
Password prompt inside Emacs with epg-gpg-program -> "gpg2"?


Michael Heerdegen

Feb 8, 2016, 9:44:38 AM2/8/16
to Emacs mailing list, Lars Ingebrigtsen
Hi,

since some days ago, epg-gpg-program defaults to gpg2 (when installed)
in emacs-25.

With that new default, when Gnus tries to open my "~/.authinfo.gpg", I'm
prompted for its password in a separate popup (X) window. With
epg-gpg-program -> "gpg", Emacs itself prompted for the password. That's
the behavior I prefer.

Is there any way to get the old behavior back?


Thanks,

Michael.

Teemu Likonen

Feb 8, 2016, 10:10:27 AM2/8/16
to Michael Heerdegen, Emacs mailing list, Lars Ingebrigtsen
Michael Heerdegen [2016-02-08 15:44:19+01] wrote:

> since some days ago, epg-gpg-program defaults to gpg2 (when installed)
> in emacs-25.
>
> With that new default, when Gnus tries to open my "~/.authinfo.gpg",
> I'm prompted for its password in a separate popup (X) window. With
> epg-gpg-program -> "gpg", Emacs itself prompted for the password.
> That's the behavior I prefer.

The present and the future of GPG (version 2.x and above) is to use
gpg-agent and pinentry. I think there's no way to escape that. And it's
better. But it seems that there are pinentry implementation(s) for
Emacs. There is one in GNU Elpa and I also found this:

https://github.com/ecraven/pinentry-emacs

--
/// Teemu Likonen - .-.. <https://github.com/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///

Michael Heerdegen

Feb 8, 2016, 10:39:31 AM2/8/16
to Teemu Likonen, Emacs mailing list, ue...@gnu.org, Lars Ingebrigtsen
Teemu Likonen <tlik...@iki.fi> writes:

> The present and the future of GPG (version 2.x and above) is to use
> gpg-agent and pinentry. I think there's no way to escape that. And it's
> better. But it seems that there are pinentry implementation(s) for
> Emacs. There is one in GNU Elpa [...]

Ok, thanks. (BTW, part of the problem is that when I get the X popup,
Emacs is in an unresponsive state. And I need Emacs to get the
password. So I need to run a second Emacs instance, or get the password
before calling Gnus.)

I tried pinentry.el from Gnu Elpa. What do I need to add exactly to
"~/.gnupg/gpg-agent.conf"? Just "allow-emacs-pinentry" as the package's
doc tells doesn't work.

I could figure it out myself I guess, but I decided to CC the author and
hope we can improve the package's doc instead.


Thanks,

Michael.

Joakim Jalap

Feb 8, 2016, 12:01:21 PM2/8/16
to help-gn...@gnu.org
FWIW, this is what I have in my config regarding Gnupg:

**** GPG

So, this was a bit of a pain to get working, but now it works. For some
inexplicable reason, pinentry-emacs isn't built by default on
either FreeBSD or Arch, so one has to build it from source, and add
=--enable-pinentry-emacs=. Then add "allow-pinentry-emacs" to
=~/.gnupg/gpg-agent.conf=.
Then one simply does:
#+BEGIN_SRC emacs-lisp
(require 'pinentry)
(pinentry-start)
(setenv "INSIDE_EMACS" "YES")
#+END_SRC

I also have the cache time set to some ridiculously high value so I
don't have to enter my password all the time, but I guess that's another story.

>
> Thanks,
>
> Michael.

Hope it helps :)

Joakim


Michael Heerdegen

Feb 8, 2016, 12:54:23 PM2/8/16
to help-gn...@gnu.org
Hi Joakim,

> FWIW, this is what I have in my config regarding Gnupg:
>
> **** GPG
>
> So, this was a bit of a pain to get working, but now it
> works. For some
> inexplicable reason, pinentry-emacs isn't built by default on
> either FreeBSD or Arch, so one has to build it from source, and add
> =--enable-pinentry-emacs=. Then add "allow-pinentry-emacs" to
> =~/.gnupg/gpg-agent.conf=.
> Then one simply does:
>
> #+BEGIN_SRC emacs-lisp
> (require 'pinentry)
> (pinentry-start)
> (setenv "INSIDE_EMACS" "YES")
> #+END_SRC
> [...]

Thanks for answering!

What is pinentry-emacs - this one?

https://github.com/ecraven/pinentry-emacs

Do you mean I need to install this to be able to use pinentry.el (which,
I found out, already comes with Emacs 25)?


Regards,

Michael.


Joakim Jalap

Feb 8, 2016, 1:38:35 PM2/8/16
to help-gn...@gnu.org
Michael Heerdegen <michael_...@web.de> writes:

>
> What is pinentry-emacs - this one?
>
> https://github.com/ecraven/pinentry-emacs
>

No, pinentry-emacs is a binary which can be built when building pinentry
from source. It's been a long time since I dug into this, but I managed
to find what I found then :)

If you clone the pinentry repo:

git clone git://git.gnupg.org/pinentry.git

And run ./autogen.sh and then ./configure --help

You will see the option --enable-pinentry-emacs. So that's what you
should build with :)

There's also the option --enable-inside-emacs, but I think this will be
set by --enable-pinentry-emacs.

> Do you mean I need to install this to be able to use pinentry.el (which,
> I found out, already comes with Emacs 25)?

Well, I guess. I don't really know, sorry. But I think you need some
program for entering the password, and I guess this is the official way
to do it. But the gnupg maintainers really don't seem to like it, which
is why Arch and FreeBSD don't build it by default I guess.

Michael Heerdegen

Feb 8, 2016, 1:57:10 PM2/8/16
to help-gn...@gnu.org
Joakim Jalap <joakim...@fastmail.com> writes:


> No, pinentry-emacs is a binary which can be built when building pinentry
> from source. It's been a long time since I dug into this, but I managed
> to find what I found then :)
>
> If you clone the pinentry repo:
>
> git clone git://git.gnupg.org/pinentry.git
>
> And run ./autogen.sh and then ./configure --help
>
> You will see the option --enable-pinentry-emacs. So that's what you
> should build with :)
>
> There's also the option --enable-inside-emacs, but I think this will be
> set by --enable-pinentry-emacs.

I see.


> > Do you mean I need to install this to be able to use pinentry.el (which,
> > I found out, already comes with Emacs 25)?
>
> Well, I guess. I don't really know, sorry. But I think you need some
> program for entering the password, and I guess this is the official way
> to do it. But the gnupg maintainers really don't seem to like it, which
> is why Arch and FreeBSD don't build it by default I guess.

Same on Debian obviously.

Is it bad to get "Emacs in contact with the password", do I lose
security (question to all)? The main advantage of pinentry seems to be
that it avoids leaving a password in the swap partition.

Is using pinentry via pinentry.el in Emacs as secure as using a
different pinentry dialog?


Michael.


Joakim Jalap

Feb 8, 2016, 2:08:00 PM2/8/16
to help-gn...@gnu.org
Michael Heerdegen <michael_...@web.de> writes:

> Same on Debian obviously.

Yeah, nobody seems to like it, I guess the only reason they still keep
it around is because of Emacs' special status in the GNU project.

> Is it bad to get "Emacs in contact with the password", do I lose
> security (question to all)? The main advantage of pinentry seems to be
> that it avoids leaving a password in the swap partition.
>
> Is using pinentry via pinentry.el in Emacs as secure as using a
> different pinentry dialog?

There's some discussion on the matter here:

https://bugs.gnupg.org/gnupg/issue2034

I don't really care too much about security anyway, I'm more on the
level of "if I forget my laptop on the tube all my passwords shouldn't
be out in the open". So as long as they are in an encrypted file that's
all I ask :)

> Michael.

Joakim


Michael Heerdegen

Feb 8, 2016, 3:26:38 PM2/8/16
to help-gn...@gnu.org
Joakim Jalap <joakim...@fastmail.com> writes:

> I don't really care too much about security anyway, I'm more on the
> level of "if I forget my laptop on the tube all my passwords shouldn't
> be out in the open". So as long as they are in an encrypted file that's
> all I ask :)

Dunno. Maybe it's easy to extract a password for an encrypted file
from the swap partition if it is included there.

Michael.


Lars Ingebrigtsen

Feb 8, 2016, 8:02:00 PM2/8/16
to Michael Heerdegen, Emacs mailing list, Teemu Likonen, ue...@gnu.org
Perhaps pinentry.el and the pinentry program should be included in
Emacs? Having this stuff work out of the box would be nice.

--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no


Lars Ingebrigtsen

Feb 8, 2016, 10:49:45 PM2/8/16
to Daiki Ueno, Michael Heerdegen, Emacs mailing list, Teemu Likonen
Daiki Ueno <ue...@gnu.org> writes:

> pinentry.el is actually in lisp/net/ already. For the pinentry program,
> I don't think it is feasible, since there isn't (and won't be) a way to
> use a custom pinentry program from the gpg command line:
> https://lists.gnupg.org/pipermail/gnupg-devel/2015-May/029862.html

Hm... I don't know much about this stuff, but I'm not sure I
understand. :-) There exists a program already called pinentry-emacs,
somebody said? That allows us to enter passwords from Emacs, sort of?

Joakim Jalap

Feb 9, 2016, 4:11:25 AM2/9/16
to help-gn...@gnu.org
Michael Heerdegen <michael_...@web.de> writes:

> Dunno. Maybe it's easy to extract a password for an encrypted file
> from the swap partition if it is included there.

Well, that depends on your definition of easy :) First of all it would
require you to know that there is such a thing as a swap partition. I
think that rules out about 99% of the people who might find my laptop on
a train :)

But I totally understand if you want more security than that,
personally I just think that anyone with that level of sophistication
(can dump a swap partition and analyze it to get my password) will be
able to hack me anyway, if they wanted to.

Joakim


to...@tuxteam.de

Feb 9, 2016, 4:33:27 AM2/9/16
to Joakim Jalap, help-gn...@gnu.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If that's your threat model, I'd rather recommend using encrypted
file systems (yes, swap too). Don't lose a "running" laptop.

(yes, a bit off-topic, but as a reminder that to have some grip on
those things you have to try to develop threat models you care about,
otherwise it's just waving hands: necessary at the beginning, but
not yet the point at which you should rush to implement stuff).

- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAla5qjoACgkQBcgs9XrR2kbR8wCeNujIol3Zng48OS6LXQuLUeuY
lNMAnjKk1WUX3NZpwKRRDF8gmfxeOyqJ
=PSvg
-----END PGP SIGNATURE-----
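The advice above (encrypt the file systems, swap included) is easy to state and easy to forget to verify. The following script is an added example written for this thread, not code from any poster or from GnuPG: it reports active swap that is not backed by a dm-crypt mapping. It assumes Linux with util-linux `lsblk` and `/proc/swaps`; the sample lines in the functions' comments are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the thread): find swap that is not encrypted.
# Assumes util-linux lsblk and a readable /proc/swaps (Linux only).

# unencrypted_swap: read `lsblk -rpno NAME,TYPE,MOUNTPOINT` lines on stdin
# and print each active swap device whose own TYPE is not "crypt".
# Constructed input line: "/dev/sda2 part [SWAP]"  -> printed
#                         "/dev/mapper/cryptswap crypt [SWAP]" -> not printed
unencrypted_swap() {
    awk '$3 == "[SWAP]" && $2 != "crypt" { print $1 }'
}

# swap_files: read /proc/swaps on stdin and print entries of type "file".
# A swap file lives inside a file system, so it is only as protected as
# that file system is; lsblk never shows it, hence the separate check.
swap_files() {
    awk 'NR > 1 && $2 == "file" { print $1 }'
}

# has_crypt_ancestor DEV: succeed when a device below DEV in the block tree
# (for example the LUKS mapping under an LVM volume) has TYPE "crypt".
# This avoids flagging the common swap-on-LVM-on-LUKS layout.
has_crypt_ancestor() {
    lsblk -rsno TYPE "$1" 2>/dev/null | grep -qx crypt
}

# report_swap: print one line per swap entry stating whether it is encrypted.
report_swap() {
    [ -r /proc/swaps ] || { echo "no /proc/swaps; not Linux?"; return 0; }
    found=0
    for dev in $(lsblk -rpno NAME,TYPE,MOUNTPOINT 2>/dev/null | unencrypted_swap); do
        if has_crypt_ancestor "$dev"; then
            echo "$dev: swap on a volume that sits on dm-crypt (ok)"
        else
            echo "$dev: swap NOT encrypted"
            found=1
        fi
    done
    for f in $(swap_files < /proc/swaps); do
        echo "$f: swap file; encrypted only if its file system is"
        found=1
    done
    [ "$found" -eq 0 ] && echo "no unencrypted swap found"
    return 0
}

report_swap
```

The first pass looks only at the swap device's own type, which is why `has_crypt_ancestor` walks the inverse tree (`lsblk -s`) before declaring a device unencrypted. A hibernation or swap file is reported separately because the block-device view cannot see it at all.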

Joakim Jalap

Feb 9, 2016, 4:54:55 AM2/9/16
to help-gn...@gnu.org
Lars Ingebrigtsen <la...@gnus.org> writes:

> Daiki Ueno <ue...@gnu.org> writes:
>
>> pinentry.el is actually in lisp/net/ already. For the pinentry program,
>> I don't think it is feasible, since there isn't (and won't be) a way to
>> use a custom pinentry program from the gpg command line:
>> https://lists.gnupg.org/pipermail/gnupg-devel/2015-May/029862.html

Interesting to see that discussion :) I was looking at this months ago
when I tried to get it working in Emacs, but I never really found that thread.

> Hm... I don't know much about this stuff, but I'm not sure I
> understand. :-) There exists a program already called pinentry-emacs,
> somebody said? That allows us to enter passwords from Emacs, sort of?

pinentry-emacs can be built from the pinentry repo at
git.gnupg.org/pinentry.git.

Together with the correct envvars set, this allows us to input passwords
from Emacs, yes :)

However this seems to be seen as a sort of hack, and it's disabled by
default on Arch Linux, FreeBSD and Debian as it seems, so I have had to
build it from source. I guess that alienates a lot of users though :/

I agree it would be nice to have this working out of the box. Figuring
out all the steps took me quite a lot of time and effort actually (I
discovered pinentry-emacs by chance while looking at some changelog
entry in the pinentry repo, I think, and then figured out what it was by
reading the configure.ac file) and I don't think it qualifies as user
friendly. The reason I decided to look it up in the first place was that
while the gtk popup dialog works fine on an X display, I wanted
something that would work in a terminal as well. And unfortunately it
seems pinentry-curses can't be run through Emacs, well I didn't manage
anyway :)

Joakim


Daiki Ueno

Feb 9, 2016, 9:22:22 AM2/9/16
to Lars Ingebrigtsen, Michael Heerdegen, Emacs mailing list, Teemu Likonen
Lars Ingebrigtsen <la...@gnus.org> writes:

> Daiki Ueno <ue...@gnu.org> writes:
>
>> pinentry.el is actually in lisp/net/ already. For the pinentry program,
>> I don't think it is feasible, since there isn't (and won't be) a way to
>> use a custom pinentry program from the gpg command line:
>> https://lists.gnupg.org/pipermail/gnupg-devel/2015-May/029862.html
>
> Hm... I don't know much about this stuff, but I'm not sure I
> understand. :-) There exists a program already called pinentry-emacs,
> somebody said? That allows us to enter passwords from Emacs, sort of?

It allows you to enter passwords _only_ from Emacs. That could be
acceptable for those who do everything in Emacs, but wouldn't for most
others. For example, suppose one uses Emacs for editing and Thunderbird
for mailing. When he opens an encrypted mail in Thunderbird, he will be
asked for a passphrase from an Emacs window; I think that would be too
annoying.

Now that the upstream Pinentry has a proper diversion mechanism (Emacs
-> gnome-shell/GTK+/Qt -> curses), I don't see any benefit of
maintaining our own version of the pinentry program which only works
with Emacs.

Regards,
--
Daiki Ueno

Daiki Ueno

Feb 9, 2016, 9:22:23 AM2/9/16
to Michael Heerdegen, Emacs mailing list, Teemu Likonen, Lars Ingebrigtsen
Michael Heerdegen <michael_...@web.de> writes:

> I tried pinentry.el from Gnu Elpa. What do I need to add exactly to
> "~/.gnupg/gpg-agent.conf"? Just "allow-emacs-pinentry" as the package's
> doc tells doesn't work.

pinentry.el requires GnuPG >= 2.1.5 and Pinentry >= 0.9.8, as mentioned
in the header comment. Is the version requirement met on your system?

If it is all fine, try reloading the configuration with:

gpgconf --reload gpg-agent

as gpg-agent doesn't automatically reload the configuration.

Lars Ingebrigtsen <la...@gnus.org> writes:

> Perhaps pinentry.el and the pinentry program should be included in
> Emacs? Having this stuff work out of the box would be nice.

pinentry.el is actually in lisp/net/ already. For the pinentry program,
I don't think it is feasible, since there isn't (and won't be) a way to
use a custom pinentry program from the gpg command line:
https://lists.gnupg.org/pipermail/gnupg-devel/2015-May/029862.html

Regards,
--
Daiki Ueno
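The three things Daiki asks Michael to verify (GnuPG >= 2.1.5, Pinentry >= 0.9.8, the option in `gpg-agent.conf`, then `gpgconf --reload gpg-agent`) can be checked mechanically. The script below is an added example written for this thread, not code from Emacs, GnuPG or any poster. It looks for the option spelled `allow-emacs-pinentry`, which is the spelling in the package doc Michael quotes and the name gpg-agent actually accepts (Joakim's post spells it the other way round). The `fakegpg` name that appears only in the usage description is a constructed stand-in for a real binary.

```sh
#!/bin/sh
# Added example (not from the thread): check the pinentry.el prerequisites
# named in the reply above and reload gpg-agent only when all of them hold.

# version_ge A B: succeed when dotted version A is >= B, comparing each
# numeric component; missing components count as 0 (so 2.1 < 2.1.5).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        ai=${ai:-0} bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# tool_version CMD: print the version at the end of CMD's first --version
# line, e.g. "gpg (GnuPG) 2.1.5" -> 2.1.5; a suffix such as "-unknown" is
# dropped so the result stays purely numeric. Prints nothing if CMD is absent.
tool_version() {
    v=$("$1" --version 2>/dev/null | head -n 1 | awk '{ print $NF }')
    printf '%s\n' "${v%%[!0-9.]*}"
}

# agent_conf_has_option FILE OPTION: succeed when FILE has OPTION on an
# uncommented line (leading whitespace allowed; "# option" does not count,
# and neither does a longer option that merely starts with the same text).
agent_conf_has_option() {
    [ -r "$1" ] && grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# check_pinentry_setup CONF: run the three checks, report each, and reload
# gpg-agent only if everything passed (the agent does not reload CONF by
# itself). Returns 0 when the setup is complete, 1 otherwise.
check_pinentry_setup() {
    conf=$1 ok=0
    gpg=$(command -v gpg2 || command -v gpg) || { echo "no gpg binary on PATH"; return 1; }
    gv=$(tool_version "$gpg")
    if version_ge "${gv:-0}" 2.1.5; then echo "$gpg $gv: ok"
    else echo "$gpg ${gv:-?}: need GnuPG >= 2.1.5"; ok=1; fi
    pv=$(tool_version pinentry)
    if version_ge "${pv:-0}" 0.9.8; then echo "pinentry $pv: ok"
    else echo "pinentry ${pv:-?}: need Pinentry >= 0.9.8"; ok=1; fi
    if agent_conf_has_option "$conf" allow-emacs-pinentry; then
        echo "$conf: allow-emacs-pinentry is set"
    else
        echo "$conf: add a line 'allow-emacs-pinentry'"; ok=1
    fi
    if [ "$ok" -eq 0 ] && command -v gpgconf >/dev/null 2>&1; then
        gpgconf --reload gpg-agent && echo "gpg-agent reloaded"
    fi
    return "$ok"
}

check_pinentry_setup "${HOME}/.gnupg/gpg-agent.conf" || echo "setup incomplete; see above"
```

Run it as-is to audit the current user's setup; the reload step only fires once every check has passed, so a half-configured agent is never reloaded into a state that silently ignores the option.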

Lars Ingebrigtsen

Feb 9, 2016, 5:50:51 PM2/9/16
to Daiki Ueno, Michael Heerdegen, Emacs mailing list, Teemu Likonen
Daiki Ueno <ue...@gnu.org> writes:

> It allows you to enter passwords _only_ from Emacs. That could be
> acceptable for those who do everything in Emacs, but wouldn't for most
> others. For example, suppose one uses Emacs for editing and Thunderbird
> for mailing. When he opens an encrypted mail in Thunderbird, he will be
> asked for a passphrase from an Emacs window; I think that would be too
> annoying.

Oh, I see. Yeah, that doesn't sound very useful in general.

Barry Fishman

Feb 10, 2016, 8:47:53 AM2/10/16

On 2016-02-09 10:54:30 +0100, Joakim Jalap wrote:
> pinentry-emacs can be built from the pinentry repo at
> git.gnupg.org/pinentry.git.
>
> Together with the correct envvars set, this allows us to input passwords
> from Emacs, yes :)
>
> However this seems to be seen as a sort of hack, and it's disabled by
> default on Arch Linux, FreeBSD and Debian as it seems, so I have had to
> build it from source. I guess that alienates a lot of users though :/

But it *is* enabled by default in Arch, and included as a separate
package in Fedora.

For Arch, it's even part of core:

$ pacman -Ss pinentry
core/pinentry 0.9.7-1 [installed]
Collection of simple PIN or passphrase entry dialogs which utilize the
Assuan protocol
$ pacman -Qo /usr/bin/pinentry-emacs
/usr/bin/pinentry-emacs is owned by pinentry 0.9.7-1

--
Barry Fishman

Joakim Jalap

Feb 10, 2016, 10:18:36 AM2/10/16
to help-gn...@gnu.org
Oh cool!

Seems it was added in December last year, so that's probably after my
escapades :)

I actually mailed the maintainer of the FreeBSD port about it, and he
said he would enable it if I could get it to work, but unfortunately I
couldn't get the ports Makefile magic right :(

Joakim


Lele Gaifax

Feb 15, 2016, 6:15:54 AM2/15/16
to help-gn...@gnu.org
Michael Heerdegen <michael_...@web.de> writes:

> since some days ago, epg-gpg-program defaults to gpg2 (when installed)
> in emacs-25.
>
> With that new default, when Gnus tries to open my "~/.authinfo.gpg", I'm
> prompted for its password in a separate popup (X) window.

While on the subject, is there any way to tell Emacs to "inject" the related
file name into that popup, or even in the minibuffer password prompt?

I often use the desktop.el facility: it may happen that I have several
gpg-encoded files open at the same time, and when restarting the Emacs session
I was prompted for a keyword for each of them, and it's been a challenge to
blindly insert the right one, having no hint about which file was being opened.

Thank you,
ciao, lele.
--
nickname: Lele Gaifax | Quando vivrò di quello che ho pensato ieri
real: Emanuele Gaifas | comincerò ad aver paura di chi mi copia.
le...@metapensiero.it | -- Fortunato Depero, 1929.

