GNU bug report logs - #67012
29.1; epa-sign-file pinentry loopback mode does not work with S/MIME

Package: emacs;

Reported by: Ulrich Mueller <ulm <at> gentoo.org>

Date: Thu, 9 Nov 2023 06:58:02 UTC

Severity: normal

Merged with 59178

Found in versions 28.2, 29.1

To reply to this bug, email your comments to 67012 AT debbugs.gnu.org.


Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Thu, 09 Nov 2023 06:58:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ulrich Mueller <ulm <at> gentoo.org>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Thu, 09 Nov 2023 06:58:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ulrich Mueller <ulm <at> gentoo.org>
To: bug-gnu-emacs <at> gnu.org
Subject: 29.1; epa-sign-file pinentry loopback mode does not work with S/MIME
Date: Thu, 09 Nov 2023 07:56:47 +0100
I was originally trying to sign e-mail messages with S/MIME using
mml-secure-sign-smime followed by message-send, which fails when I
customize epg-pinentry-mode as loopback.

The problem also occurs with epa-sign-file, which is easier to reproduce
(because it doesn't need as much configuration). So I am reporting the
bug for this command.

To reproduce, emacs -Q, then execute in the *scratch* buffer:

   (write-region "hello\n" nil "hello.txt")
   (require 'epa)

   (let ((epg-pinentry-mode 'loopback)
         (epa-protocol 'CMS))
     (epa-sign-file
      "hello.txt"
      (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t)
      'normal))

This asks interactively to select a key. After doing so, it fails with
the following error (shown in an "*Error* (EPA Info)" buffer):

   Error while signing with "/usr/bin/gpgsm":

   gpgsm: ignoring gpg-agent inquiry 'PASSPHRASE'
   gpgsm: error creating signature: No passphrase given <GPG Agent>

Debugger *Backtrace* (key IDs x-ed out):

   Debugger entered--Lisp error: (epg-error "Sign failed" "")
     signal(epg-error ("Sign failed" ""))
     epa-sign-file("hello.txt" (#s(epg-key :owner-trust nil :sub-key-list (#s(epg-sub-key :validity nil :capability (encrypt sign) :secret-p nil :algorithm 1 :length 4096 :id "XXXXXXXXXXXXXXXX" :creation-time 20231107 :expiration-time 20251106 :fingerprint "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")) :user-id-list (#s(epg-user-id :validity nil :string (("CN" . "Ulrich Müller") ("OU" . "Institut fuer Kernphysik") ("O" . "Johannes Gutenberg-Universitaet Mainz") ("L" . "Mainz") ("ST" . "Rheinland-Pfalz") ("C" . "DE")) :signature-list nil) #s(epg-user-id :validity nil :string "<ulm <at> uni-mainz.de>" :signature-list nil)))) normal)
     (let ((epg-pinentry-mode 'loopback) (epa-protocol 'CMS)) (epa-sign-file "hello.txt" (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t) 'normal))
     (progn (let ((epg-pinentry-mode 'loopback) (epa-protocol 'CMS)) (epa-sign-file "hello.txt" (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t) 'normal)))
     eval((progn (let ((epg-pinentry-mode 'loopback) (epa-protocol 'CMS)) (epa-sign-file "hello.txt" (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t) 'normal))) t)
     elisp--eval-last-sexp(t)
     eval-last-sexp(t)
     eval-print-last-sexp(nil)
     funcall-interactively(eval-print-last-sexp nil)
     call-interactively(eval-print-last-sexp nil nil)
     command-execute(eval-print-last-sexp)

When I change epg-pinentry-mode to ask or epa-protocol to OpenPGP in
the let-binding, things work as expected. In other words, only the
combination of S/MIME and pinentry loopback fails.

   |          | OpenPGP | CMS   |
   |----------+---------+-------|
   | ask      | works   | works |
   | loopback | works   | fails |

I use pinentry-gnome3, in case this should matter:

   $ readlink /usr/bin/pinentry
   pinentry-gnome3


In GNU Emacs 29.1 (build 1, x86_64-pc-linux-gnu, X toolkit, cairo
 version 1.18.0) of 2023-10-24 built on localhost
Windowing system distributor 'The X.Org Foundation', version 11.0.12101009
System Description: Gentoo Linux

Configured using:
 'configure --prefix=/usr --build=x86_64-pc-linux-gnu
 --host=x86_64-pc-linux-gnu --mandir=/usr/share/man
 --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc
 --localstatedir=/var/lib --datarootdir=/usr/share
 --disable-silent-rules --docdir=/usr/share/doc/emacs-29.1-r5
 --htmldir=/usr/share/doc/emacs-29.1-r5/html --libdir=/usr/lib64
 --program-suffix=-emacs-29 --includedir=/usr/include/emacs-29
 --infodir=/usr/share/info/emacs-29 --localstatedir=/var
 --enable-locallisppath=/etc/emacs:/usr/share/emacs/site-lisp
 --without-compress-install --without-hesiod --without-pop
 --with-file-notification=inotify --with-pdumper --enable-acl
 --with-dbus --with-modules --with-gameuser=:gamestat --with-libgmp
 --with-gpm --without-native-compilation --without-json
 --without-kerberos --without-kerberos5 --with-lcms2 --with-xml2
 --without-mailutils --without-selinux --with-small-ja-dic
 --without-sqlite3 --with-gnutls --without-libsystemd --with-threads
 --without-tree-sitter --without-wide-int --with-sound=alsa --with-zlib
 --with-x --without-pgtk --without-ns --without-gconf --with-gsettings
 --without-toolkit-scroll-bars --with-xpm --with-xft --with-cairo
 --with-harfbuzz --with-libotf --with-m17n-flt --with-x-toolkit=lucid
 --with-xaw3d --with-gif --with-jpeg --with-png --with-rsvg --with-tiff
 --without-webp --with-imagemagick --with-dumping=pdumper
 'CFLAGS=-march=native -ggdb -O2 -pipe' 'LDFLAGS=-Wl,-O1
 -Wl,--as-needed''

Configured features:
ACL CAIRO DBUS FREETYPE GIF GLIB GMP GNUTLS GPM GSETTINGS HARFBUZZ
IMAGEMAGICK JPEG LCMS2 LIBOTF LIBXML2 M17N_FLT MODULES NOTIFY INOTIFY
PDUMPER PNG RSVG SECCOMP SOUND THREADS TIFF X11 XAW3D XDBE XIM XINPUT2
XPM LUCID ZLIB

Important settings:
  value of $LC_CTYPE: en_GB.UTF-8
  value of $LC_TIME: en_GB.UTF-8
  value of $LANG: POSIX
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  show-paren-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  line-number-mode: t
  indent-tabs-mode: t
  transient-mark-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug org-element org-persist org-id
org-refile avl-tree generator oc-basic ol-eww eww xdg url-queue mm-url
ol-rmail ol-mhe ol-irc ol-info ol-gnus nnselect gnus-art mm-uu mml2015
mm-view mml-smime smime gnutls dig gnus-sum shr pixel-fill kinsoku
url-file svg dom browse-url url url-proxy url-privacy url-expand
url-methods url-history url-cookie generate-lisp-file url-domsuf
url-util url-parse auth-source cl-seq eieio eieio-core cl-macs json map
url-vars gnus-group gnus-undo gnus-start gnus-dbus dbus xml gnus-cloud
nnimap nnmail mail-source utf7 nnoo parse-time gnus-spec gnus-int
gnus-range message sendmail mailcap yank-media puny rfc822 mml mml-sec
password-cache mm-decode mm-bodies mm-encode mail-parse rfc2231 rfc2047
rfc2045 ietf-drums mailabbrev gmm-utils mailheader gnus-win gnus
nnheader gnus-util mail-utils range mm-util mail-prsvr wid-edit
ol-docview doc-view filenotify jka-compr image-mode exif dired
dired-loaddefs ol-bibtex bibtex iso8601 ol-bbdb ol-w3m ol-doi
org-link-doi org ob ob-tangle ob-ref ob-lob ob-table ob-exp org-macro
org-src ob-comint org-pcomplete pcomplete comint ansi-osc ansi-color
ring org-list org-footnote org-faces org-entities noutline outline icons
ob-emacs-lisp ob-core ob-eval org-cycle org-table ol rx org-fold
org-fold-core org-keys oc org-loaddefs cal-menu calendar cal-loaddefs
org-version org-compat org-macs format-spec misearch multi-isearch
epa-file thingatpt shortdoc text-property-search cl-extra help-fns
radix-tree cl-print byte-opt gv bytecomp byte-compile debug backtrace
help-mode find-func time-date subr-x cl-loaddefs cl-lib epa derived epg
rfc6068 epg-config rmc iso-transl tooltip cconv eldoc paren electric
uniquify ediff-hook vc-hooks lisp-float-type elisp-mode mwheel
term/x-win x-win term/common-win x-dnd tool-bar dnd fontset image
regexp-opt fringe tabulated-list replace newcomment text-mode lisp-mode
prog-mode register page tab-bar menu-bar rfn-eshadow isearch easymenu
timer select scroll-bar mouse jit-lock font-lock syntax font-core
term/tty-colors frame minibuffer nadvice seq simple cl-generic
indonesian philippine cham georgian utf-8-lang misc-lang vietnamese
tibetan thai tai-viet lao korean japanese eucjp-ms cp51932 hebrew greek
romanian slovak czech european ethiopic indian cyrillic chinese
composite emoji-zwj charscript charprop case-table epa-hook
jka-cmpr-hook help abbrev obarray oclosure cl-preloaded button loaddefs
theme-loaddefs faces cus-face macroexp files window text-properties
overlay sha1 md5 base64 format env code-pages mule custom widget keymap
hashtable-print-readable backquote threads dbusbind inotify lcms2
dynamic-setting system-font-setting font-render-setting cairo x-toolkit
xinput2 x multi-tty make-network-process emacs)

Memory information:
((conses 16 251336 23421)
 (symbols 48 19880 0)
 (strings 32 72160 3511)
 (string-bytes 1 2156491)
 (vectors 16 36926)
 (vector-slots 8 414217 18678)
 (floats 8 337 164)
 (intervals 56 2847 255)
 (buffers 976 16))




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Thu, 09 Nov 2023 09:48:01 GMT) Full text and rfc822 format available.

Message #8 received at 67012 <at> debbugs.gnu.org (full text, mbox):

From: Ulrich Mueller <ulm <at> gentoo.org>
To: 67012 <at> debbugs.gnu.org
Subject: Re: 29.1; epa-sign-file pinentry loopback mode does not work with
 S/MIME
Date: Thu, 09 Nov 2023 10:46:08 +0100
Investigating a little further, I see that gpgsm is invoked like this:

   /usr/bin/gpgsm --no-tty --status-fd 1 --yes --output hello.txt.p7m --pinentry-mode loopback --sign -u XXXXXXXXXXXXXXXX -- hello.txt

I believe that the --passphrase-fd option is missing there.

Trying from the command line, the following works:

   $ /usr/bin/gpgsm --no-tty --status-fd 1 --yes --output hello.txt.p7m --pinentry-mode loopback --passphrase-fd 0 --sign -u XXXXXXXXXXXXXXXX -- hello.txt

It expects a passphrase from stdin (without a prompt), and after
entering that, signing will succeed.

Then again, when I hack function epg--start to add "--passphrase-fd" "0"
to args, the error no longer occurs, but now gpgsm hangs (waiting for
input)? Also Emacs doesn't prompt for a passphrase.

So looks like something else is still missing.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Thu, 09 Nov 2023 11:23:02 GMT) Full text and rfc822 format available.

Message #11 received at 67012 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Ulrich Mueller <ulm <at> gentoo.org>
Cc: 67012 <at> debbugs.gnu.org
Subject: Re: bug#67012: 29.1;
 epa-sign-file pinentry loopback mode does not work with S/MIME
Date: Thu, 09 Nov 2023 13:21:32 +0200
> From: Ulrich Mueller <ulm <at> gentoo.org>
> Date: Thu, 09 Nov 2023 10:46:08 +0100
> 
> Investigating a little further, I see that gpgsm is invoked like this:
> 
>    /usr/bin/gpgsm --no-tty --status-fd 1 --yes --output hello.txt.p7m --pinentry-mode loopback --sign -u XXXXXXXXXXXXXXXX -- hello.txt
> 
> I believe that the --passphrase-fd option is missing there.
> 
> Trying from the command line, the following works:
> 
>    $ /usr/bin/gpgsm --no-tty --status-fd 1 --yes --output hello.txt.p7m --pinentry-mode loopback --passphrase-fd 0 --sign -u XXXXXXXXXXXXXXXX -- hello.txt
> 
> It expects a passphrase from stdin (without a prompt), and after
> entering that, signing will succeed.
> 
> Then again, when I hack function epg--start to add "--passphrase-fd" "0"
> to args, the error no longer occurs, but now gpgsm hangs (waiting for
> input)? Also Emacs doesn't prompt for a passphrase.

Isn't this one more manifestation of the GnuPG 2.4.1?  See the entry
in etc/PROBLEMS whose heading is "Saving a file encrypted with GnuPG
via EasyPG hangs".

IOW, if you downgrade to an older version of GnuPG, do both problems
go away?

Thanks.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Thu, 09 Nov 2023 11:45:02 GMT) Full text and rfc822 format available.

Message #14 received at 67012 <at> debbugs.gnu.org (full text, mbox):

From: Ulrich Mueller <ulm <at> gentoo.org>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 67012 <at> debbugs.gnu.org
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Thu, 09 Nov 2023 12:43:16 +0100
>>>>> On Thu, 09 Nov 2023, Eli Zaretskii wrote:

> Isn't this one more manifestation of the GnuPG 2.4.1?  See the entry
> in etc/PROBLEMS whose heading is "Saving a file encrypted with GnuPG
> via EasyPG hangs".

AFAICS this is a different problem.

> IOW, if you downgrade to an older version of GnuPG, do both problems
> go away?

My original report was with gnupg-2.4.3. I've tried again after
downgrading to gnupg-2.2.41, but the behaviour is basically the same.
The only difference is an additional line in the error message:

   Error while signing with "/usr/bin/gpgsm":

   gpgsm: DBG: adding certificates at level -2
   gpgsm: ignoring gpg-agent inquiry 'PASSPHRASE'
   gpgsm: error creating signature: No passphrase given <GPG Agent>

I see no change either when I add --passphrase-fd 0 to the args in
epg--start. That is, gpgsm still hangs as reported above.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Wed, 15 Nov 2023 15:33:02 GMT) Full text and rfc822 format available.

Message #17 received at 67012 <at> debbugs.gnu.org (full text, mbox):

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 67012 <at> debbugs.gnu.org, Ulrich Mueller <ulm <at> gentoo.org>
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Wed, 15 Nov 2023 16:32:32 +0100
Michael Albinus <michael.albinus <at> gmx.de> writes:

Hi Eli,

> Btw, debbugs.gnu.org isn't reachable today. I've tried to contact Bob
> Proulx (who takes care of basic admin tasks), but no answer yet.
>
> Perhaps I need to contact FSF sysadmins.

I did. They are superfast, the server is back.

Best regards, Michael.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Wed, 15 Nov 2023 15:34:01 GMT) Full text and rfc822 format available.

Message #20 received at 67012 <at> debbugs.gnu.org (full text, mbox):

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 67012 <at> debbugs.gnu.org, Ulrich Mueller <ulm <at> gentoo.org>
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Wed, 15 Nov 2023 16:07:48 +0100
Eli Zaretskii <eliz <at> gnu.org> writes:

Hi Eli,

> Michael, could you please look into this?

I could try, but I don't know what qualifies me for this. Do you mean
somebody else?

Btw, debbugs.gnu.org isn't reachable today. I've tried to contact Bob
Proulx (who takes care of basic admin tasks), but no answer yet.

Perhaps I need to contact FSF sysadmins.

Best regards, Michael.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Wed, 15 Nov 2023 16:08:02 GMT) Full text and rfc822 format available.

Message #23 received at 67012 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Ulrich Mueller <ulm <at> gentoo.org>, Michael Albinus <michael.albinus <at> gmx.de>
Cc: 67012 <at> debbugs.gnu.org
Subject: Re: bug#67012: 29.1;
 epa-sign-file pinentry loopback mode does not work with S/MIME
Date: Wed, 15 Nov 2023 16:02:21 +0200
> From: Ulrich Mueller <ulm <at> gentoo.org>
> Date: Thu, 09 Nov 2023 07:56:47 +0100
> 
> I was originally trying to sign e-mail messages with S/MIME using
> mml-secure-sign-smime followed by message-send, which fails when I
> customize epg-pinentry-mode as loopback.
> 
> The problem also occurs with epa-sign-file, which is easier to reproduce
> (because it doesn't need as much configuration). So I am reporting the
> bug for this command.
> 
> To reproduce, emacs -Q, then execute in the *scratch* buffer:
> 
>    (write-region "hello\n" nil "hello.txt")
>    (require 'epa)
> 
>    (let ((epg-pinentry-mode 'loopback)
>          (epa-protocol 'CMS))
>      (epa-sign-file
>       "hello.txt"
>       (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t)
>       'normal))
> 
> This asks interactively to select a key. After doing so, it fails with
> the following error (shown in an "*Error* (EPA Info)" buffer):
> 
>    Error while signing with "/usr/bin/gpgsm":
> 
>    gpgsm: ignoring gpg-agent inquiry 'PASSPHRASE'
>    gpgsm: error creating signature: No passphrase given <GPG Agent>
> 
> Debugger *Backtrace* (key IDs x-ed out):
> 
>    Debugger entered--Lisp error: (epg-error "Sign failed" "")
>      signal(epg-error ("Sign failed" ""))
>      epa-sign-file("hello.txt" (#s(epg-key :owner-trust nil :sub-key-list (#s(epg-sub-key :validity nil :capability (encrypt sign) :secret-p nil :algorithm 1 :length 4096 :id "XXXXXXXXXXXXXXXX" :creation-time 20231107 :expiration-time 20251106 :fingerprint "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")) :user-id-list (#s(epg-user-id :validity nil :string (("CN" . "Ulrich Müller") ("OU" . "Institut fuer Kernphysik") ("O" . "Johannes Gutenberg-Universitaet Mainz") ("L" . "Mainz") ("ST" . "Rheinland-Pfalz") ("C" . "DE")) :signature-list nil) #s(epg-user-id :validity nil :string "<ulm <at> uni-mainz.de>" :signature-list nil)))) normal)
>      (let ((epg-pinentry-mode 'loopback) (epa-protocol 'CMS)) (epa-sign-file "hello.txt" (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t) 'normal))
>      (progn (let ((epg-pinentry-mode 'loopback) (epa-protocol 'CMS)) (epa-sign-file "hello.txt" (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t) 'normal)))
>      eval((progn (let ((epg-pinentry-mode 'loopback) (epa-protocol 'CMS)) (epa-sign-file "hello.txt" (epa-select-keys (epg-make-context epa-protocol) "Key:" nil t) 'normal))) t)
>      elisp--eval-last-sexp(t)
>      eval-last-sexp(t)
>      eval-print-last-sexp(nil)
>      funcall-interactively(eval-print-last-sexp nil)
>      call-interactively(eval-print-last-sexp nil nil)
>      command-execute(eval-print-last-sexp)
> 
> When I change epg-pinentry-mode to ask or epa-protocol to OpenPGP in
> the let-binding, things work as expected. In other words, only the
> combination of S/MIME and pinentry loopback fails.
> 
>    |          | OpenPGP | CMS   |
>    |----------+---------+-------|
>    | ask      | works   | works |
>    | loopback | works   | fails |
> 
> I use pinentry-gnome3, in case this should matter:
> 
>    $ readlink /usr/bin/pinentry
>    pinentry-gnome3

Michael, could you please look into this?




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Wed, 15 Nov 2023 16:49:01 GMT) Full text and rfc822 format available.

Message #26 received at 67012 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Michael Albinus <michael.albinus <at> gmx.de>
Cc: 67012 <at> debbugs.gnu.org, ulm <at> gentoo.org
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Wed, 15 Nov 2023 18:48:00 +0200
> From: Michael Albinus <michael.albinus <at> gmx.de>
> Cc: Ulrich Mueller <ulm <at> gentoo.org>,  67012 <at> debbugs.gnu.org
> Date: Wed, 15 Nov 2023 16:07:48 +0100
> 
> Eli Zaretskii <eliz <at> gnu.org> writes:
> 
> Hi Eli,
> 
> > Michael, could you please look into this?
> 
> I could try, but I don't know what qualifies me for this. Do you mean
> somebody else?

Sorry, I thought you knew more than I do about GnuPG and epg.

> Btw, debbugs.gnu.org isn't reachable today. I've tried to contact Bob
> Proulx (who takes care of basic admin tasks), but no answer yet.
> 
> Perhaps I need to contact FSF sysadmins.

Yes, it was down, but seems to be back up now.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Wed, 15 Nov 2023 17:14:02 GMT) Full text and rfc822 format available.

Message #29 received at 67012 <at> debbugs.gnu.org (full text, mbox):

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 67012 <at> debbugs.gnu.org, ulm <at> gentoo.org
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Wed, 15 Nov 2023 18:13:16 +0100
Eli Zaretskii <eliz <at> gnu.org> writes:

Hi Eli,

>> > Michael, could you please look into this?
>>
>> I could try, but I don't know what qualifies me for this. Do you mean
>> somebody else?
>
> Sorry, I thought you knew more than I do about GnuPG and epg.

Not really. I can try to debug, but don't expect too much. Terra
incognita.

And tomorrow I'm almost OOO. My daughter will hijack my office.

Best regards, Michael.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Thu, 16 Nov 2023 09:56:02 GMT) Full text and rfc822 format available.

Message #32 received at 67012 <at> debbugs.gnu.org (full text, mbox):

From: Ulrich Mueller <ulm <at> gentoo.org>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 67012 <at> debbugs.gnu.org, Michael Albinus <michael.albinus <at> gmx.de>
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Thu, 16 Nov 2023 10:54:37 +0100
When executing gpg2 from the command line, but with the same arguments
that are passed from Emacs, I see the following output:

   $ /usr/bin/gpg2 --no-tty --status-fd 1 --yes --enable-progress-filter --command-fd 0 --output hello.txt.gpg --pinentry-mode loopback --sign -u XXXXXXXXXXXXXXXX -- hello.txt 2>/dev/null
   [GNUPG:] KEYEXPIRED 1546257620
   [GNUPG:] KEYEXPIRED 1533081541
   [GNUPG:] KEY_CONSIDERED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
   [GNUPG:] PROGRESS hello.txt ? 0 6 B
   [GNUPG:] BEGIN_SIGNING H8
   [GNUPG:] PROGRESS hello.txt ? 6 6 B
   [GNUPG:] USERID_HINT XXXXXXXXXXXXXXXX Ulrich Müller <ulm <at> gentoo.org>
   [GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX 1 0
   [GNUPG:] INQUIRE_MAXLEN 100
   [GNUPG:] GET_HIDDEN passphrase.enter
   ****  <-- passphrase input
   [GNUPG:] GOT_IT
   [GNUPG:] SIG_CREATED S 1 8 00 1700077951 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

IIUC, function epg--process-filter looks for status output from GnuPG
and calls the matching epg--status-* functions. The passphrase is read
in epg--status-GET_HIDDEN.


For gpgsm (same arguments as passed from Emacs, plus --passphrase-fd 0)
output is this:

   $ /usr/bin/gpgsm --no-tty --status-fd 1 --yes --output hello.txt.p7m --pinentry-mode loopback --passphrase-fd 0 --sign -u XXXXXXXXXXXXXXXX -- hello.txt 2>/dev/null
   ****  <-- passphrase input
   [GNUPG:] PROGRESS starting_agent ? 0 0
   [GNUPG:] SIG_CREATED S 1 8 00 20231115T195756 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Note that gpgsm is way less chatty than gpg2. Especially, the passphrase
is expected before the first status message appears, and function
epg--status-GET_HIDDEN is never called. So this would have to be handled
in a different way.
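The following is an added example, not code from epg.el or from any message in this report. It is a small Python model of the dispatch pattern described above: every "[GNUPG:] KEYWORD args" line read from --status-fd is routed to a status_KEYWORD handler, and the passphrase is written to the command fd only from the GET_HIDDEN handler. It replays the two transcripts captured in this message (with the typed "****" line removed, since that is driver input rather than GnuPG output; the passphrase value, the handler names and the summary fields are assumptions made here). The gpg2 run dispatches GET_HIDDEN and sends the passphrase; the gpgsm run never produces such a prompt, so a driver that only writes the passphrase in answer to one would sit waiting, which matches the hang described in message #8. The example also normalises the two SIG_CREATED timestamp formats visible in the transcripts (epoch seconds from gpg2, ISO 8601 UTC from gpgsm).

```python
"""Model of an EasyPG-style --status-fd driver (added example, not epg.el).

Replays the two transcripts from the message above through a dispatcher
that, like epg--process-filter, routes each "[GNUPG:] KEYWORD args" line
to a status_KEYWORD handler and writes the passphrase only from the
GET_HIDDEN handler.  Passphrase value and handler names are assumptions.
"""
import re
from datetime import datetime, timezone

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Constructed replay input: the transcripts from the message above with the
# manually typed "****" line removed (it is driver input, not GnuPG output).
GPG2_STATUS = """\
[GNUPG:] KEYEXPIRED 1546257620
[GNUPG:] KEYEXPIRED 1533081541
[GNUPG:] KEY_CONSIDERED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
[GNUPG:] PROGRESS hello.txt ? 0 6 B
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PROGRESS hello.txt ? 6 6 B
[GNUPG:] USERID_HINT XXXXXXXXXXXXXXXX Ulrich Müller <ulm <at> gentoo.org>
[GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX 1 0
[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] SIG_CREATED S 1 8 00 1700077951 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"""

GPGSM_STATUS = """\
[GNUPG:] PROGRESS starting_agent ? 0 0
[GNUPG:] SIG_CREATED S 1 8 00 20231115T195756 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"""


def parse_sig_created(args):
    """Split SIG_CREATED into its fields and normalise the timestamp.

    gpg2 prints seconds since the epoch, gpgsm prints ISO 8601 in UTC
    (yyyymmddThhmmss); both end up as an int epoch value."""
    sig_type, pk_algo, hash_algo, sig_class, ts, fpr = args.split()[:6]
    if "T" in ts:
        when = datetime.strptime(ts, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
        epoch = int(when.timestamp())
    else:
        epoch = int(ts)
    return {"type": sig_type, "pk_algo": int(pk_algo), "hash_algo": int(hash_algo),
            "class": sig_class, "timestamp": epoch, "fingerprint": fpr}


class StatusDriver:
    """Dispatches status lines the way epg--process-filter does (modelled)."""

    def __init__(self, passphrase):
        self._passphrase = passphrase
        self.command_fd = []   # what the driver would write to --command-fd
        self.keywords = []     # status keywords seen, in order
        self.signature = None

    def feed(self, output):
        for line in output.splitlines():
            m = STATUS_RE.match(line)
            if m is None:
                continue           # non-status output is ignored
            keyword, args = m.group(1), m.group(2) or ""
            self.keywords.append(keyword)
            handler = getattr(self, "status_" + keyword, None)
            if handler is not None:
                handler(args)      # keywords without a handler are skipped
        return self

    # The only place the passphrase is ever written: in answer to a prompt.
    def status_GET_HIDDEN(self, args):
        if args == "passphrase.enter":
            self.command_fd.append(self._passphrase)

    def status_SIG_CREATED(self, args):
        self.signature = parse_sig_created(args)


def drive(output, passphrase="correct horse battery staple"):
    """Run one transcript through the driver and summarise what happened."""
    d = StatusDriver(passphrase).feed(output)
    return {"prompted": "GET_HIDDEN" in d.keywords,
            "passphrase_sent": bool(d.command_fd),
            "signature": d.signature}


if __name__ == "__main__":
    for name, out in (("gpg2", GPG2_STATUS), ("gpgsm", GPGSM_STATUS)):
        r = drive(out)
        print(f"{name}: prompted={r['prompted']} "
              f"passphrase_sent={r['passphrase_sent']} "
              f"signed_at={r['signature']['timestamp']}")
```

Running it prints prompted=True and passphrase_sent=True for the gpg2 transcript and False/False for the gpgsm one, even though gpgsm did end with SIG_CREATED: that signature only exists because the passphrase had been typed on stdin by hand before any status line appeared, which is exactly the step a prompt-driven driver has no hook for.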




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Fri, 17 Nov 2023 11:41:01 GMT) Full text and rfc822 format available.

Message #35 received at 67012 <at> debbugs.gnu.org (full text, mbox):

From: Ulrich Mueller <ulm <at> gentoo.org>
To: 67012 <at> debbugs.gnu.org
Cc: Eli Zaretskii <eliz <at> gnu.org>, Michael Albinus <michael.albinus <at> gmx.de>
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Fri, 17 Nov 2023 12:40:05 +0100
Until there's a proper fix (not anytime soon, I suppose?), could we
please disable pinentry loopback with gpgsm? See patch below.

That way, the user could still set epg-pinentry-mode to loopback for use
with gpg2, and with gpgsm it would fall back to passphrase input through
the pinentry program (i.e. in the GUI). This seems to be better than
erroring out.

(In fact, I use gpgsm with pinentry.el from Emacs 25.3 as a workaround.
Unfortunately, that package has been removed as a fix for bug #27445.)


From b1cbdfc8f4890c6cb31cc8d59b347aedfb2f7f5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <ulm <at> gentoo.org>
Date: Fri, 17 Nov 2023 12:16:54 +0100
Subject: [PATCH] Don't enable pinentry loopback mode for gpgsm

* lisp/epg.el (epg--start): Passphrase entry through the
minibuffer is currently not supported with gpgsm, therefore don't
pass "--pinentry-mode loopback" as an argument when the protocol
is CMS.  (Bug#67012)
---
 lisp/epg.el | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lisp/epg.el b/lisp/epg.el
index aae9b9444b4..b994c1b9ca2 100644
--- a/lisp/epg.el
+++ b/lisp/epg.el
@@ -595,7 +595,12 @@ epg--start
 		       (if (epg-context-textmode context) '("--textmode"))
 		       (if (epg-context-output-file context)
 			   (list "--output" (epg-context-output-file context)))
-		       (if (epg-context-pinentry-mode context)
+		       (if (and (epg-context-pinentry-mode context)
+				(not
+				 ;; loopback doesn't work with gpgsm
+				 (and (eq (epg-context-protocol context) 'CMS)
+				      (eq (epg-context-pinentry-mode context)
+					  'loopback))))
 			   (list "--pinentry-mode"
 				 (symbol-name (epg-context-pinentry-mode
 					       context))))
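Review bot: the new (and (eq (epg-context-protocol context) 'CMS) (eq (epg-context-pinentry-mode context) 'loopback)) test makes the fallback silent: a user who customized epg-pinentry-mode to loopback gets the agent's external pinentry for every CMS operation with nothing in the log and nothing in the epg-pinentry-mode docstring to say why. Consider emitting a one-time (message ...) when the option is dropped, or at least documenting the CMS exception in the docstring of epg-pinentry-mode; the commit message records it only against epg--start. Style: the ";; loopback doesn't work with gpgsm" comment sits between not and its argument, which reads oddly; hoisting the test into a small predicate such as (epg--loopback-unsupported-p context) would keep the argument list flat and give the comment a natural home.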
-- 
2.42.1





Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Sun, 19 Nov 2023 05:45:02 GMT) Full text and rfc822 format available.

Message #38 received at 67012 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Ulrich Mueller <ulm <at> gentoo.org>
Cc: 67012 <at> debbugs.gnu.org, michael.albinus <at> gmx.de
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Sun, 19 Nov 2023 07:43:59 +0200
> From: Ulrich Mueller <ulm <at> gentoo.org>
> Cc: Eli Zaretskii <eliz <at> gnu.org>,  Michael Albinus <michael.albinus <at> gmx.de>
> Date: Fri, 17 Nov 2023 12:40:05 +0100
> 
> Until there's a proper fix (not anytime soon, I suppose?), could we
> please disable pinentry loopback with gpgsm? See patch below.
> 
> That way, the user could still set epg-pinentry-mode to loopback for use
> with gpg2, and with gpgsm it would fall back to passphrase input through
> the pinentry program (i.e. in the GUI). This seems to be better than
> erroring out.
> 
> (In fact, I use gpgsm with pinentry.el from Emacs 25.3 as a workaround.
> Unfortunately, that package has been removed as a fix for bug #27445.)

I have difficulty making a decision about this, as I don't feel I
understand the situation well enough.  Can you please help me by
answering the following questions:

  . are we talking about a single problem or about several ones? the
    original report was about invoking gpgsm, but then you started
    talking about gpg2 as well?
  . is this a recent regression in Emacs, or did this problem exist in
    older versions of Emacs as well? or is this due to some recent
    change in GnuPG?

Thanks.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Sun, 19 Nov 2023 11:14:01 GMT) Full text and rfc822 format available.

Message #41 received at 67012 <at> debbugs.gnu.org (full text, mbox):

From: Ulrich Mueller <ulm <at> gentoo.org>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 67012 <at> debbugs.gnu.org, michael.albinus <at> gmx.de
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Sun, 19 Nov 2023 12:13:08 +0100
>>>>> On Sun, 19 Nov 2023, Eli Zaretskii wrote:

>> From: Ulrich Mueller <ulm <at> gentoo.org>
>> Cc: Eli Zaretskii <eliz <at> gnu.org>,  Michael Albinus <michael.albinus <at> gmx.de>
>> Date: Fri, 17 Nov 2023 12:40:05 +0100
>> 
>> Until there's a proper fix (not anytime soon, I suppose?), could we
>> please disable pinentry loopback with gpgsm? See patch below.
>> 
>> That way, the user could still set epg-pinentry-mode to loopback for use
>> with gpg2, and with gpgsm it would fall back to passphrase input through
>> the pinentry program (i.e. in the GUI). This seems to be better than
>> erroring out.
>> 
>> (In fact, I use gpgsm with pinentry.el from Emacs 25.3 as a workaround.
>> Unfortunately, that package has been removed as a fix for bug #27445.)

> I have difficulty making a decision about this, as I don't feel I
> understand the situation well enough.  Can you please help me by
> answering the following questions:

>   . are we talking about a single problem or about several ones? the
>     original report was about invoking gpgsm, but then you started
>     talking about gpg2 as well?

Single problem, and it affects only gpgsm. I've mentioned gpg2 only
for the reason that any fix or workaround shouldn't change existing
behaviour with gpg2. (So, for example, omitting "--pinentry-mode
loopback" should be conditional on the CMS protocol.)

>   . is this a recent regression in Emacs, or did this problem exist in
>     older versions of Emacs as well? or is this due to some recent
>     change in GnuPG?

AFAICS it is an old problem, not related to any recent changes in Emacs
or GnuPG. And IIUC properly fixing it would require major changes for
either EasyPG or gpgsm, because the design of EasyPG relies on the
status messages output by gpg2 with the --status-fd option. gpgsm
doesn't output most of these messages (see the examples in message #32
above).

It looks like bug #59178 is about the same issue (but that report was
somewhat sidetracked). Sorry that I hadn't noticed before filing this
report.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Sat, 25 Nov 2023 09:54:01 GMT) Full text and rfc822 format available.

Message #44 received at 67012 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Ulrich Mueller <ulm <at> gentoo.org>
Cc: 67012 <at> debbugs.gnu.org, michael.albinus <at> gmx.de
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Sat, 25 Nov 2023 11:53:24 +0200
> From: Ulrich Mueller <ulm <at> gentoo.org>
> Cc: 67012 <at> debbugs.gnu.org,  michael.albinus <at> gmx.de
> Date: Sun, 19 Nov 2023 12:13:08 +0100
> 
> >>>>> On Sun, 19 Nov 2023, Eli Zaretskii wrote:
> 
> > I have difficulty making a decision about this, as I don't feel I
> > understand the situation well enough.  Can you please help me by
> > answering the following questions:
> 
> >   . are we talking about a single problem or about several ones? the
> >     original report was about invoking gpgsm, but then you started
> >     talking about gpg2 as well?
> 
> Single problem, and it affects only gpgsm. I've mentioned gpg2 only
> for the reason that any fix or workaround shouldn't change existing
> behaviour with gpg2. (So, for example, omitting "--pinentry-mode
> loopback" should be conditional on the CMS protocol.)
> 
> >   . is this a recent regression in Emacs, or did this problem exist in
> >     older versions of Emacs as well? or is this due to some recent
> >     change in GnuPG?
> 
> AFAICS it is an old problem, not related to any recent changes in Emacs
> or GnuPG. And IIUC properly fixing it would require major changes for
> either EasyPG or gpgsm, because the design of EasyPG relies on the
> status messages output by gpg2 with the --status-fd option. gpgsm
> doesn't output most of these messages (see the examples in message #32
> above).

OK, thanks.  So please install this on the master branch.

Should we perhaps have something about this in etc/PROBLEMS?  That is,
after you install your changes?  If so, feel free to add there
whatever you think is appropriate.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Sat, 25 Nov 2023 11:18:02 GMT)

Message #47 received at 67012 <at> debbugs.gnu.org:

From: Ulrich Mueller <ulm <at> gentoo.org>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 67012 <at> debbugs.gnu.org, michael.albinus <at> gmx.de
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Sat, 25 Nov 2023 12:16:50 +0100
>>>>> On Sat, 25 Nov 2023, Eli Zaretskii wrote:

> OK, thanks.  So please install this on the master branch.

Done. I've also added a short note in doc/misc/epa.texi.

> Should we perhaps have something about this in etc/PROBLEMS?  That is,
> after you install your changes?  If so, feel free to add there
> whatever you think is appropriate.

This ok?

   *** EasyPG loopback pinentry does not work with gpgsm.

   This happens with the 'gpgsm' command from all versions of GnuPG.
   EasyPG relies on the machine-parseable interface that is provided by
   'gpg2' with option '--status-fd', but gpgsm does not support this.

   As a workaround, input the passphrase with a GUI-capable pinentry
   program like 'pinentry-gnome' or 'pinentry-qt5'.  Alternatively, you
   can use the 'pinentry' package from Emacs 25.

Add to etc/PROBLEMS in master or emacs-29 branch?
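Messages #44 and #47 above describe the mechanism only in words: EasyPG drives the backend through the machine-parseable '[GNUPG:] ' status lines, and in loopback mode the passphrase can only be written to the process when it asks for it; gpgsm never issues that request and merely complains on stderr. The following Python model is an added illustration of that handshake and of the protocol-conditional option handling proposed in message #44; it is not code from Emacs, EasyPG or GnuPG. The status transcripts are constructed in the documented '[GNUPG:] KEYWORD args' shape and are not captured output (the SIG_CREATED arguments and fingerprint are placeholders), the gpgsm transcript asserts only what the thread reports (no passphrase inquiry, a warning on stderr), and the function names, the `LoopbackRun` record and the passphrase value are invented for the example.

```python
"""Model of the --status-fd / --command-fd handshake an EasyPG-style
driver relies on in loopback pinentry mode, and of why it cannot work
with gpgsm.  Added example: not code from Emacs, EasyPG or GnuPG.
Status lines are constructed in the documented '[GNUPG:] KEYWORD args'
shape (GnuPG doc/DETAILS); they are not captured output."""

from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class LoopbackRun:
    """What the driver observed while walking one status stream."""
    keywords: list = field(default_factory=list)    # status keywords seen
    command_fd: list = field(default_factory=list)  # lines written back
    passphrase_sent: bool = False
    signature_created: bool = False
    inquiry_ignored: bool = False                   # gpgsm's stderr complaint


def drive_loopback(status_lines, stderr_lines, passphrase):
    """Consume the status fd the way a loopback caller must: the secret
    may only be written when the process asks for it with
    'GET_HIDDEN passphrase.enter'.  Without that line nothing is sent."""
    run = LoopbackRun()
    for raw in status_lines:
        if not raw.startswith(STATUS_PREFIX):
            continue                        # not a status line; ignore it
        keyword, _, args = raw[len(STATUS_PREFIX):].rstrip("\n").partition(" ")
        run.keywords.append(keyword)
        if keyword == "GET_HIDDEN" and args == "passphrase.enter":
            run.command_fd.append(passphrase + "\n")
            run.passphrase_sent = True
        elif keyword == "SIG_CREATED":
            run.signature_created = True
    run.inquiry_ignored = any("ignoring gpg-agent inquiry" in line
                              for line in stderr_lines)
    return run


def diagnose(run):
    """One-line explanation of a run, suitable for an error buffer."""
    if run.signature_created:
        return "signed"
    if not run.passphrase_sent and run.inquiry_ignored:
        return ("no GET_HIDDEN inquiry on the status fd; the backend dropped "
                "the agent's PASSPHRASE inquiry, so loopback pinentry cannot "
                "deliver the passphrase")
    if not run.passphrase_sent:
        return "no passphrase inquiry seen"
    return "passphrase sent but no signature was created"


def pinentry_args(protocol, pinentry_mode):
    """Command-line fragment for the pinentry setting.  Models the approach
    from message #44: the loopback option is passed to gpg (OpenPGP) as
    before and omitted for the CMS protocol, where gpgsm cannot honour it."""
    if pinentry_mode == "loopback" and protocol != "CMS":
        return ["--pinentry-mode", "loopback"]
    return []


# Constructed transcript for gpg2 in loopback mode: the inquiry arrives on
# the status fd and the signature follows once the secret has been answered.
GPG_STATUS = [
    "[GNUPG:] BEGIN_SIGNING H10",
    "[GNUPG:] INQUIRE_MAXLEN 100",
    "[GNUPG:] GET_HIDDEN passphrase.enter",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] SIG_CREATED D 1 10 00 1699513007 "
    "0123456789ABCDEF0123456789ABCDEF01234567",   # placeholder fingerprint
]
GPG_STDERR = []

# Constructed transcript for gpgsm: no passphrase inquiry ever appears on
# the status fd; the only evidence is the stderr line quoted in the report.
GPGSM_STATUS = []
GPGSM_STDERR = ["gpgsm: ignoring gpg-agent inquiry 'PASSPHRASE'"]

if __name__ == "__main__":
    for name, status, err in (("gpg", GPG_STATUS, GPG_STDERR),
                              ("gpgsm", GPGSM_STATUS, GPGSM_STDERR)):
        print(name, "->", diagnose(drive_loopback(status, err, "hunter2")))
```

Running the file prints "signed" for the gpg transcript and the GET_HIDDEN diagnosis for the gpgsm one. The point of the model is the control flow, not the exact keyword list: a loopback caller has no place to inject the secret unless the backend emits the inquiry on the status fd, which is why no change to EasyPG alone can make the mode work with gpgsm and why the installed fix simply stops passing the option for CMS.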




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Sat, 25 Nov 2023 11:41:01 GMT)

Message #50 received at 67012 <at> debbugs.gnu.org:

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Ulrich Mueller <ulm <at> gentoo.org>
Cc: 67012 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Sat, 25 Nov 2023 12:40:02 +0100
Ulrich Mueller <ulm <at> gentoo.org> writes:

Hi Ulrich,

>    As a workaround, input the passphrase with a GUI-capable pinentry
>    program like 'pinentry-gnome' or 'pinentry-qt5'.  Alternatively, you
>    can use the 'pinentry' package from Emacs 25.

I have no idea what I'm speaking about. However, on GNU ELPA there is
the package pinentry 0.1 from Daiki Ueno <ueno <at> gnu.org>. Same is for
Emacs 25. Shouldn't we advertise the GNU ELPA package?

However, there are differences. On GNU ELPA, there is

--8<---------------cut here---------------start------------->8---
;; Copyright (C) 2015 Free Software Foundation, Inc.
--8<---------------cut here---------------end--------------->8---

In Emacs 25, there is

--8<---------------cut here---------------start------------->8---
;; Copyright (C) 2015-2017 Free Software Foundation, Inc.
--8<---------------cut here---------------end--------------->8---

Looks like the version in Emacs 25 is more up-to-date, although both say

--8<---------------cut here---------------start------------->8---
;; Version: 0.1
--8<---------------cut here---------------end--------------->8---

Shouldn't we upgrade the GNU ELPA version?

Best regards, Michael.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Sat, 25 Nov 2023 12:18:02 GMT)

Message #53 received at 67012 <at> debbugs.gnu.org:

From: Ulrich Mueller <ulm <at> gentoo.org>
To: Michael Albinus <michael.albinus <at> gmx.de>
Cc: 67012 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Sat, 25 Nov 2023 13:17:36 +0100
>>>>> On Sat, 25 Nov 2023, Michael Albinus wrote:

> I have no idea what I'm speaking about. However, on GNU ELPA there is
> the package pinentry 0.1 from Daiki Ueno <ueno <at> gnu.org>. Same is for
> Emacs 25. Shouldn't we advertise the GNU ELPA package?

I am aware that there's a package on ELPA, but looks like it's very
outdated.

> However, there are differences. [...]

There are quite a few differences, see full diff attached.

> Shouldn't we upgrade the GNU ELPA version?

Probably. Gentoo also has a (rather trivial) patch that fixes some
warnings with newer Emacs versions:
https://gitweb.gentoo.org/repo/gentoo.git/tree/app-emacs/pinentry/files/pinentry-emacs-29.patch

(I still don't entirely understand why pinentry.el was dropped from
Emacs proper, but I won't challenge the decision made in bug #27445.)

[pinentry.el.diff (text/plain, attachment)]

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Sat, 25 Nov 2023 12:29:02 GMT)

Message #56 received at 67012 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Ulrich Mueller <ulm <at> gentoo.org>
Cc: 67012 <at> debbugs.gnu.org, michael.albinus <at> gmx.de
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Sat, 25 Nov 2023 14:27:45 +0200
> From: Ulrich Mueller <ulm <at> gentoo.org>
> Cc: 67012 <at> debbugs.gnu.org,  michael.albinus <at> gmx.de
> Date: Sat, 25 Nov 2023 12:16:50 +0100
> 
> >>>>> On Sat, 25 Nov 2023, Eli Zaretskii wrote:
> 
> > OK, thanks.  So please install this on the master branch.
> 
> Done. I've also added a short note in doc/misc/epa.texi.
> 
> > Should we perhaps have something about this in etc/PROBLEMS?  That is,
> > after you install your changes?  If so, feel free to add there
> > whatever you think is appropriate.
> 
> This ok?

Yes.

>    *** EasyPG loopback pinentry does not work with gpgsm.
> 
>    This happens with the 'gpgsm' command from all versions of GnuPG.
>    EasyPG relies on the machine-parseable interface that is provided by
>    'gpg2' with option '--status-fd', but gpgsm does not support this.
> 
>    As a workaround, input the passphrase with a GUI-capable pinentry
>    program like 'pinentry-gnome' or 'pinentry-qt5'.  Alternatively, you
>    can use the 'pinentry' package from Emacs 25.
> 
> Add to etc/PROBLEMS in master or emacs-29 branch?

On emacs-29, I think.

Thanks.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Sat, 25 Nov 2023 15:00:02 GMT)

Message #59 received at 67012 <at> debbugs.gnu.org:

From: Ulrich Mueller <ulm <at> gentoo.org>
To: Michael Albinus <michael.albinus <at> gmx.de>
Cc: 67012 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Sat, 25 Nov 2023 15:59:35 +0100
>>>>> On Sat, 25 Nov 2023, Ulrich Mueller wrote:

>>>>> On Sat, 25 Nov 2023, Michael Albinus wrote:
>> Shouldn't we upgrade the GNU ELPA version?

> Probably.

So who can make a new release of the GNU ELPA package? Except for the
mentioned comment change in the copyright and license notices, the tip
of https://github.com/ueno/pinentry-el is identical to the last version
in the Emacs master branch, before the file was removed in
commit b407c521f24b.

> Gentoo also has a (rather trivial) patch that fixes some warnings with
> newer Emacs versions:
> https://gitweb.gentoo.org/repo/gentoo.git/tree/app-emacs/pinentry/files/pinentry-emacs-29.patch




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Sat, 25 Nov 2023 15:46:01 GMT)

Message #62 received at 67012 <at> debbugs.gnu.org:

From: Michael Albinus <michael.albinus <at> gmx.de>
To: Ulrich Mueller <ulm <at> gentoo.org>
Cc: 67012 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Sat, 25 Nov 2023 16:44:38 +0100
Ulrich Mueller <ulm <at> gentoo.org> writes:

Hi Ulrich,

>>>>>> On Sat, 25 Nov 2023, Michael Albinus wrote:
>>> Shouldn't we upgrade the GNU ELPA version?
>
>> Probably.
>
> So who can make a new release of the GNU ELPA package? Except for the
> mentioned comment change in the copyright and license notices, the tip
> of https://github.com/ueno/pinentry-el is identical to the last version
> in the Emacs master branch, before the file was removed in
> commit b407c521f24b.

pinentry.el is synced from <https://github.com/ueno/pinentry-el>. Perhaps
we shall ask Daiki Ueno <ueno <at> gnu.org> to merge the patches, and
increase the version to 0.2.

Would you like to contact him? I have no idea about this package, so I
cannot discuss seriously with him.

Best regards, Michael.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#67012; Package emacs. (Sat, 25 Nov 2023 16:34:02 GMT)

Message #65 received at 67012 <at> debbugs.gnu.org:

From: Ulrich Mueller <ulm <at> gentoo.org>
To: Michael Albinus <michael.albinus <at> gmx.de>
Cc: 67012 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>
Subject: Re: bug#67012: 29.1; epa-sign-file pinentry loopback mode does not
 work with S/MIME
Date: Sat, 25 Nov 2023 17:32:50 +0100
>>>>> On Sat, 25 Nov 2023, Michael Albinus wrote:

> pinentry.el is synced from <https://github.com/ueno/pinentry-el>.
> Perhaps we shall ask Daiki Ueno <ueno <at> gnu.org> to merge the patches,
> and increase the version to 0.2.

> Would you like to contact him? I have no idea about this package, so I
> cannot discuss seriously with him.

I have filed a pull request:
https://github.com/ueno/pinentry-el/pull/6

For now, the etc/PROBLEMS entry mentions Emacs 25. It can be updated to
say GNU ELPA when a new version appears there.




Merged 59178 67012. Request was from Ulrich Mueller <ulm <at> gentoo.org> to control <at> debbugs.gnu.org. (Sat, 25 Nov 2023 16:36:02 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.