Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
how to disable (sanitize) gpg2 GUI features (pinentry)?
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
gw
Apprentice
Apprentice


Joined: 03 Dec 2006
Posts: 215

PostPosted: Tue Jan 01, 2008 11:14 pm    Post subject: how to disable (sanitize) gpg2 GUI features (pinentry)? Reply with quote

Whenever I try to do symmetric encryption with the new gpg2, a GUI window pops up (pinentry, the necessity of which I really fail to see) asking for the passphrase.
Within this window copy and paste is not possible (why?).

How can I disable this new "feature", that is: simply enter the passphrase from within my terminal application, or how can I at least make pinentry accept copy and paste?

Thanks

gw
Back to top
View user's profile Send private message
sm4x
n00b
n00b


Joined: 14 Dec 2003
Posts: 38
Location: Hamburg

PostPosted: Wed Jan 09, 2008 8:56 pm    Post subject: Reply with quote

Same problem here. I'm trying to invoke gpg via a shell script, and this pinentry-ncurses thingy complains about missing S.gpg-agent and unknown LC_TYPE, so i have to fire up X (!) to use the gtk interface.

Ironically, the ncurses interface works when gpg is invoked directly and not from a shell script.

So far I didn't find any solution to disable this completely useless feature, just found some hints that this is required now. On my BSD machines same thing, i went with the old gnupg version but this can't be a solution. I honestly don't know why a tool like gpg needs some stupid dependency like this.

Please let me know if you come up with something.

sm4x
Back to top
View user's profile Send private message
Thorium
n00b
n00b


Joined: 01 Jul 2004
Posts: 22

PostPosted: Thu Jan 10, 2008 3:19 am    Post subject: Reply with quote

If you place

Code:
export DISPLAY=""


in your shell script before you call gpg, then the pinentry curses interface should be started instead of the gtk one.
Back to top
View user's profile Send private message
sm4x
n00b
n00b


Joined: 14 Dec 2003
Posts: 38
Location: Hamburg

PostPosted: Thu Jan 10, 2008 9:30 am    Post subject: Reply with quote

The ncurses interface *is* actually working, if I execute gpg directly from the command line.

It ist just not working when invoked by a pipe, like
Code:
cat somefile | gpg --symmetric -a > cryptfile

I guess the ncurses interface cannot be set up when it is called by another app.

So is there any whay of completely diasabling this pinentry stuff and return to the passphrase dialog that the 1.4.8 had?

sm4x
Back to top
View user's profile Send private message
Orothain
n00b
n00b


Joined: 27 Jan 2004
Posts: 8

PostPosted: Thu Feb 28, 2008 1:37 pm    Post subject: Reply with quote

I don't know of any way to disable the pinentry stuff, but you can force it to use the curses interface by setting

Code:

pinentry-program /usr/bin/pinentry-curses


in ~/.gnupg/gpg-agent.conf (create the file if it doesn't exist).
Back to top
View user's profile Send private message
Felig
Apprentice
Apprentice


Joined: 22 Jun 2004
Posts: 180

PostPosted: Mon Mar 03, 2008 6:23 pm    Post subject: Still can't get rid of the X requirement Reply with quote

The suggestion to set pinentry-program was confusing -- the gpg-agent man page refers to both pinentry-program and pinentry-pgm, and neither seemed to be useful. I had to unset DISPLAY to skip the X popup which wants the passphrase, and then I got some horrible text dump without \r, looked like \n only of the kind that used to trigger my reflexes to type "stty sane ^J", but it wouldn't take input. If that is the ncurses interface, it is useless.

This is really really annoying. I DO NOT WANT the X interface. I don't know what the ncurses interface is supposed to add over a simple read from /dev/console because what I have seen doesn't work.

