Pinentry linking to libassuan? (was: Add inside-Emacs mode to GUI pinentry programs)

Daniel Kahn Gillmor dkg at
Sat Jun 6 00:48:57 CEST 2015

Hi there--

On Fri 2015-06-05 05:31:23 -0400, Werner Koch wrote:
> Originally Pinentry should be mostly self-standing but today this is
> only true for the plain curses, tty and Windows versions.  Most users
> however build one of the real GUI versions with all their large
> dependencies.

For users of graphical environments, this seems likely to be the right

> The question is whether we should keep on using our much stripped down
> versions of libassuan and libgpg-error or switch over to use libassuan
> and libgpg-error directly.  In fact, both libraries are required by
> GnuPG itself and also be any software using GPGME.  Thus we can expect
> that such a change won't introduce any new platform problems.

I'd be happy to switch to libassuan + gcrypt in those environments,
since those libraries are likely already on the system (and pinentry is
really usually expected to be invoked by gpg-agent, which itself depends
on libassuan and gcrypt).

That said, I'd like to try to minimize the number of dependencies for
the non-graphical clients in normal circumstances.  I've filed:

to track doing that in debian.  Is there a way to make a single build of
the pinentry tree, but to only enable libsecret for gtk2, qt4, and
gnome3 and leave it out for tty and curses?  if not, i guess i can just
./configure twice and build different variants in the different

> However, we should also link to Libgcrypt to make use of its secure
> memory code - if that is something we should keep on using. It would
> also be possible to do without and make sure that the passphrase is only
> stored at one place which we would manually clear as needed.  Frankly, I
> think that the mlock-ed memory area is not useful anymore because it
> does not help against hibernation.  To mitigate the swapping problem an
> encrypted swap partition is anyway much easier and safer.

Doing away with mlocking entirely would certainly simplify the pinentry


More information about the Gnupg-devel mailing list