how to disable (sanitize) gpg2 GUI features (pinentry)?

Post by gw » Tue Jan 01, 2008 11:14 pm

Whenever I try to do symmetric encryption with the new gpg2, a GUI window pops up (pinentry, the necessity of which I really fail to see) asking for the passphrase.
Within this window copy and paste is not possible (why?).

How can I disable this new "feature", that is: simply enter the passphrase from within my terminal application, or how can I at least make pinentry accept copy and paste?

Thanks

gw

Post by sm4x » Wed Jan 09, 2008 8:56 pm

Same problem here. I'm trying to invoke gpg via a shell script, and this pinentry-ncurses thingy complains about missing S.gpg-agent and unknown LC_TYPE, so I have to fire up X (!) to use the gtk interface.

Ironically, the ncurses interface works when gpg is invoked directly and not from a shell script.

So far I didn't find any solution to disable this completely useless feature, just found some hints that this is required now. On my BSD machines same thing, I went with the old gnupg version but this can't be a solution. I honestly don't know why a tool like gpg needs some stupid dependency like this.

Please let me know if you come up with something.

sm4x

Post by Thorium » Thu Jan 10, 2008 3:19 am

If you place

Code:

export DISPLAY=""

in your shell script before you call gpg, then the pinentry curses interface should be started instead of the gtk one.

Post by sm4x » Thu Jan 10, 2008 9:30 am

The ncurses interface *is* actually working, if I execute gpg directly from the command line.

It is just not working when invoked by a pipe, like

Code:

cat somefile | gpg --symmetric -a > cryptfile

I guess the ncurses interface cannot be set up when it is called by another app.

So is there any way of completely disabling this pinentry stuff and return to the passphrase dialog that the 1.4.8 had?

sm4x

Post by Orothain » Thu Feb 28, 2008 1:37 pm

I don't know of any way to disable the pinentry stuff, but you can force it to use the curses interface by setting

Code:

pinentry-program /usr/bin/pinentry-curses

in ~/.gnupg/gpg-agent.conf (create the file if it doesn't exist).

Still can't get rid of the X requirement

Post by Felig » Mon Mar 03, 2008 6:23 pm

The suggestion to set pinentry-program was confusing -- the gpg-agent man page refers to both pinentry-program and pinentry-pgm, and neither seemed to be useful. I had to unset DISPLAY to skip the X popup which wants the passphrase, and then I got some horrible text dump without \r, looked like \n only of the kind that used to trigger my reflexes to type "stty sane ^J", but it wouldn't take input. If that is the ncurses interface, it is useless.

This is really really annoying. I DO NOT WANT the X interface. I don't know what the ncurses interface is supposed to add over a simple read from /dev/console because what I have seen doesn't work.

Why can't this program revert to whatever behavior it had before of simply reading /dev/console? What bright eyed genius decided we all needed X to read passphrases, and that as a consolation prize for us stone age cripples, we could fall back to a broken ncurses interface?

Post by Konsti » Thu Apr 24, 2008 10:00 am

This is very far beyond my understanding also. Is there any way to go back to old-school console password input in any way? I did not find any yet...

Post by Thimo » Thu May 22, 2008 4:43 pm

One can go back and emerge =gnupg-1.4.9 and therefore ignore that nasty behavior of gnupg-2.
As stated in the release notes of gnupg-2, gnupg-1.* will still be maintained. If you need to invoke gpg in pipes, this may be the way to go, at least until an appropriate console option is available for gnupg-2.* .

Post by overlourd » Tue Jul 01, 2008 2:33 pm

gnupg-1.* seems to not work with enigmail, the gnupg-plugin for thunderbird. So downgrading isn't a solution for me.
The gnupg-plugin for vim works fine with gnupg-1.* but not with gnupg-2.*'s ncurses passphrase dialog, so I probably have to keep the crappy gtk one.

Post by Thimo » Tue Jul 01, 2008 5:18 pm

Did you start a gpg-agent (with corresponding environment settings) prior to thunderbird?
If you do not use an agent, you have to disable the corresponding option in enigmail.

Post by swimmer » Thu Jul 31, 2008 10:03 pm

overlourd wrote:gnupg-1.* seems to not work with enigmail, the gnupg-plugin for thunderbird. So downgrading isn't a solution for me.
The gnupg-plugin for vim works fine with gnupg-1.* but not with gnupg-2.*'s ncurses passphrase dialog, so I probably have to keep the crappy gtk one.
The vim-plugin seems to work now -> http://www.vim.org/scripts/script.php?script_id=661

(Still untested though)

HTH
swimmer

Post by nlsa8z6zoz7lyih3ap » Wed Jun 06, 2012 4:11 pm

What is the current state of this situation?
I.e. make gnupg2 behave like gnupg so that a script with the following line

Code:

find /home/owner/secure | afio -ovZ -Pbzip2 -M1024m - | gpg -c | split -b500m - secure-bz2-

can be run without requiring pinentry or ncurses?

I would be happy with app-crypt/gnupg-1.4.11, which is in portage, but it is not slotted and kdelibs demands gnupg-2.
Last edited by nlsa8z6zoz7lyih3ap on Thu Jun 07, 2012 7:57 pm, edited 1 time in total.

Post by Felig » Thu Jun 07, 2012 6:15 pm

Good question. I last used gpg an hour ago and still get that awful pinentry or ncurses entry. I'd really like something simpler again.

Post by MassimoM » Fri Jun 08, 2012 11:05 am

GPG has alternative methods for passphrase input: pinentry (which is voluntarily not scriptable), from file (but the passphrase should be stored in clear on disk...... :( ), from command line argument (which is very insecure, cmdline arguments can be read easily from anyone) and from another FD.
You can do:

Code:

tar WHATEVER | gpg -c --passphrase-fd=3 3<<<$(echo this_is_the_passphrase) > WHATEVER.gpg

Details in the man page.
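
The difference between two of the channels listed in the post above (command-line argument versus a separate file descriptor), as an added example that is not part of the original thread. A stand-in `sh` child takes the place of gpg so the check runs without GnuPG; the name `standin`, the sample passphrase and the helper functions are constructed, and Linux with /proc is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Linux only: it reads /proc/<pid>/cmdline.
# A stand-in child (sh) plays the role of gpg so the check runs without GnuPG;
# its option names merely mimic gpg's --passphrase and --passphrase-fd.

PASSPHRASE='constructed-sample-passphrase'   # constructed value, not a real secret

# Succeeds if string $2 occurs in the argument vector of process $1, i.e. in
# what every local user can read through ps or /proc.
string_in_cmdline() {
    tr '\000' ' ' 2>/dev/null < "/proc/$1/cmdline" | grep -qF -- "$2"
}

# Wait for child $1 to exec, report whether the passphrase is in its argv,
# then stop the child.
report_and_stop() {
    n=0
    until string_in_cmdline "$1" standin || [ "$n" -ge 500 ]; do n=$((n + 1)); done
    if string_in_cmdline "$1" "$PASSPHRASE"; then echo visible; else echo hidden; fi
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
}

# Channel 1: passphrase passed as a command-line argument.
probe_argv() {
    sh -c 'sleep 2 & wait' standin --passphrase "$PASSPHRASE" >/dev/null 2>&1 &
    report_and_stop $!
}

# Channel 2: passphrase passed on file descriptor 3 (here-document); the
# argument vector carries only the descriptor number.
probe_fd() {
    sh -c 'cat <&3 >/dev/null; sleep 2 & wait' standin --passphrase-fd 3 \
        >/dev/null 2>&1 3<<EOF &
$PASSPHRASE
EOF
    report_and_stop $!
}

echo "command-line argument: $(probe_argv)"
echo "file descriptor 3:     $(probe_fd)"
```

With gpg2 itself, `--passphrase-fd` is only honoured together with `--batch`, and GnuPG 2.1 and later additionally need `--pinentry-mode loopback`.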

Post by Apheus » Fri Jun 08, 2012 2:29 pm

What happens with pinentry emerged without gtk or qt use flag? Maybe even without ncurses use flag. If there is no other application needing graphical pinentry (like thunderbird[crypt] with enigmail), this should be possible.

Post by nlsa8z6zoz7lyih3ap » Fri Jun 08, 2012 4:36 pm

Apheus wrote: What happens with pinentry emerged without gtk or qt use flag? Maybe even without ncurses use flag.
What happens with me is that it still uses ncurses. Bizarre, isn't it.

Post by khayyam » Sun Jun 10, 2012 6:23 pm

all ...

if you try and build pinentry without either gtk, gtk2, qt, or ncurses it fails:

Code:

./configure --disable-pinentry-curses --disable-pinentry-gtk --disable-pinentry-gtk2 --disable-pinentry-qt
[...]
configure: error: No pinentry enabled.

As gnupg has no native method, and uses pinentry, this means there is no current method of escaping one or other "interface". If you were happy with how it once was, when a command line interface was an 'option', then step aside, linux is being made 'usable', and your antiquated thinking is standing in the way of progress.

The official advice is "use gpg-agent", which in my case makes ... no, no, don't get me started. So, yes, this is a major annoyance, but unless some stop is put on this drive toward an ill-conceived abstracted "user" (which is little more than a strategist's idea of the "usability" requirement for "developing markets") then I think we will see more and more of this type of "development".

best ... khay

Post by HeXiLeD » Fri Aug 31, 2012 10:10 pm

It is quite stupid to completely disable or make unavailable the use of copy and paste with pinentry.
It is only intelligent to do so in the minds of those who use passwords like: 12345 or abcdf, god, car, love and so on.
While I do understand the potential security risks (and I block java!) that are around pasting passwords I do feel like asking the #$%$%#&*$&* developers of the application if they considered passwords like this:

Code:

B:>\j*]-/z/mdd4EyGfXe{VP^nhjHRi78(n<W8D6wAN5_p<-Y"

And how are we supposed to know them. I do advocate security but pinentry's intended functionality is simply STUPID and arrogant. At least an intelligent development would consider an option that would allow the user to select if he wants the functionality or not.

This stupid behaviour has prevented me from using openpgp with my email. All known and half-working workarounds are just messy.
I am quite frustrated with all this pinentry crap.

Either I use small simple crackable passwords or I don't use openpgp at all.

pinentry-curses also does not work.
Do you hear the sound of inevitability?
With age, comes great grumpiness and that, was 20 years ago...

CertFP: becbbd161d5a5c31de3c45171b77bf710911db29 / d985d21f89fe2977b593c4d381a1a86802e62990d9328d893db76d59f9935244

Post by nlsa8z6zoz7lyih3ap » Fri Aug 31, 2012 11:19 pm

HeXiLeD wrote: B:>\j*]-/z/mdd4EyGfXe{VP^nhjHRi78(n<W8D6wAN5_p<-Y"
That does sound like my kind of password too. Since I cut and paste large bizarre passwords,
I use the pinentry-ncurses interface, which does allow it.

There are some tricks to getting it to work.

(1)

Code:

USE="ncurses -caps -gtk -qt4 -static" emerge pinentry

(2) Before using gpg

Code:

export GPG_TTY=$(tty)

NOTE: I also include the following:

Code:

export LANG="en_CA"

I hope that the above enables you to get cut and paste with pinentry-ncurses working.
Please feel free to get back to me if you have any follow up comments or questions.

PS I still find gpg vastly more useful to me than gpg2. I would install the old gpg (which is still in the portage tree) except that it is not a "slotted" package and gpg2 is required by so much of the modern Desktop. I wonder if anyone knows how to make it into a slotted package?

Post by HeXiLeD » Sat Sep 01, 2012 12:28 am

No luck with thunderbird and your solution as I cannot get an interface to input the password.
and also in gpg-agent.conf :

Code:

pinentry-program /usr/bin/pinentry-curses
no-grab
default-cache-ttl 599940
max-cache-ttl 999999

I am however able to open the ncurses interface on a terminal and that is about it.
pinentry should be removed from portage. It is useless for people who actually are interested in secure passwords.

Post by nlsa8z6zoz7lyih3ap » Sat Sep 01, 2012 2:20 pm

HeXiLeD wrote: No luck with thunderbird and your solution as I cannot get an interface to input the password.
I have to apologize as I never thought of gui programs such as Thunderbird. My frustration is that I only use gpg on the command line
and am now forced to jump through hoops to make it work.

Do you know if it is possible to do high quality encryption from the command line without using gnupg?

Post by nihil39 » Thu Dec 06, 2012 10:45 am

nlsa8z6zoz7lyih3ap wrote:Do you know if it is possible to do high quality encryption from the command line without using gnupg?
app-crypt/ccrypt
Available versions: 1.9
Installed versions: 1.9(10:49:48 PM 12/05/2012)
Homepage: http://ccrypt.sourceforge.net
Description: Encryption and decryption


Try to use ccrypt, I just asked for a version bump in bugzilla.

Post by nlsa8z6zoz7lyih3ap » Thu Dec 06, 2012 6:26 pm

Thanks very much! :D
I have installed it and am using it already.

Post by nihil39 » Fri Dec 07, 2012 4:14 pm

nlsa8z6zoz7lyih3ap wrote:Thanks very much! :D
I have installed it and am using it already.
No problem! Can you please join the version bump request by asking and/or voting the bug in the following thread? https://bugs.gentoo.org/show_bug.cgi?id=446170
Version 1.10 adds new useful features. Thanks.

Post by nlsa8z6zoz7lyih3ap » Fri Dec 07, 2012 4:39 pm

Done.

PS: The only time that I submitted a version bump, I also submitted the new ebuild.
Of course it doesn't automatically go into portage, but it makes it easier for the maintainer to proceed and may well hurry things along.
Are you interested in doing this?