Discussion:
epg + pinentry + gnus
Sergio Durigan Junior
2014-09-18 04:11:17 UTC
Hi there,

I know this is not specific to Gnus, but I figured I'd try sending this
question here and see how it goes.

I use EasyPG (with gpg-agent) + Gnus, like many others, I believe.
However, there's one thing that I can't do: make Gnus (or epg, for that
matter) prompt me only once for the passphrase and then make gpg-agent
cache it. What happens instead is that whenever I open an encrypted
message, I see the passphrase prompt in the minibuffer.

Well, TBH I actually *managed* to solve this problem, by telling
gpg-agent to use pinentry-gtk instead, which opens this fancy window
with the same passphrase prompt in it. However, this obviously doesn't
work (out of the box) when I'm using Emacs over SSH (which is *a lot*
for me).

I managed to find a few workarounds, like

<http://www.enigmacurry.com/2009/01/14/extending-emacs-with-advice/>

And also a few threads discussing a very similar problem:

<https://lists.gnu.org/archive/html/emacs-devel/2013-09/msg00590.html>

But before I decide to go with the (defadvice) thing, I decided to ask
here: do you guys have this same problem, and if so, how do you
work around it?

Thanks,
--
Sergio
GPG key ID: 0x65FC5E36
Please send encrypted e-mail if possible
http://sergiodj.net/
Peter Münster
2014-09-18 18:44:28 UTC
Post by Sergio Durigan Junior
I use EasyPG (with gpg-agent) + Gnus, like many others, I believe.
However, there's one thing that I can't do: make Gnus (or epg, for that
matter) prompt me only once for the passphrase and then make gpg-agent
cache it. What happens instead is that whenever I open an encrypted
message, I see the passphrase prompt in the minibuffer.
Just some ideas:
- Keep passphrase in RAM forever, put these lines in
~/.gnupg/gpg-agent.conf:
default-cache-ttl 99999999
max-cache-ttl 99999999
- Allow preset passphrase for secret keys, put this in
~/.gnupg/gpg-agent.conf:
allow-preset-passphrase
- Apply passphrase to all secret keys at start of session, put this in
~/.xinitrc:
SSH_ASKPASS=~/bin/askpass.lisp ssh-add
(file ~/bin/askpass.lisp is attached)
--
Peter
Sergio Durigan Junior
2014-09-25 02:50:03 UTC
Post by Peter Münster
- Keep passphrase in RAM forever, put these lines in
default-cache-ttl 99999999
max-cache-ttl 99999999
Sorry for the long delay in answering. This is the approach I decided
on, after all. I am preparing a patch to GPG in order to deal with infinite
TTLs (this is buggy now).

Cheers,
--
Sergio
GPG key ID: 0x65FC5E36
Please send encrypted e-mail if possible
http://sergiodj.net/
W. Greenhouse
2014-10-03 06:31:13 UTC
Hi Sergio,
Post by Sergio Durigan Junior
Post by Peter Münster
- Keep passphrase in RAM forever, put these lines in
default-cache-ttl 99999999
max-cache-ttl 99999999
Sorry for the long delay in answering. This is the approach I decided
on, after all. I am preparing a patch to GPG in order to deal with infinite
TTLs (this is buggy now).
Necromancing this thread for a moment to offer my dumb kludge for the
pinentry-on-Emacs-over-SSH case:

http://www.emacswiki.org/emacs/EasyPG#toc5

The only issue I have with this is that the display is sometimes garbled
in the pinentry-curses "window" when entering the passphrase from a
terminal session.

--
Best,
WGG

Ted Zlatanov
2014-09-24 15:09:58 UTC
On Thu, 18 Sep 2014 00:11:17 -0400 Sergio Durigan Junior <***@sergiodj.net> wrote:

SDJ> But before I decide to go with the (defadvice) thing, I decided to ask
SDJ> here: do you guys have this same problem, and if so, how do you
SDJ> work around it?

You can try dropping to GnuPG 1.x and caching a symmetric encryption
key. See `epa-file-cache-passphrase-for-symmetric-encryption'. It's not
great but works much better over SSH to remote hosts if you accept the
risk of storing the passphrase in Emacs' memory. In my work, it's
indispensable.

Documentation:

"If non-nil, cache passphrase for symmetric encryption.

For security reasons, this option is turned off by default and
not recommended to use. Instead, consider using gpg-agent which
does the same job in a safer way. See Info node `(epa) Caching
Passphrases' for more information.

Note that this option has no effect if you use GnuPG 2.0."

Ted
Sergio Durigan Junior
2014-09-25 02:51:19 UTC
Post by Ted Zlatanov
SDJ> But before I decide to go with the (defadvice) thing, I decided to ask
SDJ> here: do you guys have this same problem, and if so, how do you
SDJ> work around it?
You can try dropping to GnuPG 1.x and caching a symmetric encryption
key.
Thanks for the advice, Ted, but dropping to GPG 1.x is not something I'd
like to do. Anyway, I chose to extend the TTL of the key, so that I
don't have to type the passphrase every now and then.
--
Sergio
GPG key ID: 0x65FC5E36
Please send encrypted e-mail if possible
http://sergiodj.net/