Gnus development mailing list
* epg + pinentry + gnus
@ 2014-09-18  4:11 Sergio Durigan Junior
  2014-09-18 18:44 ` Peter Münster
  2014-09-24 15:09 ` Ted Zlatanov
  0 siblings, 2 replies; 6+ messages in thread
From: Sergio Durigan Junior @ 2014-09-18  4:11 UTC (permalink / raw)
  To: ding

Hi there,

I know this is not specific to Gnus, but I figured I'd try sending this
question here and see how it goes.

I use EasyPG (with gpg-agent) + Gnus, like many others, I believe.
However, there's one thing that I can't do: make Gnus (or epg, for that
matter) prompt me only once for the passphrase and then make gpg-agent
cache it.  What happens instead is that whenever I open an encrypted
message, I see the passphrase prompt in the minibuffer.

Well, TBH I actually *managed* to solve this problem, by telling
gpg-agent to use pinentry-gtk instead, which opens this fancy window
with the same passphrase prompt in it.  However, this obviously doesn't
work (out of the box) when I'm using Emacs over SSH (which is *a lot*
for me).

I managed to find a few workarounds, like

  <http://www.enigmacurry.com/2009/01/14/extending-emacs-with-advice/>

And also a few threads discussing a very similar problem:

  <https://lists.gnu.org/archive/html/emacs-devel/2013-09/msg00590.html>

But before I decide to go with the (defadvice) thing, I decided to ask
here: do you guys have this same problem, and if so, how do you
work around it?

Thanks,

-- 
Sergio
GPG key ID: 0x65FC5E36
Please send encrypted e-mail if possible
http://sergiodj.net/





* Re: epg + pinentry + gnus
  2014-09-18  4:11 epg + pinentry + gnus Sergio Durigan Junior
@ 2014-09-18 18:44 ` Peter Münster
  2014-09-25  2:50   ` Sergio Durigan Junior
  2014-09-24 15:09 ` Ted Zlatanov
  1 sibling, 1 reply; 6+ messages in thread
From: Peter Münster @ 2014-09-18 18:44 UTC (permalink / raw)
  To: ding

[-- Attachment #1: Type: text/plain, Size: 852 bytes --]

On Thu, Sep 18 2014, Sergio Durigan Junior wrote:

> I use EasyPG (with gpg-agent) + Gnus, like many others, I believe.
> However, there's one thing that I can't do: make Gnus (or epg, for that
> matter) prompt me only once for the passphrase and then make gpg-agent
> cache it.  What happens instead is that whenever I open an encrypted
> message, I see the passphrase prompt in the minibuffer.

Just some ideas:
- Keep passphrase in ram forever, put these lines in
  ~/.gnupg/gpg-agent.conf:
    default-cache-ttl 99999999
    max-cache-ttl 99999999
- Allow preset passphrase for secret keys, put this in
  ~/.gnupg/gpg-agent.conf:
    allow-preset-passphrase
- Apply passphrase to all secret keys at start of session, put this in
  ~/.xinitrc:
    SSH_ASKPASS=~/bin/askpass.lisp ssh-add
  (file ~/bin/askpass.lisp is attached)

-- 
           Peter

[-- Attachment #2: askpass.lisp --]
[-- Type: application/octet-stream, Size: 631 bytes --]

#!/usr/bin/sbcl --script

;; maybe like this:
;; gpg --list-secret-keys --with-fingerprint --with-fingerprint --with-colon
;; --list-options no-show-unusable-uids,no-show-unusable-subkeys | sed -rn 's/^fpr:::::::::(.*):/\1/p'

;; Fingerprints of the secret keys to preset (placeholders).
(defvar *fingerprints*
  (list "xxx"
        "yyy"
        "zzz"))

;; Ask for the passphrase once via ssh-askpass, preset it in gpg-agent
;; for every listed key, then print it on stdout for ssh-add.
(with-output-to-string (out)
  (run-program "/usr/lib/ssh/ssh-askpass" nil :output out)
  (let ((s (get-output-stream-string out)))
    (dolist (fp *fingerprints*)
      (with-input-from-string (in s)
        (run-program "/usr/lib64/gpg-preset-passphrase" (list "--preset" fp)
                     :input in :output nil)))
    (princ s)))
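
A check for the gpg-agent.conf settings discussed in the message above, as an added example that is not part of the original post: a POSIX shell function that reports cache lifetimes above a ceiling and the allow-preset-passphrase switch. The function name audit_agent_conf, the 7200-second default ceiling (GnuPG's default for max-cache-ttl) and the sample file are assumptions of this example.

```shell
#!/bin/sh
# audit_agent_conf FILE [CEILING_SECONDS]
# Prints one finding per line and returns 1 if anything was reported.
# Added example; the name and the default ceiling are assumptions.
audit_agent_conf() {
    conf=$1
    limit=${2:-7200}
    awk -v limit="$limit" '
        /^[ \t]*#/ || NF == 0 { next }           # skip comments and blanks
        $1 ~ /^(default|max)-cache-ttl(-ssh)?$/ {
            if ($2 !~ /^[0-9]+$/) {
                printf "%s has a missing or non-numeric value\n", $1
                bad = 1
            } else if ($2 + 0 > limit) {
                printf "%s %s exceeds %ds (about %d days in agent memory)\n",
                       $1, $2, limit, int($2 / 86400)
                bad = 1
            }
            next
        }
        $1 == "allow-preset-passphrase" {
            print "allow-preset-passphrase lets local programs seed the cache"
            bad = 1
        }
        END { exit bad + 0 }
    ' "$conf"
}

# Constructed sample: the three settings suggested in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample gpg-agent.conf
default-cache-ttl 99999999
max-cache-ttl 99999999
allow-preset-passphrase
EOF
audit_agent_conf "$sample" || echo "review the findings above"
rm -f "$sample"
```

Pass a second argument to use a different ceiling, for example `audit_agent_conf ~/.gnupg/gpg-agent.conf 28800` for an eight-hour working day.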


* Re: epg + pinentry + gnus
  2014-09-18  4:11 epg + pinentry + gnus Sergio Durigan Junior
  2014-09-18 18:44 ` Peter Münster
@ 2014-09-24 15:09 ` Ted Zlatanov
  2014-09-25  2:51   ` Sergio Durigan Junior
  1 sibling, 1 reply; 6+ messages in thread
From: Ted Zlatanov @ 2014-09-24 15:09 UTC (permalink / raw)
  To: ding

On Thu, 18 Sep 2014 00:11:17 -0400 Sergio Durigan Junior <sergiodj@sergiodj.net> wrote: 

SDJ> But before I decide to go with the (defadvice) thing, I decided to ask
SDJ> here: do you guys have this same problem, and if so, how do you
SDJ> work around it?

You can try dropping to GnuPG 1.x and caching a symmetric encryption
key. See `epa-file-cache-passphrase-for-symmetric-encryption'. It's not
great but works much better over SSH to remote hosts if you accept the
risk of storing the passphrase in Emacs' memory. In my work, it's
indispensable.

Documentation:

"If non-nil, cache passphrase for symmetric encryption.

For security reasons, this option is turned off by default and
not recommended to use.  Instead, consider using gpg-agent which
does the same job in a safer way.  See Info node `(epa) Caching
Passphrases' for more information.

Note that this option has no effect if you use GnuPG 2.0."

Ted





* Re: epg + pinentry + gnus
  2014-09-18 18:44 ` Peter Münster
@ 2014-09-25  2:50   ` Sergio Durigan Junior
  2014-10-03  6:31     ` W. Greenhouse
  0 siblings, 1 reply; 6+ messages in thread
From: Sergio Durigan Junior @ 2014-09-25  2:50 UTC (permalink / raw)
  To: ding

On Thursday, September 18 2014, Peter Münster wrote:

> Just some ideas:
> - Keep passphrase in ram forever, put these lines in
>   ~/.gnupg/gpg-agent.conf:
>     default-cache-ttl 99999999
>     max-cache-ttl 99999999

Sorry for the long delay in answering.  This is the approach I decided on,
after all.  I am preparing a patch to GPG in order to deal with infinite
ttl's (this is buggy now).

Cheers,

-- 
Sergio
GPG key ID: 0x65FC5E36
Please send encrypted e-mail if possible
http://sergiodj.net/





* Re: epg + pinentry + gnus
  2014-09-24 15:09 ` Ted Zlatanov
@ 2014-09-25  2:51   ` Sergio Durigan Junior
  0 siblings, 0 replies; 6+ messages in thread
From: Sergio Durigan Junior @ 2014-09-25  2:51 UTC (permalink / raw)
  To: ding

On Wednesday, September 24 2014, Ted Zlatanov wrote:

> On Thu, 18 Sep 2014 00:11:17 -0400 Sergio Durigan Junior <sergiodj@sergiodj.net> wrote: 
>
> SDJ> But before I decide to go with the (defadvice) thing, I decided to ask
> SDJ> here: do you guys have this same problem, and if so, how do you
> SDJ> work around it?
>
> You can try dropping to GnuPG 1.x and caching a symmetric encryption
> key.

Thanks for the advice, Ted, but dropping to GPG 1.x is not something I'd
like to do.  Anyway, I chose to extend the TTL of the key, so that I
don't have to type the passphrase every now and then.

-- 
Sergio
GPG key ID: 0x65FC5E36
Please send encrypted e-mail if possible
http://sergiodj.net/





* Re: epg + pinentry + gnus
  2014-09-25  2:50   ` Sergio Durigan Junior
@ 2014-10-03  6:31     ` W. Greenhouse
  0 siblings, 0 replies; 6+ messages in thread
From: W. Greenhouse @ 2014-10-03  6:31 UTC (permalink / raw)
  To: ding

[-- Attachment #1: Type: text/plain, Size: 825 bytes --]

Hi Sergio,

Sergio Durigan Junior <sergiodj@sergiodj.net> writes:

> On Thursday, September 18 2014, Peter Münster wrote:
>
>> Just some ideas:
>> - Keep passphrase in ram forever, put these lines in
>>   ~/.gnupg/gpg-agent.conf:
>>     default-cache-ttl 99999999
>>     max-cache-ttl 99999999
>
> Sorry for the long delay in answering.  This is the approach I decided on,
> after all.  I am preparing a patch to GPG in order to deal with infinite
> ttl's (this is buggy now).

Necromancing this thread for a moment to offer my dumb kludge for the
pinentry-on-Emacs-over-SSH case:

http://www.emacswiki.org/emacs/EasyPG#toc5

The only issue I have with this is that the display is sometimes garbled
in the pinentry-curses "window" when entering the passphrase from a
terminal session.

--
Best,
WGG

[-- Attachment #2: Type: application/pgp-signature, Size: 818 bytes --]