Why can't this program revert to whatever behavior it had before of simply reading /dev/console? What bright eyed genius decided we all needed X to read passphrases, and that as a consolation prize for us stone age cripples, we could fall back to a broken ncurses interface?
Back to top
View user's profile Send private message
Konsti
l33t
l33t


Joined: 10 Dec 2002
Posts: 691

PostPosted: Thu Apr 24, 2008 10:00 am    Post subject: Reply with quote

This is very far beyond my understanding also. Is there any way to go back to oldscool console password input in any way? I did not found any yet...
_________________
konsti@jabber.org
Back to top
View user's profile Send private message
Thimo
n00b
n00b


Joined: 22 May 2008
Posts: 2
Location: Germany

PostPosted: Thu May 22, 2008 4:43 pm    Post subject: Reply with quote

One can go back and emerge =gnupg-1.4.9 and therefore ignore that nasty behavior of gnupg-2.
As stated in the release notes of gnupg-2, gnupg-1.* will still be maintained. If you need to invoke gpg in pipes, this may be the way to go, at least until an appropriate console option is available for gnupg-2.* .
Back to top
View user's profile Send private message
overlourd
n00b
n00b


Joined: 01 Jul 2008
Posts: 1

PostPosted: Tue Jul 01, 2008 2:33 pm    Post subject: Reply with quote

gnupg-1.* seems to not work with enigmail, the gnupg-plugin for thunderbird. So downgrading isn't a solution for me.
The gnupg-plugin for vim works fine with gnupg-1.* but not with gnupg-2.*'s ncurses passphrase dialog, so I probably have to keep the crappy gtk one.
Back to top
View user's profile Send private message
Thimo
n00b
n00b


Joined: 22 May 2008
Posts: 2
Location: Germany

PostPosted: Tue Jul 01, 2008 5:18 pm    Post subject: Reply with quote

Did you start a gpg-agent (with corresponding environment settings) prior to thunderbird?
If you do not use an agent, you have to disable the corresponding option in enigmail.
Back to top
View user's profile Send private message
swimmer
Veteran
Veteran


Joined: 15 Jul 2002
Posts: 1289
Location: Netherlands

PostPosted: Thu Jul 31, 2008 10:03 pm    Post subject: Reply with quote

overlourd wrote:
gnupg-1.* seems to not work with enigmail, the gnupg-plugin for thunderbird. So downgrading isn't a solution for me.
The gnupg-plugin for vim works fine with gnupg-1.* but not with gnupg-2.*'s ncurses passphrase dialog, so I probably have to keep the crappy gtk one.

The vim-plugin seems to work now -> http://www.vim.org/scripts/script.php?script_id=661

(Still untested though)

HTH
swimmer
Back to top
View user's profile Send private message
nlsa8z6zoz7lyih3ap
Guru
Guru


Joined: 25 Sep 2007
Posts: 328
Location: Canada

PostPosted: Wed Jun 06, 2012 4:11 pm    Post subject: Reply with quote

What is the current state of this situation?
I.e. make gnupg2 behave like gnupg so that a script with the following line
Code:
find /home/owner/secure  | afio -ovZ -Pbzip2     -M1024m -|gpg -c  |split  -b500m - secure-bz2-

can be run without requiring pinentry or ncurses?

I would be happy with app-crypt/gnupg-1.4.11, which is in portage, but it is not slotted and kdelibs demands gnupg-2.


Last edited by nlsa8z6zoz7lyih3ap on Thu Jun 07, 2012 7:57 pm; edited 1 time in total
Back to top
View user's profile Send private message
Felig
Apprentice
Apprentice


Joined: 22 Jun 2004
Posts: 180

PostPosted: Thu Jun 07, 2012 6:15 pm    Post subject: Reply with quote

Good question. I last used gpg an hour ago and still get that awful pinentry or ncurses entry. I'd really like something simpler again.
Back to top
View user's profile Send private message
MassimoM
n00b
n00b


Joined: 03 May 2008
Posts: 14
Location: Italy

PostPosted: Fri Jun 08, 2012 11:05 am    Post subject: Reply with quote

GPG has alternative methods for passphrase input: pinentry (which is voluntarily not scriptable), from file (but the passphrase should be stored in clear on disk...... :( ), from command line argument (which is very insecure, cmdline arguments can be read easily from anyone) and from another FD.
You can do:
Code:

tar WHATEVER |gpg -c --passphrase-fd=3 3<<<$(echo this_is_the_passphrase) > WHATEVER.gpg


