About the removal of pinentry.el

About the removal of pinentry.el

Nicolas Petton-2
Hi,

I wonder why pinentry.el was removed.  I did read the NEWS info about
it, but unless I'm missing something, setting epa-pinentry-mode to
loopback and using pinentry-emacs are two different things.

With the gpg-agent configured to use pinentry-emacs, when using gpg from
external programs the passphrase is asked from within Emacs.

However, AFAIK, setting epa-pinentry-mode to loopback will only make use
of Emacs when used from within Emacs.

For instance, with pinentry-emacs, when evaluating `echo "foo" | gpg -s`
from a terminal like xterm, the passphrase is asked inside of Emacs
(instead of using another pinentry like pinentry-gtk).

Maybe I'm missing something?

Cheers,
Nico


Re: About the removal of pinentry.el

Eli Zaretskii
> From: Nicolas Petton <[hidden email]>
> Date: Mon, 08 Jan 2018 22:16:40 +0100
>
> I wonder why pinentry.el was removed.  I did read the NEWS info about
> it, but unless I'm missing something, setting epa-pinentry-mode to
> loopback and using pinentry-emacs are two different things.

Where do you see a reference to pinentry-emacs in NEWS?  Or maybe I'm
missing something obvious here.


Re: About the removal of pinentry.el

Nicolas Petton-2
Eli Zaretskii <[hidden email]> writes:

> Where do you see a reference to pinentry-emacs in NEWS?  Or maybe I'm
> missing something obvious here.

Isn't pinentry-emacs only working when the pinentry service has been
started with `pinentry-start' (which was defined in pinentry.el)?

Nico


Re: About the removal of pinentry.el

Eli Zaretskii
> From: Nicolas Petton <[hidden email]>
> Cc: [hidden email]
> Date: Mon, 08 Jan 2018 22:45:00 +0100
>
> Eli Zaretskii <[hidden email]> writes:
>
> > Where do you see a reference to pinentry-emacs in NEWS?  Or maybe I'm
> > missing something obvious here.
>
> Isn't pinentry-emacs only working when the pinentry service has been
> started with `pinentry-start' (which was defined in pinentry.el)?

Once again, the NEWS entry doesn't mention pinentry-emacs at all.  So
I wonder what is it that I'm missing here.

AFAIU, the NEWS entry just says that pinentry.el and the related
features are not needed with GnuPG >= 2.1, and are not very useful
with GnuPG < 2.1.  That's why we removed it: its only effect was to
confuse users.


Re: About the removal of pinentry.el

Nicolas Petton-2
Eli Zaretskii <[hidden email]> writes:

Hi Eli,

I'm putting Daiki Ueno in Cc.

> Once again, the NEWS entry doesn't mention pinentry-emacs at all.

That's why I mentioned it here.  My thought was that pinentry.el might
have been removed while it is still a useful package.

> So I wonder what is it that I'm missing here.

I think that pinentry.el is still useful today for pinentry-emacs, when
configuring gpg-agent to use it.

> AFAIU, the NEWS entry just says that pinentry.el and the related
> features are not needed with GnuPG >= 2.1

Maybe pinentry-emacs can work without pinentry.el, and I'm not aware of
that?

Cheers,
Nico


Re: About the removal of pinentry.el

Daiki Ueno-4
Nicolas Petton <[hidden email]> writes:

>> Once again, the NEWS entry doesn't mention pinentry-emacs at all.
>
> That's why I mentioned it here.  My thought was that pinentry.el might
> have been removed while it is still a useful package.
>
>> So I wonder what is it that I'm missing here.
>
> I think that pinentry.el is still useful today for pinentry-emacs, when
> configuring gpg-agent to use it.

It still works, but I don't think it's useful today, given that
epa-pinentry-mode 'loopback exists.  I would suggest the GnuPG upstream
to drop pinentry-emacs and any support for it in GnuPG itself.

Nevertheless, I admit I misremembered as if the package was added in
Emacs 26; it was actually added in 25.  So it might be safer to
restore it under obsolete, although it is also available on ELPA:
http://elpa.gnu.org/packages/pinentry.html

>> AFAIU, the NEWS entry just says that pinentry.el and the related
>> features are not needed with GnuPG >= 2.1
>
> Maybe pinentry-emacs can work without pinentry.el, and I'm not aware of
> that?

No.

Regards,
--
Daiki Ueno


Re: About the removal of pinentry.el

Nicolas Petton-2
Daiki Ueno <[hidden email]> writes:

> It still works, but I don't think it's useful today, given that
> epa-pinentry-mode 'loopback exists.

It is at least really useful to me :-)  I'm calling gpg outside of Emacs
a lot.

Correct me if I'm wrong, but setting epa-pinentry-mode to 'loopback
won't have any effect if I evaluate:

  (shell-command-to-string "echo 'foo' | gpg -s")

> I would suggest the GnuPG upstream to drop pinentry-emacs and any
> support for it in GnuPG itself.

That'd be a shame IMO, I use pinentry-emacs daily.

> Nevertheless, I admit I misremembered as if the package was added in
> Emacs 26; it was actually added in 25.  So it might be safer to
> restore it under obsolete, although it is also available on ELPA:
> http://elpa.gnu.org/packages/pinentry.html

Is the ELPA version the same as the one in Emacs?

Nico


Re: About the removal of pinentry.el

John Wiegley-6
>>>>> "NP" == Nicolas Petton <[hidden email]> writes:

>> Nevertheless, I admit I misremembered as if the package was added in Emacs
>> 26; it was actually added in 25. So it might be safer to restore it under
>> obsolete, although it is also available on ELPA:
>> http://elpa.gnu.org/packages/pinentry.html

NP> Is the ELPA version the same as the one in Emacs?

I would prefer this be moved to ELPA; would that work for you Nicolas?

--
John Wiegley                  GPG fingerprint = 4710 CF98 AF9B 327B B80F
http://newartisans.com                          60E1 46C4 BD1A 7AC1 4BA2


Re: About the removal of pinentry.el

Nicolas Petton-2
John Wiegley <[hidden email]> writes:

> I would prefer this be moved to ELPA; would that work for you Nicolas?

It's already in ELPA, and that would be fine with me, if we don't make
it obsolete, and if we don't suggest the GnuPG maintainers to drop
support for Emacs.

Nico


Re: About the removal of pinentry.el

Nicolas Petton-2
In reply to this post by John Wiegley-6
John Wiegley <[hidden email]> writes:

> I would prefer this be moved to ELPA; would that work for you Nicolas?

I guess we should change the NEWS entry then as well?

Nico


Re: About the removal of pinentry.el

John Wiegley-6
>>>>> Nicolas Petton <[hidden email]> writes:

>> I would prefer this be moved to ELPA; would that work for you Nicolas?

> I guess we should change the NEWS entry then as well?

Sounds like it.

--
John Wiegley                  GPG fingerprint = 4710 CF98 AF9B 327B B80F
http://newartisans.com                          60E1 46C4 BD1A 7AC1 4BA2


Re: About the removal of pinentry.el

Matthew Carter-3
John Wiegley <[hidden email]> writes:

>>>>>> Nicolas Petton <[hidden email]> writes:
>
>>> I would prefer this be moved to ELPA; would that work for you Nicolas?
>
>> I guess we should change the NEWS entry then as well?
>
> Sounds like it.

I'm not sure if this is the direct cause, but I built 26.0.x
and 27.0.50 from source last night, and my use case seems to have broken,
as compared to how things function under the shipped Emacs 25.x.x in Arch Linux.

My previous use case/configuration was as follows:

In ~/.gnupg/gpg-agent.conf I had the following (gpg v2.1):

allow-emacs-pinentry
pinentry-program /usr/bin/pinentry-curses

I did *not* have the epa-pinentry-mode set to 'loopback in Emacs.

I would be able to run: "epa-decrypt-file ~/.mailpass.gpg /dev/null" in
an Eshell session (a file signed with my secret key) and be prompted by
the readpasswd prompt in Emacs to decrypt the file (this is with Emacs
in tty mode).  

With the Emacs 26/27 builds, instead of prompting, it would call up the
curses input (likewise for any of the GUI inputs if using an X session).

Changing to epa-pinentry-mode 'loopback did not change this behavior for
epa-decrypt-file, however it did change it for a symmetric decryption of
~/.authinfo.gpg when I called M-x gnus (perhaps gnus uses a different
decryption call?)

Can anyone suggest a way in which I can retain the functionality of
having Emacs decrypt gpg files while running a system without an X session?

FWIW, I have a setenv call setting GPG_AGENT_INFO to empty string as
well (removing did not have an effect).


--
Matthew Carter ([hidden email])
http://ahungry.com


Re: About the removal of pinentry.el

Nicolas Petton-2
In reply to this post by John Wiegley-6
John Wiegley <[hidden email]> writes:

> Sounds like it.

I updated the package on ELPA with the changes from the Emacs
repository.

What about the following NEWS entry?

  ** The pinentry.el library has been removed.
  The package is still available through ELPA.  With 'epa-pinentry-mode'
  set to the symbol 'loopback', epa can now redirect Pinentry queries to
  Emacs instead of an external Pinentry program.
 
  pinentry.el is still useful together with the 'pinentry-emacs' program
  to always use Emacs minibuffer to prompt for passphrases, even when
  using GnuPG outside of Emacs.
 
  Note that previously, it was said that passphrase input through
  minibuffer would be much less secure than other graphical pinentry
  programs.  However, these days the difference is insignificant: the
  'read-password' function sufficiently protects input from leakage to
  message logs.  Emacs still doesn't use secure memory to protect
  passphrases, but it was also removed from other pinentry programs as
  the attack is unrealistic on modern computer systems which don't
  utilize swap memory usually.

Cheers,
Nico


Re: About the removal of pinentry.el

Eli Zaretskii
> From: Nicolas Petton <[hidden email]>
> Cc: Daiki Ueno <[hidden email]>, Eli Zaretskii <[hidden email]>, [hidden email]
> Date: Tue, 16 Jan 2018 14:19:05 +0100
>
> I updated the package on ELPA with the changes from the Emacs
> repository.
>
> What about the following NEWS entry?

It's okay, but I'd prefer not to remove the paragraph that explained
why the package was removed.  Without it the removal sounds rather
arbitrary.

Thanks.


Re: About the removal of pinentry.el

Nicolas Petton-2
Eli Zaretskii <[hidden email]> writes:

> It's okay, but I'd prefer not to remove the paragraph that explained
> why the package was removed.  Without it the removal sounds rather
> arbitrary.

It does say that epa-pinentry-mode can now be set to loopback in which
case pinentry.el is not needed anymore for epa to use Emacs' minibuffer
to prompt for passphrases.


Re: About the removal of pinentry.el

Eli Zaretskii
> From: Nicolas Petton <[hidden email]>
> Cc: [hidden email], [hidden email], [hidden email]
> Date: Tue, 16 Jan 2018 18:16:54 +0100
>
> > It's okay, but I'd prefer not to remove the paragraph that explained
> > why the package was removed.  Without it the removal sounds rather
> > arbitrary.
>
> It does say that epa-pinentry-mode can now be set to loopback in which
> case pinentry.el is not needed anymore for epa to use Emacs' minibuffer
> to prompt for passphrases.

Yes, but that's just part of the story, and it isn't immediately
apparent how that explains the removal.


Re: About the removal of pinentry.el

Filipp Gunbin
In reply to this post by Nicolas Petton-2
Nicolas, thanks for your work.

Maybe explicitly mention in NEWS that `allow-emacs-pinentry' in
gpg-agent.conf is now not needed for epa queries inside Emacs?

For those who continue to use pinentry.el for gpg usage outside emacs -
pinentry package mentions that setting.

Filipp
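
The two prompt paths contrasted in this thread, as an added example that is not part of any message above and is not code from Emacs or pinentry.el: loopback for gpg started by Emacs, and `allow-emacs-pinentry` plus `pinentry-start` for gpg started elsewhere. The `my/` function names are hypothetical; it assumes the pinentry package is installed from GNU ELPA and that gpg-agent.conf lives under $GNUPGHOME or ~/.gnupg.

```elisp
;;; Added example, not from any message in this thread.
;;; Names prefixed my/ are hypothetical.

(defun my/gpg-agent-allows-emacs-pinentry-p (&optional conf-file)
  "Return non-nil if CONF-FILE enables `allow-emacs-pinentry'.
CONF-FILE defaults to gpg-agent.conf under $GNUPGHOME or ~/.gnupg."
  (let ((file (or conf-file
                  (expand-file-name "gpg-agent.conf"
                                    (or (getenv "GNUPGHOME") "~/.gnupg")))))
    (and (file-readable-p file)
         (with-temp-buffer
           (insert-file-contents file)
           (goto-char (point-min))
           ;; Match the option on a line of its own; commented-out
           ;; lines ("# allow-emacs-pinentry") do not count.
           (and (re-search-forward "^[ \t]*allow-emacs-pinentry[ \t]*$" nil t)
                t)))))

(defun my/setup-gpg-passphrase-prompts ()
  "Route GnuPG passphrase prompts to the minibuffer.
Return a list naming the paths configured: `loopback', `pinentry'."
  (let ((paths '()))
    ;; Path 1: gpg started by Emacs itself (epa/epg), GnuPG >= 2.1.
    ;; Does not involve pinentry.el or gpg-agent.conf.
    (setq epa-pinentry-mode 'loopback)
    (push 'loopback paths)
    ;; Path 2: gpg started outside Emacs.  Needs the agent option and
    ;; the pinentry package (GNU ELPA) serving prompts from this Emacs.
    (cond
     ((not (my/gpg-agent-allows-emacs-pinentry-p))
      (message "gpg-agent.conf lacks allow-emacs-pinentry; external gpg will use the agent's own pinentry"))
     ((not (require 'pinentry nil t))
      (message "pinentry package not installed; get it from GNU ELPA"))
     (t (pinentry-start)
        (push 'pinentry paths)))
    (nreverse paths)))
```

After adding `allow-emacs-pinentry` to gpg-agent.conf, reload the agent with `gpgconf --reload gpg-agent` before calling `my/setup-gpg-passphrase-prompts`.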