[PATCH] Add inside-Emacs mode to GUI pinentry programs
Daiki Ueno
ueno at gnu.org
Tue Jun 9 05:40:36 CEST 2015
Hello Daniel,
Thanks for the comment.
Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
> This worries me a bit. I use emacs regularly, and i often use emacs
> under X11. I'd generally rather that emacs *not* ever see or touch my
> passphrase or my secret key material, deferring instead to gpg-agent and
> graphical pinentry prompts to retain its ignorance.
That's a valid concern. Actually, I too am unlikely to use the Emacs
pinentry regularly for security reasons, while users are really eager
for the enter-passphrase-from-the-minibuffer feature.
> But i think the code you've outlined above makes it so that pinentry
> will be used automatically as long as it is detected as running within
> emacs. is that right?
Partly yes. To enable the Emacs pinentry, a user needs to call M-x
pinentry-start manually. However, this might not be sufficient for
GnuPG not to interact with Emacs. In that case, it might make sense to
add an option to pinentry.conf, e.g., {no-,}allow-emacs-pinentry.
I will try to add it in the new patch.
>> + /* Check if INSIDE_EMACS envvar is set. */
>> + envvar = getenv ("INSIDE_EMACS");
>> + if (!envvar || !*envvar)
>> + return 0;
>> +
>> + /* FIXME: Additional checks for the value. */
>> + return pinentry_emacs_init ();
>> +}
>
> What does the FIXME above mean? What checks do you imagine going
> here?
> what problems could happen if the checks are not done?
I was thinking of some version checks of Emacs, based on the value of
INSIDE_EMACS, which normally in the form of "25.0.50.1,comint".
However, now that the Emacs side code (pinentry.el) doesn't depend on
particular version of Emacs, we can remove the comment.
Regards,
--
Daiki Ueno
More information about the Gnupg-devel
mailing list