gw Apprentice
Joined: 03 Dec 2006 Posts: 215
|
Posted: Tue Jan 01, 2008 11:14 pm Post subject: how to disable (sanitize) gpg2 GUI features (pinentry)? |
|
|
Whenever I try to do symmetric encryption with the new gpg2, a GUI window pops up (pinentry, the necessity of which I really fail to see) asking for the passphrase.
Within this window copy and paste is not possible (why?).
How can I disable this new "feature", that is: simply enter the passphrase from within my terminal application, or how can I at least make pinentry accept copy and paste?
Thanks
gw |
|
sm4x n00b
Joined: 14 Dec 2003 Posts: 38 Location: Hamburg
|
Posted: Wed Jan 09, 2008 8:56 pm Post subject: |
|
|
Same problem here. I'm trying to invoke gpg via a shell script, and this pinentry-ncurses thingy complains about missing S.gpg-agent and unknown LC_TYPE, so I have to fire up X (!) to use the gtk interface.
Ironically, the ncurses interface works when gpg is invoked directly and not from a shell script.
So far I didn't find any solution to disable this completely useless feature, just found some hints that this is required now. On my BSD machines same thing, I went with the old gnupg version but this can't be a solution. I honestly don't know why a tool like gpg needs some stupid dependency like this.
Please let me know if you come up with something.
sm4x |
|
Thorium n00b
Joined: 01 Jul 2004 Posts: 22
|
Posted: Thu Jan 10, 2008 3:19 am Post subject: |
|
|
If you place
in your shell script before you call gpg, then the pinentry curses interface should be started instead of the gtk one. |
|
sm4x n00b
Joined: 14 Dec 2003 Posts: 38 Location: Hamburg
|
Posted: Thu Jan 10, 2008 9:30 am Post subject: |
|
|
The ncurses interface *is* actually working, if I execute gpg directly from the command line.
It is just not working when invoked by a pipe, like Code: | cat somefile | gpg --symmetric -a > cryptfile |
I guess the ncurses interface cannot be set up when it is called by another app.
So is there any way of completely disabling this pinentry stuff and returning to the passphrase dialog that the 1.4.8 had?
sm4x |
|
Orothain n00b
Joined: 27 Jan 2004 Posts: 8
|
Posted: Thu Feb 28, 2008 1:37 pm Post subject: |
|
|
I don't know of any way to disable the pinentry stuff, but you can force it to use the curses interface by setting
Code: |
pinentry-program /usr/bin/pinentry-curses
|
in ~/.gnupg/gpg-agent.conf (create the file if it doesn't exist). |
|
Felig Apprentice
Joined: 22 Jun 2004 Posts: 180
|
Posted: Mon Mar 03, 2008 6:23 pm Post subject: Still can't get rid of the X requirement |
|
|
The suggestion to set pinentry-program was confusing -- the gpg-agent man page refers to both pinentry-program and pinentry-pgm, and neither seemed to be useful. I had to unset DISPLAY to skip the X popup which wants the passphrase, and then I got some horrible text dump without \r, looked like \n only of the kind that used to trigger my reflexes to type "stty sane ^J", but it wouldn't take input. If that is the ncurses interface, it is useless.
This is really really annoying. I DO NOT WANT the X interface. I don't know what the ncurses interface is supposed to add over a simple read from /dev/console because what I have seen doesn't work.
Why can't this program revert to whatever behavior it had before of simply reading /dev/console? What bright eyed genius decided we all needed X to read passphrases, and that as a consolation prize for us stone age cripples, we could fall back to a broken ncurses interface? |
|
Konsti l33t
Joined: 10 Dec 2002 Posts: 691
|
Posted: Thu Apr 24, 2008 10:00 am Post subject: |
|
|
This is very far beyond my understanding also. Is there any way to go back to old-school console password input in any way? I did not find any yet... |
|
Thimo n00b
Joined: 22 May 2008 Posts: 2 Location: Germany
|
Posted: Thu May 22, 2008 4:43 pm Post subject: |
|
|
One can go back and emerge =gnupg-1.4.9 and therefore ignore that nasty behavior of gnupg-2.
As stated in the release notes of gnupg-2, gnupg-1.* will still be maintained. If you need to invoke gpg in pipes, this may be the way to go, at least until an appropriate console option is available for gnupg-2.* . |
|
overlourd n00b
Joined: 01 Jul 2008 Posts: 1
|
Posted: Tue Jul 01, 2008 2:33 pm Post subject: |
|
|
gnupg-1.* seems to not work with enigmail, the gnupg-plugin for thunderbird. So downgrading isn't a solution for me.
The gnupg-plugin for vim works fine with gnupg-1.* but not with gnupg-2.*'s ncurses passphrase dialog, so I probably have to keep the crappy gtk one. |
|
Thimo n00b
Joined: 22 May 2008 Posts: 2 Location: Germany
|
Posted: Tue Jul 01, 2008 5:18 pm Post subject: |
|
|
Did you start a gpg-agent (with corresponding environment settings) prior to thunderbird?
If you do not use an agent, you have to disable the corresponding option in enigmail. |
|
swimmer Veteran
Joined: 15 Jul 2002 Posts: 1330 Location: Netherlands
|
Posted: Thu Jul 31, 2008 10:03 pm Post subject: |
|
|
overlourd wrote: | gnupg-1.* seems to not work with enigmail, the gnupg-plugin for thunderbird. So downgrading isn't a solution for me.
The gnupg-plugin for vim works fine with gnupg-1.* but not with gnupg-2.*'s ncurses passphrase dialog, so I probably have to keep the crappy gtk one. |
The vim-plugin seems to work now -> http://www.vim.org/scripts/script.php?script_id=661
(Still untested though)
HTH
swimmer |
|
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
|
Posted: Wed Jun 06, 2012 4:11 pm Post subject: |
|
|
What is the current state of this situation?
I.e. make gnupg2 behave like gnupg so that a script with the following line
Code: | find /home/owner/secure | afio -ovZ -Pbzip2 -M1024m -|gpg -c |split -b500m - secure-bz2- |
can be run without requiring pinentry or ncurses?
I would be happy with app-crypt/gnupg-1.4.11, which is in portage, but it is not slotted and kdelibs demands gnupg-2.
Last edited by nlsa8z6zoz7lyih3ap on Thu Jun 07, 2012 7:57 pm; edited 1 time in total |
|
Felig Apprentice
Joined: 22 Jun 2004 Posts: 180
|
Posted: Thu Jun 07, 2012 6:15 pm Post subject: |
|
|
Good question. I last used gpg an hour ago and still get that awful pinentry or ncurses entry. I'd really like something simpler again. |
|
MassimoM n00b
Joined: 03 May 2008 Posts: 14 Location: Italy
|
Posted: Fri Jun 08, 2012 11:05 am Post subject: |
|
|
GPG has alternative methods for passphrase input: pinentry (which is voluntarily not scriptable), from file (but the passphrase should be stored in clear on disk...), from command line argument (which is very insecure, cmdline arguments can be read easily by anyone) and from another FD.
You can do:
Code: |
tar WHATEVER |gpg -c --passphrase-fd=3 3<<<$(echo this_is_the_passphrase) > WHATEVER.gpg
|
Details in the man page. |
|
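The file-descriptor method from the post above, wrapped so that the passphrase is typed at the terminal and reaches gpg2 on fd 3 through a pipe while the data stream keeps stdin and stdout. This is an added example, not code from the thread; it assumes GnuPG 2.1 or later, and the function names and paths are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.1 or later; older 2.1
# releases also need "allow-loopback-pinentry" in gpg-agent.conf.

# Prompt on the controlling terminal with echo off. The data pipeline owns
# stdin/stdout, so prompt and input both go through /dev/tty.
ask_passphrase() {
    printf 'Passphrase: ' > /dev/tty
    stty -echo < /dev/tty
    IFS= read -r pw < /dev/tty
    stty echo < /dev/tty
    printf '\n' > /dev/tty
    printf '%s\n' "$pw"
}

# with_passphrase PASSPHRASE CMD [ARGS...]   (hypothetical helper)
# Run CMD with the passphrase readable on fd 3 via an anonymous pipe. printf
# is a shell builtin, so the passphrase never appears in a process argument
# list and no temporary file is created. CMD keeps the caller's stdin, which
# is saved on fd 4 while the pipe is being set up.
with_passphrase() {
    _pw=$1; shift
    { printf '%s\n' "$_pw" | "$@" 3<&0 <&4 4<&-; } 4<&0
}

# Encrypt stdin to armored stdout. --batch makes gpg2 honour --passphrase-fd;
# --pinentry-mode loopback keeps gpg-agent from starting pinentry.
sym_encrypt() {
    gpg --batch --pinentry-mode loopback --passphrase-fd 3 --symmetric --armor
}

# Decrypt stdin to stdout over the same passphrase channel.
sym_decrypt() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 --decrypt
}

# Typical use in a script (paths are placeholders):
#   pw=$(ask_passphrase)
#   tar -cf - /path/to/dir | with_passphrase "$pw" sym_encrypt > backup.tar.asc
#   with_passphrase "$pw" sym_decrypt < backup.tar.asc | tar -xf -
```

gpg reads only the first line from the passphrase descriptor, so a passphrase pasted into the terminal prompt works as long as it contains no newline.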
Apheus Guru
Joined: 12 Jul 2008 Posts: 422
|
Posted: Fri Jun 08, 2012 2:29 pm Post subject: |
|
|
What happens with pinentry emerged without gtk or qt use flag? Maybe even without ncurses use flag. If there is no other application needing graphical pinentry (like thunderbird[crypt] with enigmail), this should be possible. |
|
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
|
Posted: Fri Jun 08, 2012 4:36 pm Post subject: |
|
|
Quote: | What happens with pinentry emerged without gtk or qt use flag? Maybe even without ncurses use flag. |
What happens with me is that it still uses ncurses. Bizarre, isn't it. |
|
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Sun Jun 10, 2012 6:23 pm Post subject: |
|
|
all ...
if you try and build pinentry without either gtk, gtk2, qt, or ncurses it fails:
Code: | ./configure --disable-pinentry-curses --disable-pinentry-gtk --disable-pinentry-gtk2 --disable-pinentry-qt
[...]
configure: error: No pinentry enabled. |
As gnupg has no native method, and uses pinentry, this means there is no current method of escaping one or other "interface". If you were happy with how it once was, when a command line interface was an 'option', then step aside, linux is being made 'usable', and your antiquated thinking is standing in the way of progress.
The official advice is "use gpg-agent", which in my case makes ... no, no, don't get me started. So, yes, this is a major annoyance, but unless some stop is put on this drive toward an ill-conceived abstracted "user" (which is little more than a strategist's idea of the "usability" requirement for "developing markets") then I think we will see more and more of this type of "development".
best ... khay |
|
HeXiLeD Veteran
Joined: 20 Aug 2005 Posts: 1159 Location: Online
|
Posted: Fri Aug 31, 2012 10:10 pm Post subject: |
|
|
It is quite stupid to completely disable or make unavailable the use of copy and paste with pinentry.
It is only intelligent to do so in the minds of those who use passwords like: 12345 or abcdf, god, car, love and so on.
While I do understand the potential security risks (and I block java!) that are around pasting passwords, I do feel like asking the #$%$%#&*$&* developers of the application if they considered passwords like this:
Code: | B:>\j*]-/z/mdd4EyGfXe{VP^nhjHRi78(n<W8D6wAN5_p<-Y" |
And how are we supposed to know them. I do advocate security but pinentry's intended functionality is simply STUPID and arrogant. At least an intelligent development would consider an option that would allow the user to select if he wants the functionality or not.
This stupid behaviour has prevented me from using openpgp with my email. All known and half-working workarounds are just messy.
I am quite frustrated with all this pinentry crap.
Either I use small simple crackable passwords or I don't use openpgp at all.
pinentry-curses also does not work. _________________ Do you hear the sound of inevitability?
With age, comes great grumpiness and that, was 20 years ago...
CertFP: becbbd161d5a5c31de3c45171b77bf710911db29 / d985d21f89fe2977b593c4d381a1a86802e62990d9328d893db76d59f9935244 |
|
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
|
Posted: Fri Aug 31, 2012 11:19 pm Post subject: |
|
|
Quote: | B:>\j*]-/z/mdd4EyGfXe{VP^nhjHRi78(n<W8D6wAN5_p<-Y" |
That does sound like my kind of password too. Since I cut and paste large bizarre passwords,
I use the pinentry-ncurses interface, which does allow it.
There are some tricks to getting it to work.
(1) Code: | USE="ncurses -caps -gtk -qt4 -static" emerge pinentry |
(2) Before using gpg Code: | export GPG_TTY=`tty` |
NOTE: I also include the following: Code: | export LANG="en_CA" |
I hope that the above enables you to get cut and paste with pinentry-ncurses working.
Please feel free to get back to me if you have any follow up comments or questions.
PS I still find gpg vastly more useful to me than gpg2. I would install the old gpg (which is still in the portage tree) except that it is not a "slotted" package and gpg2 is required by so much of the modern Desktop. I wonder if anyone knows how to make it into a slotted package? |
|
HeXiLeD Veteran
Joined: 20 Aug 2005 Posts: 1159 Location: Online
|
Posted: Sat Sep 01, 2012 12:28 am Post subject: |
|
|
No luck with thunderbird and your solution as I cannot get an interface to input the password.
and also in gpg-agent.conf :
Code: | pinentry-program /usr/bin/pinentry-curses
no-grab
default-cache-ttl 599940
max-cache-ttl 999999 |
I am however able to open the ncurses interface on a terminal and that is about it.
pinentry should be removed from portage. It is useless for people who actually are interested in secure passwords. |
|
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
|
Posted: Sat Sep 01, 2012 2:20 pm Post subject: |
|
|
Quote: | No luck with thunderbird and your solution as i cannot get an interface to input the password. |
I have to apologize as I never thought of gui programs such as Thunderbird. My frustration is that I only use gpg on the command line
and am now forced to jump through hoops to make it work.
Do you know if it is possible to do high quality encryption from the command line without using gnupg? |
|
nihil39 Tux's lil' helper
Joined: 15 Nov 2005 Posts: 97 Location: Italy
|
Posted: Thu Dec 06, 2012 10:45 am Post subject: |
|
|
nlsa8z6zoz7lyih3ap wrote: | Do you know if it is possible to do high quality encryption from the command line without using gnupg? |
app-crypt/ccrypt
Available versions: 1.9
Installed versions: 1.9(10:49:48 PM 12/05/2012)
Homepage: http://ccrypt.sourceforge.net
Description: Encryption and decryption
Try to use ccrypt, I just asked for a version bump in bugzilla. |
|
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
|
Posted: Thu Dec 06, 2012 6:26 pm Post subject: |
|
|
Thanks very much!
I have installed it and am using it already. |
|
nihil39 Tux's lil' helper
Joined: 15 Nov 2005 Posts: 97 Location: Italy
|
Posted: Fri Dec 07, 2012 4:14 pm Post subject: |
|
|
nlsa8z6zoz7lyih3ap wrote: | Thanks very much!
I have installed it and am using it already. |
No problem! Can you please join the version bump request by asking and/or voting the bug in the following thread? https://bugs.gentoo.org/show_bug.cgi?id=446170
Version 1.10 adds new useful features. Thanks. |
|
nlsa8z6zoz7lyih3ap Guru
Joined: 25 Sep 2007 Posts: 388 Location: Canada
|
Posted: Fri Dec 07, 2012 4:39 pm Post subject: |
|
|
Done.
PS: The only time that I submitted a version bump, I also submitted the new ebuild.
Of course it doesn't automatically go into portage, but it makes it easier for the maintainer to proceed and may well hurry things along.
Are you interested in doing this? |
|