Details in the man page.
Back to top
View user's profile Send private message
Apheus
Apprentice
Apprentice


Joined: 12 Jul 2008
Posts: 218

PostPosted: Fri Jun 08, 2012 2:29 pm    Post subject: Reply with quote

What happens with pinentry emerged without gtk or qt use flag? Maybe even without ncurses use flag. If there is no other application needing graphical pinentry (like thunderbird[crypt] with enigmail), this should be possible.
Back to top
View user's profile Send private message
nlsa8z6zoz7lyih3ap
Guru
Guru


Joined: 25 Sep 2007
Posts: 328
Location: Canada

PostPosted: Fri Jun 08, 2012 4:36 pm    Post subject: Reply with quote

Quote:
What happens with pinentry emerged without gtk or qt use flag? Maybe even without ncurses use flag.


What happens with me is that it still uses ncurses. Bizarre, isn't it.
Back to top
View user's profile Send private message
khayyam
Advocate
Advocate


Joined: 07 Jun 2012
Posts: 2187

PostPosted: Sun Jun 10, 2012 6:23 pm    Post subject: Reply with quote

all ...

if you try and build pinentry without either gtk, gtk2, qt, or ncurses it fails:

Code:
./configure --disable-pinentry-curses --disable-pinentry-gtk --disable-pinentry-gtk2 --disable-pinentry-qt
[...]
configure: error: No pinentry enabled.


As gnupg has no native method, and uses pinentry, this means there is no current method of escaping one or other "interface". If you were happy with how it once was, when a command line interface was an 'option', then step aside, linux is being made 'usable', and your antiquated thinking is standing in the way of progress.

The offical advice is "use gpg-agent", which in my case makes ... no, no, don't get me started. So, yes, this is a major annoyance, but unless some stop is put on this drive toward an ill concieved abstracted "user" (which is little more than a stratigists idea of the "usability" requirement for "developing markets") then I think we will see more and more of this type of "development".

best ... khay
Back to top
View user's profile Send private message
HeXiLeD
l33t
l33t


Joined: 20 Aug 2005
Posts: 962
Location: online

PostPosted: Fri Aug 31, 2012 10:10 pm    Post subject: Reply with quote

It is quite stupid completely disable or make unavailable the use of copy and paste with pinentry.
It is only intelligent to do so in the minds of those who use passwords like: 12345 or abcdf, god, car, love and so on.
While i do understand the potential security risks (and i block java!) that are around pasting passwords i do fee like asking the #$%$%#&*$&* developers of the application if they considered passwords like this:

Code:
B:>\j*]-/z/mdd4EyGfXe{VP^nhjHRi78(n<W8D6wAN5_p<-Y"


And how are we suppose to know them. I do advocate security but pinentry intended functionality is simply STUPID and arrogant. At least an intelligent development would consider an option that would allow the user to select if he wants the functionality or not.

This stupid behaviour has prevented me to use openpgp with my email. All know and half working work arounds are just messy.
I am quite frustrated with all this pinentry crap.

Either i use small simple crackable passwords or i dont use openpgp at all.

pinentry-curses also does not work.
_________________
443640, Questioning, Unsolved, BinHost
Back to top
View user's profile Send private message
nlsa8z6zoz7lyih3ap
Guru
Guru


Joined: 25 Sep 2007
Posts: 328
Location: Canada

PostPosted: Fri Aug 31, 2012 11:19 pm    Post subject: Reply with quote

Quote:
B:>\j*]-/z/mdd4EyGfXe{VP^nhjHRi78(n<W8D6wAN5_p<-Y"


That does sound like my kind of password too. Since I cut and paste large bizarre passwords,
I use the pinentry-ncurses interface, which does allow it.

