GnuPG passphrase to be prompted through the
> minibuffer instead of a graphical dialog, depending on whether the
> gpg command is called from Emacs (i.e., INSIDE_EMACS environment
> variable is set). This feature requires newer versions of GnuPG
> (2.1.5 or later) and Pinentry (0.9.5 or later). To use this
> feature, add "allow-emacs-pinentry" to "~/.gnupg/gpg-agent.conf" and
> reload the configuration with "gpgconf --reload gpg-agent".
The two work together, and using pinentry-emacs in my experience seems to be the only reliable way to have pinentry work with the Emacs minibuffer. With pinentry-curses and the allow-emacs-pinentry and allow-loopback-pinentry gpg-agent options, I would still have gpg-agent prompt for the passphrase in a curses box on the Linux virtual terminal when running Emacs in X on Debian, whenever the agent cache TTL would expire (so it would prompt in the minibuffer when first started, then would prompt in the VT where X was started from on later attempts).

pinentry-emacs is part of the standard pinentry sources, but its build is disabled by default. Apparently everyone thinks that Emacs is a "significant security risk," so no distributions seem to ship it. Here is a discussion about the issue in Debian:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854797

To me the arguments presented in that discussion against pinentry-emacs are total nonsense. Any other software the user loads or that gets compromised to allow remote execution can query gpg-agent and read all your encrypted files. Same deal with installing an X11 key logger to capture the secret key passphrase. Some of the arguments are just bogus (e.g., "/tmp/emacs$UID/pinentry is not a sensible choice of paths, since it is within a world-writable directory" <- has that person ever heard of mktemp?).

My recommendation, as a heavy user of Emacs and GPG, is for Guix to build pinentry with --enable-pinentry-emacs, which provides the pinentry-emacs executable as an option for users.

Vladimir
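A small audit script for the gpg-agent.conf setup this thread describes (allow-emacs-pinentry plus a pinentry-program that is the pinentry-emacs binary), added here as an example and not code from the thread or from Guix; the default config path it probes and the "option [value]" line layout it parses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a gpg-agent.conf for the
# minibuffer-pinentry setup discussed above. Assumes the usual layout of
# one "option [value]" per line with "#" comment lines.

# Exit 0 when the flag OPTION appears uncommented in CONF.
has_agent_option() { # $1 = conf file, $2 = option name
    awk -v opt="$2" '$1 == opt { found = 1 } END { exit !found }' "$1"
}

# Print the value of the last uncommented OPTION line in CONF (empty if unset).
agent_option_value() { # $1 = conf file, $2 = option name
    awk -v opt="$2" '$1 == opt { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
                     END { print val }' "$1"
}

# Report the two settings the thread combines and exit 0 only when both are
# in place: allow-emacs-pinentry (so pinentry.el may answer the prompt) and a
# pinentry-program naming the pinentry-emacs binary. Any other pinentry
# (e.g. pinentry-curses) is the combination the author saw fall back to a VT.
emacs_pinentry_ready() { # $1 = conf file
    ready=0
    if has_agent_option "$1" allow-emacs-pinentry; then
        echo "ok: allow-emacs-pinentry is set"
    else
        echo "missing: allow-emacs-pinentry (needed by pinentry.el, Emacs 25.1+)"
        ready=1
    fi
    prog=$(agent_option_value "$1" pinentry-program)
    case "$prog" in
        pinentry-emacs|*/pinentry-emacs)
            echo "ok: pinentry-program is $prog" ;;
        "") echo "note: no pinentry-program, so gpg-agent uses its default pinentry"
            ready=1 ;;
        *)  echo "note: pinentry-program is $prog, not pinentry-emacs"
            ready=1 ;;
    esac
    [ "$ready" -eq 0 ] || echo "after editing $1, run: gpgconf --reload gpg-agent"
    return "$ready"
}

# Stand-alone use: audit the live config when present (assumed default path).
conf="${GNUPGHOME:-${HOME:-/nonexistent}/.gnupg}/gpg-agent.conf"
if [ -r "$conf" ]; then
    emacs_pinentry_ready "$conf" || :
fi
```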