GNU bug report logs - #15553
24.3.50; epg.el and GnuPG 2.x cause unavoidable pinentry prompts for symmetrically encrypted files

Previous Next

Package: emacs;

Reported by: Teodor Zlatanov <tzz <at> lifelogs.com>

Date: Mon, 7 Oct 2013 18:04:02 UTC

Severity: normal

Tags: notabug

Found in version 24.3.50

Done: Daiki Ueno <ueno <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: 15553 <at> debbugs.gnu.org
Cc: ueno <at> gnu.org
Subject: bug#15553: 24.3.50; epg.el and GnuPG 2.x cause unavoidable pinentry prompts for symmetrically encrypted files
Date: Mon, 07 Oct 2013 21:01:06 -0400

On Tue, 08 Oct 2013 08:54:17 +0900 Daiki Ueno <ueno <at> gnu.org> wrote: 

DU> Teodor Zlatanov <tzz <at> lifelogs.com> writes:

>> 1. Install GnuPG 2.x, don't run gpg-agent
>> 2. Open file.gpg, X or curses pinentry dialog pops up
>> 
>> The suggested workaround is to run gpg-agent.

DU> So you can workaround, what's your problem?

See below.

>> Problems:
>> 
>> - on a headless server this can lock up Emacs

DU> Not a problem if you use the workaround.

>> - if the GPG agent is dead, locked up, or not running, there's no remedy

DU> Ditto.

Look.  gpg-agent is an external daemon.  Kill it manually or it dies
accidentally or it blocks for whatever reason.  Now the user has no
access to their secret data and Emacs could even completely lock up.

You're assuming access to a resource that you can't verify (gpg-agent).
Or rather, GnuPG is depending on it.

>> - there's no way to avoid the prompt in favor of an Emacs minibuffer query

DU> As I said a number of times, that degrades security.  If the insecurity
DU> is okay for you, what's the reason you want to use GnuPG 2.x rather than
DU> GnuPG 1.x?

I'd rather not use either but have no choice right now.  I would like to
avoid the GnuPG dependency altogether as I've explained.  Anyhow, I was
hoping that GnuPG 2.x can provide a special option (as we've discussed
that you could propose) to make this possible.  If that's not your
interest, then let's just call this one done as a "user misunderstanding
of basic security" or whatever you like.

Thanks for your time
Ted
This bug report was last modified 11 years and 229 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.