GNU bug report logs - #67937
30.0.50; auth-source-pass relies on epa-file being enabled

Package: emacs;

Reported by: Arsen Arsenović <arsen <at> aarsen.me>

Date: Wed, 20 Dec 2023 17:02:02 UTC

Severity: normal

Found in version 30.0.50


From: Arsen Arsenović <arsen <at> aarsen.me>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 67937 <at> debbugs.gnu.org
Subject: bug#67937: 30.0.50; auth-source-pass relies on epa-file being enabled
Date: Wed, 20 Dec 2023 20:58:08 +0100
Eli Zaretskii <eliz <at> gnu.org> writes:

>> From: Arsen Arsenović <arsen <at> aarsen.me>
>> Cc: 67937 <at> debbugs.gnu.org
>> Date: Wed, 20 Dec 2023 20:11:20 +0100
>>
>> >> - emacs -Q
>> >> - M-x epa-file-disable
>> >> - M-: (auth-source-pass-get 'secret "something")
>> >>
>> >> You will see a GPG-encrypted data string.
>> >>
>> >> epa-file-disable should not break the auth-source.
>> >
>> > Please tell more about what you mean by "break".
>>
>> What I mean by that is 'You will see a GPG-encrypted data string'.  The
>> source returns an encrypted string rather than its contents.
>
> How can it decrypt the string when you disable decryption?  What is
> the replacement of epa-file that would decrypt the data string?

Even with epa-disable, it could use epa-decrypt-region to decrypt the
password from the file.

For some context, I'll briefly summarize how password-store (pass)
works: pass stores credentials as one line representing the secret and
the rest being aux data (usually usernames and similar) in each file.
One file represents one set of credentials, encrypted via PGP (an
example filename is
~/.password-store/gentoo/gentoo.org/arsen <at> gentoo.org.gpg).

To get a given password from a given password store entry,
auth-source-pass needs to decrypt this file and get the first line of
the decrypted contents.

Currently, auth-source-pass relies on epa-file facilities to decrypt the
password entries, but those do nothing after epa-file-disable.  Instead,
it should use something like epa-decrypt-region or such (sorry, not too
familiar with EasyPG).

AIUI, epa-file-disable disables *automatic* decryption, not all forms of
decryption.

To provide some more context, I noticed auth-source-pass preventing
sending emails seemingly at random (by returning encrypted passwords
rather than the actual passwords), then noticed that it seems to start
working again following M-x epa-file-enable RET M-x
auth-source-forget-all-cached RET, and then I managed to reproduce in a
clean Emacs, then I filed this report.

I'm still unsure why epa-file gets disabled on occasion, but whether it
does or does not, auth-source-pass should either ensure it's enabled or
not rely on such a facility for reading passwords.

Thanks again, have a lovely night.
--
Arsen Arsenović

This bug report was last modified 205 days ago.
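
The approach suggested in the message above, sketched as an added example that is not part of the original report and is not the auth-source-pass code: the entry file is decrypted explicitly through EPG, so the state of epa-file does not matter, and the first line is taken as the secret. The `my/` function names and the entry name in the final comment are hypothetical; the store location defaults to the PASSWORD_STORE_DIR environment variable or ~/.password-store.

```elisp
;;; Added example: read a pass entry without relying on epa-file.
(require 'epg)
(require 'seq)
(require 'subr-x)

(defun my/pass-entry-file (entry &optional store)
  "Return the .gpg file name for ENTRY under STORE.
STORE defaults to $PASSWORD_STORE_DIR, then ~/.password-store."
  (expand-file-name
   (concat entry ".gpg")
   (or store (getenv "PASSWORD_STORE_DIR") "~/.password-store")))

(defun my/pass-decrypt-entry (entry &optional store)
  "Return the decrypted contents of ENTRY as a string.
This calls EPG directly instead of visiting the file, so it still
decrypts after `epa-file-disable' (which only removes the automatic
file-name handler)."
  (let ((file (my/pass-entry-file entry store))
        (context (epg-make-context 'OpenPGP)))
    (unless (file-readable-p file)
      (error "No readable pass entry: %s" file))
    ;; With a nil PLAIN argument, `epg-decrypt-file' returns the
    ;; plaintext as a unibyte string; decode it before use.
    (decode-coding-string (epg-decrypt-file context file nil) 'utf-8)))

(defun my/pass-parse (plaintext)
  "Split PLAINTEXT into (SECRET . AUX-LINES).
The first line is the secret; the remaining non-empty lines are the
auxiliary data (user names and similar)."
  (let ((lines (split-string plaintext "\r?\n")))
    (cons (car lines)
          (seq-remove #'string-empty-p (cdr lines)))))

(defun my/pass-get-secret (entry &optional store)
  "Return the secret (first line) of ENTRY, or signal an error.
An empty first line is treated as a failure rather than returned."
  (let ((secret (car (my/pass-parse (my/pass-decrypt-entry entry store)))))
    (when (string-empty-p secret)
      (error "Pass entry %s has an empty first line" entry))
    secret))

;; Usage, with a constructed entry name:
;; (my/pass-get-secret "example/host.invalid/user")
```

A decryption failure surfaces as an EPG error from `epg-decrypt-file` rather than as ciphertext handed back to the caller, which is the failure mode the report describes.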
