Problem with focus of pinentry on win7

Werner Koch wk at gnupg.org
Mon Nov 26 11:55:03 CET 2018


Hi!

Here is my reply to the Enigmail list which explains why this is indeed
not just a problem of gpg and that we can't have a perfect solution.

For security reasons Windows has strict rules on which process can put
itself into the focus.  Enigmail needs to tell Pinentry, via gpg, that
it may take the focus and request input.  This is implemented by a
callback mechanism all the way from Pinentry, via gpg-agent and gpg up
to the calling process (Thunderbird here).

In the case of Enigmail, it needs to call AllowSetForegroundWindow with
the process handle of the just created gpg process.  In turn, gpg
detects the Pinentry launch and calls AllowSetForegroundWindow on the
Process handle of the started Pinentry.  Only then Pinentry may
display itself.  Further, when calling AllowSetForegroundWindow the
process must have its Window already in the foreground.

Sometimes other windows get in the way and even a correctly implemented
AllowSetForegroundWindow chain will not work.  As per Windows security
architecture, the Pinentry will announce itself in the taskbar.

I would recommend increasing the passphrase caching time so
that the Pinentry dialog is not required too often.  Usually there is
not much security gain by always entering the passphrase: Any attacking
malware will first install a keylogger and can thus grab the passphrase
in any case.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
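The hand-off chain Werner describes (Thunderbird -> gpg -> Pinentry) can be reproduced with three PowerShell processes. The script below is an added example written for this page; it is not code from GnuPG, Enigmail or Thunderbird. The script name (fgchain.ps1), the Demo.Win32 P/Invoke wrapper and the log path under $env:TEMP are assumptions; AllowSetForegroundWindow, SetForegroundWindow, GetForegroundWindow, ShowWindow and GetConsoleWindow are the real Win32 calls, and AllowSetForegroundWindow takes the target's process ID. The Root hop plays Thunderbird, Middle plays gpg and Leaf plays Pinentry; running it with -NoGrant breaks the chain at the gpg hop so the failure mode (the window only flashes on the taskbar) can be seen.

```powershell
<#
  Three-hop foreground hand-off, modelled on Thunderbird -> gpg -> pinentry.
  Run from an interactive console that currently has the foreground:
      .\fgchain.ps1            # full chain: the Leaf window should come to the front
      .\fgchain.ps1 -NoGrant   # Middle skips its grant: Leaf only flashes on the taskbar
  Example code written for this page; not part of GnuPG, Enigmail or Thunderbird.
#>
param(
    [ValidateSet('Root', 'Middle', 'Leaf')][string]$Role = 'Root',
    [switch]$NoGrant   # break the chain at the Middle hop to see the failure mode
)

# P/Invoke for the Win32 calls involved (the DLL exports are real; the Demo.Win32 type name is ours).
Add-Type -Namespace Demo -Name Win32 -MemberDefinition @'
[DllImport("user32.dll")]   public static extern bool   AllowSetForegroundWindow(uint dwProcessId);
[DllImport("user32.dll")]   public static extern bool   SetForegroundWindow(IntPtr hWnd);
[DllImport("user32.dll")]   public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")]   public static extern bool   ShowWindow(IntPtr hWnd, int nCmdShow);
[DllImport("kernel32.dll")] public static extern IntPtr GetConsoleWindow();
'@

$log = Join-Path $env:TEMP 'fgchain.log'   # assumed log location; the hidden hops report here

function Start-ChildRole {
    param([string]$ChildRole, [switch]$PassNoGrant)
    $childArgs = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $PSCommandPath, '-Role', $ChildRole)
    if ($PassNoGrant) { $childArgs += '-NoGrant' }
    # Hidden: the child owns a console window but it is neither shown nor activated,
    # so the parent keeps the foreground and the child must be granted the right to take it.
    Start-Process -FilePath (Get-Process -Id $PID).Path -ArgumentList $childArgs -WindowStyle Hidden -PassThru
}

switch ($Role) {
    'Root' {
        Remove-Item $log -ErrorAction SilentlyContinue
        $mid = Start-ChildRole -ChildRole 'Middle' -PassNoGrant:$NoGrant
        # Root currently holds the foreground, so it may pass the right on to the process it just started.
        $ok = [Demo.Win32]::AllowSetForegroundWindow([uint32]$mid.Id)
        Add-Content $log "Root   PID $PID -> AllowSetForegroundWindow($($mid.Id)) = $ok"
        Wait-Process -Id $mid.Id
        Get-Content $log
    }
    'Middle' {
        $leaf = Start-ChildRole -ChildRole 'Leaf'
        if ($NoGrant) {
            Add-Content $log "Middle PID $PID -> grant to Leaf skipped (-NoGrant)"
        } else {
            # Middle may only do this because Root granted it the right a moment ago.
            $ok = [Demo.Win32]::AllowSetForegroundWindow([uint32]$leaf.Id)
            Add-Content $log "Middle PID $PID -> AllowSetForegroundWindow($($leaf.Id)) = $ok"
        }
        Wait-Process -Id $leaf.Id
    }
    'Leaf' {
        Start-Sleep -Milliseconds 300                 # let Middle's grant land before claiming
        $hwnd = [Demo.Win32]::GetConsoleWindow()
        [void][Demo.Win32]::ShowWindow($hwnd, 5)      # SW_SHOW: make the hidden console visible
        $claimed = [Demo.Win32]::SetForegroundWindow($hwnd)
        # The return value alone is not a reliable signal; ask the system who really holds the foreground.
        $isFg = ([Demo.Win32]::GetForegroundWindow() -eq $hwnd)
        Add-Content $log "Leaf   PID $PID -> SetForegroundWindow = $claimed; really in foreground = $isFg"
        Start-Sleep -Seconds 5                        # keep the window around so the result can be seen
    }
}
```

Do not touch the keyboard or mouse for the few seconds the chain takes: a grant made with AllowSetForegroundWindow is lost as soon as the user generates input directed at another process, or as soon as any other process on the desktop calls AllowSetForegroundWindow itself, which is the "other windows get in the way" case in the message above. That is also why the Leaf hop checks GetForegroundWindow rather than trusting the return value of SetForegroundWindow: a denied call leaves the window behind and only flashes its taskbar button, exactly what Pinentry does on the taskbar when the chain is broken.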

