[PATCH] Add inside-Emacs mode to GUI pinentry programs

Daiki Ueno ueno at gnu.org
Tue Jun 9 05:40:36 CEST 2015


Hello Daniel,

Thanks for the comment.

Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> This worries me a bit.  I use emacs regularly, and i often use emacs
> under X11.  I'd generally rather that emacs *not* ever see or touch my
> passphrase or my secret key material, deferring instead to gpg-agent and
> graphical pinentry prompts to retain its ignorance.

That's a valid concern.  Actually, I too am unlikely to use the Emacs
pinentry regularly for security reasons, while users are really eager
for the enter-passphrase-from-the-minibuffer feature.

> But i think the code you've outlined above makes it so that pinentry
> will be used automatically as long as it is detected as running within
> emacs.  is that right?

Partly yes.  To enable the Emacs pinentry, a user needs to call M-x
pinentry-start manually.  However, this might not be sufficient for
GnuPG not to interact with Emacs.  In that case, it might make sense to
add an option to pinentry.conf, e.g., {no-,}allow-emacs-pinentry.

I will try to add it in the new patch.

>> +  /* Check if INSIDE_EMACS envvar is set.  */
>> +  envvar = getenv ("INSIDE_EMACS");
>> +  if (!envvar || !*envvar)
>> +    return 0;
>> +
>> +  /* FIXME: Additional checks for the value.  */
>> +  return pinentry_emacs_init ();
>> +}
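Review bot: the `/* FIXME: Additional checks for the value.  */` comment should either name the check it intends or be removed; as written, the only gate is `if (!envvar || !*envvar) return 0;`, so any non-empty INSIDE_EMACS value reaches `pinentry_emacs_init ()`. If a version check on the "25.0.50.1,comint" form is wanted, parse the numeric prefix before the call; if not, drop the comment so readers do not assume a missing validation step.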
>
> What does the FIXME above mean?  What checks do you imagine going
> here?
> what problems could happen if the checks are not done?

I was thinking of some version checks of Emacs, based on the value of
INSIDE_EMACS, which is normally in the form of "25.0.50.1,comint".
However, now that the Emacs side code (pinentry.el) doesn't depend on a
particular version of Emacs, we can remove the comment.

Regards,
-- 
Daiki Ueno
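The two checks discussed in this thread, an explicit opt-in (the proposed allow-emacs-pinentry option) and a sanity check on the INSIDE_EMACS value, as an added example that is not part of the patch or of pinentry itself. The function names, the `allow` flag standing in for the config option, and the minimum-version threshold are assumptions; the value is passed in as a parameter rather than read with getenv so the decision logic can be exercised directly.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the leading "MAJOR.MINOR" of an INSIDE_EMACS value such as
   "25.0.50.1,comint" (the form mentioned in the mail).  Returns 1 and
   fills MAJOR/MINOR on success, 0 if the value does not start with a
   dotted numeric version. */
int parse_inside_emacs(const char *value, unsigned *major, unsigned *minor)
{
  char *end;
  unsigned long maj, min;

  if (!value || !isdigit((unsigned char)*value))
    return 0;
  maj = strtoul(value, &end, 10);
  if (*end != '.' || !isdigit((unsigned char)end[1]))
    return 0;
  min = strtoul(end + 1, &end, 10);
  /* After MAJOR.MINOR only more dotted components, the ",mode" suffix
     or end of string are acceptable. */
  if (*end != '.' && *end != ',' && *end != '\0')
    return 0;
  *major = (unsigned)maj;
  *minor = (unsigned)min;
  return 1;
}

/* Convenience wrapper: major version, or 0 when the value is malformed. */
unsigned inside_emacs_major(const char *value)
{
  unsigned major, minor;
  return parse_inside_emacs(value, &major, &minor) ? major : 0;
}

/* Decide whether the prompt may be handed to Emacs.  ALLOW stands for
   the proposed allow-emacs-pinentry configuration option (hypothetical
   name taken from the discussion); MIN_MAJOR is the oldest Emacs major
   version accepted.  Without ALLOW the answer is always 0, so a stray
   INSIDE_EMACS in the environment never routes a passphrase through
   Emacs on its own. */
int use_emacs_pinentry(const char *inside_emacs, int allow, unsigned min_major)
{
  unsigned major, minor;

  if (!allow)
    return 0;
  if (!inside_emacs || !*inside_emacs)
    return 0;
  if (!parse_inside_emacs(inside_emacs, &major, &minor))
    return 0;
  return major >= min_major;
}

int main(void)
{
  /* Constructed sample values, not taken from a real session. */
  const char *samples[] = { "25.0.50.1,comint", "24.5.1", "garbage", "", NULL };
  for (int i = 0; samples[i]; i++)
    printf("INSIDE_EMACS=\"%s\": allow=1 -> %d, allow=0 -> %d\n",
           samples[i],
           use_emacs_pinentry(samples[i], 1, 25),
           use_emacs_pinentry(samples[i], 0, 25));
  return 0;
}
```

The ordering matters: the opt-in is tested before the environment, so the environment variable can only ever narrow the decision, never widen it, which is the property the concern in this thread asks for.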

More information about the Gnupg-devel mailing list