There are some tricks to getting it to work.

(1)
Code:
 USE="ncurses -caps -gtk -qt4 -static" emerge pinentry"



(2) Before using gpg
Code:
export GPG_TTY=`tty`


NOTE: I also include the following:
Code:
export LANG="en_CA"


I hope that the above enables you to get cut and paste with pinentry-ncurses working.
Please feel free to get back to me if you have any follow up comments or questions.

PS I still find gpg vastly more useful to me than gpg2. I would install the old gpg (which is still in the portage tree) except that it is not a "slotted" package and gpg2 is required by so much of the modern Desktop. I wonder if anyone knows how to make it into a slotted package?
Back to top
View user's profile Send private message
HeXiLeD
l33t
l33t


Joined: 20 Aug 2005
Posts: 962
Location: online

PostPosted: Sat Sep 01, 2012 12:28 am    Post subject: Reply with quote

No luck with thunderbird and your solution as i cannot get an interface to input the password.
and also in gpg-agent.conf :
Code:
pinentry-program /usr/bin/pinentry-curses
no-grab
default-cache-ttl 599940
max-cache-ttl 999999


I am however able to open the ncurses interface on a terminal and hat is about it.
pinetry should be removed from portage. It is useless for people who actually are interested in secure passwords.
_________________
443640, Questioning, Unsolved, BinHost
Back to top
View user's profile Send private message
nlsa8z6zoz7lyih3ap
Guru
Guru


Joined: 25 Sep 2007
Posts: 328
Location: Canada

PostPosted: Sat Sep 01, 2012 2:20 pm    Post subject: Reply with quote

Quote:
No luck with thunderbird and your solution as i cannot get an interface to input the password.


I have to apologize as I never thought of gui programs such as Thunderbird. My frustration is that I only use gpg on the command line
and am now forced to jump through hoops to make it work.

Do you know if it is possible to do high quality encryption from the command line without using gnupg?
Back to top
View user's profile Send private message
nihil39
Tux's lil' helper
Tux's lil' helper


Joined: 15 Nov 2005
Posts: 84
Location: Italy

PostPosted: Thu Dec 06, 2012 10:45 am    Post subject: Reply with quote

nlsa8z6zoz7lyih3ap wrote:
Do you know if it is possible to do high quality encryption from the command line without using gnupg?


app-crypt/ccrypt
Available versions: 1.9
Installed versions: 1.9(10:49:48 PM 12/05/2012)
Homepage: http://ccrypt.sourceforge.net
Description: Encryption and decryption


Try to use ccrypt, I just asked for a version bump in bugzilla.
Back to top
View user's profile Send private message
nlsa8z6zoz7lyih3ap
Guru
Guru


Joined: 25 Sep 2007
Posts: 328
Location: Canada

PostPosted: Thu Dec 06, 2012 6:26 pm    Post subject: Reply with quote

Thanks very much! :D
I have installed it and am using it already.
Back to top
View user's profile Send private message
nihil39
Tux's lil' helper
Tux's lil' helper


Joined: 15 Nov 2005
Posts: 84
Location: Italy

PostPosted: Fri Dec 07, 2012 4:14 pm    Post subject: Reply with quote

nlsa8z6zoz7lyih3ap wrote:
Thanks very much! :D
I have installed it and am using it already.


No problem! Can you please join the version bump request by asking and/or voting the bug in the following thread? https://bugs.gentoo.org/show_bug.cgi?id=446170
Version 1.10 adds new useful features. Thanks.
Back to top
View user's profile Send private message
nlsa8z6zoz7lyih3ap
Guru
Guru


Joined: 25 Sep 2007
Posts: 328
Location: Canada

PostPosted: Fri Dec 07, 2012 4:39 pm    Post subject: Reply with quote

Done.

PS: The only time that I submitted a version bump, I also submitted the new ebuild.
Of course it doesn't automatically go into portage, but it makes it easier for the maintainer to proceed and may well hurry things along.
Are you interested in doing this?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum