[PATCH] Add inside-Emacs mode to GUI pinentry programs

Daiki Ueno ueno at gnu.org
Tue Jun 9 05:40:36 CEST 2015

Hello Daniel,

Thanks for the comment.

Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> This worries me a bit.  I use emacs regularly, and i often use emacs
> under X11.  I'd generally rather that emacs *not* ever see or touch my
> passphrase or my secret key material, deferring instead to gpg-agent and
> graphical pinentry prompts to retain its ignorance.

That's a valid concern.  Actually, I too am unlikely to use the Emacs
pinentry regularly for security reasons, while users are really eager
for the enter-passphrase-from-the-minibuffer feature.

> But i think the code you've outlined above makes it so that pinentry
> will be used automatically as long as it is detected as running within
> emacs.  is that right?

Partly yes.  To enable the Emacs pinentry, a user needs to call M-x
pinentry-start manually.  However, this might not be sufficient for
GnuPG not to interact with Emacs.  In that case, it might make sense to
add an option to pinentry.conf, e.g., {no-,}allow-emacs-pinentry.

I will try to add it in the new patch.

>> +  /* Check if INSIDE_EMACS envvar is set.  */
>> +  envvar = getenv ("INSIDE_EMACS");
>> +  if (!envvar || !*envvar)
>> +    return 0;
>> +
>> +  /* FIXME: Additional checks for the value.  */
>> +  return pinentry_emacs_init ();
>> +}
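Review bot: the gate at the top of this hunk accepts any non-empty INSIDE_EMACS as proof that the user wants the passphrase prompt inside Emacs, which is too weak a signal on its own: environment variables are inherited by child processes, so anything launched from within Emacs carries the variable whether or not the user ever called M-x pinentry-start. Make the call to pinentry_emacs_init () conditional on an explicit opt-in (the allow-emacs-pinentry option discussed in this reply) in addition to the environment check. The "FIXME: Additional checks for the value." comment should either be removed or replaced by the concrete check intended, for example validating that the value has the ",comint" form described below, so the hunk does not ship with an open question in it.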
> What does the FIXME above mean?  What checks do you imagine going
> here?
> what problems could happen if the checks are not done?

I was thinking of some version checks of Emacs, based on the value of
INSIDE_EMACS, which is normally in the form ",comint".
However, now that the Emacs side code (pinentry.el) doesn't depend on a
particular version of Emacs, we can remove the comment.

Daiki Ueno
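The following is an added example, not code from the patch or from pinentry itself. It shows, in the C that pinentry is written in, how the INSIDE_EMACS heuristic from the quoted hunk could be tightened along the lines discussed in this thread: the environment variable is parsed into its "<version>,<mode>" parts as described above instead of being accepted as merely non-empty, and the Emacs pinentry is only selected when an explicit opt-in flag is also set, standing in for the proposed allow-emacs-pinentry option. The function names, the opt-in flag and the minimum-version parameter are assumptions made for the example.

```c
/* Added example, not part of the pinentry patch under discussion.
 * Demonstrates validating INSIDE_EMACS and gating the Emacs pinentry on an
 * explicit opt-in, since INSIDE_EMACS is inherited by every process started
 * from within Emacs and its presence alone says nothing about user intent. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse an INSIDE_EMACS value such as "24.5,comint" into major/minor.
 * Returns 1 on success, 0 if the value does not have the expected shape.
 * The "<version>,<mode>" layout is the form described in the thread. */
int parse_inside_emacs (const char *value, int *major, int *minor)
{
  const char *start;
  char *end;
  long maj, min = 0;

  if (!value || !*value)
    return 0;

  errno = 0;
  maj = strtol (value, &end, 10);
  if (end == value || errno || maj < 0)
    return 0;

  if (*end == '.')
    {
      start = end + 1;
      min = strtol (start, &end, 10);
      if (end == start || min < 0)
        return 0;
    }

  /* A mode tag must follow the version, e.g. ",comint". */
  if (*end != ',' || end[1] == '\0')
    return 0;

  *major = (int) maj;
  *minor = (int) min;
  return 1;
}

/* Decide whether the Emacs pinentry should be used.  allow_emacs is the
 * explicit opt-in (hypothetical stand-in for an allow-emacs-pinentry
 * option); without it the environment variable never switches the
 * passphrase prompt into Emacs.  min_major is an assumed version floor. */
int emacs_pinentry_wanted (const char *inside_emacs, int allow_emacs,
                           int min_major)
{
  int major, minor;

  if (!allow_emacs)
    return 0;
  if (!parse_inside_emacs (inside_emacs, &major, &minor))
    return 0;
  return major >= min_major;
}

int main (void)
{
  /* Treat an assumed ALLOW_EMACS_PINENTRY=1 in the environment as the
   * opt-in for this stand-alone run; a real build would read its config. */
  const char *opt = getenv ("ALLOW_EMACS_PINENTRY");
  int allow = opt && strcmp (opt, "1") == 0;
  int wanted = emacs_pinentry_wanted (getenv ("INSIDE_EMACS"), allow, 24);

  printf ("emacs pinentry: %s\n", wanted ? "yes" : "no");
  return 0;
}
```

Run with INSIDE_EMACS set but ALLOW_EMACS_PINENTRY unset and the decision is "no", which is the behaviour dkg asks for: Emacs only sees the prompt when the user has said so, not merely because gpg happened to be started from inside it.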
