epg-encrypt-string in Emacs seems to be incompatible with GnuPG 2.4.1 on macOS, 2.4.0 works

[Werner Koch]

Hi!

On Fri, 19 May 2023 17:38, Robert Irelan said:

> This is the command line that seems to hang with 2.4.1:
>
> ```
> /opt/local/bin/gpg2 --no-tty --status-fd 1 --yes
> --enable-progress-filter --command-fd 0 --output
> /var/folders/gc/73c5zcp918z9dssx8k1sybh00000gn/T/epg-output2zVC4K
> --pinentry-mode ask --decrypt --
> /var/folders/gc/73c5zcp918z9dssx8k1sybh00000gn/T/epg-inputMnF1UG
> ```

Here are two places which do not look correct:

  (defun epg-wait-for-completion (context)
    "Wait until the `epg-gpg-program' process completes."
    (while (eq (process-status (epg-context-process context)) 'run)
      (accept-process-output (epg-context-process context) 1))
    ;; This line is needed to run the process-filter right now.
    (sleep-for 0.1)
  
Sleeping for 100ms looks like an error prone hack.

  (defun epg-start-decrypt (context cipher)
    [...]
    ;; `gpgsm' does not read passphrase from stdin, so waiting is not needed.
    (unless (eq (epg-context-protocol context) 'CMS)
      (epg-wait-for-status context '("BEGIN_DECRYPTION"))))

It is quite possible that BEGIN_DECRYPTION is emitted after the request
for a pinentry. It does not look right to wait for it.  I have not
looked into the EasyPG code for many years despite that I am using it
every day.  The use of --command-fd w/o a state machine (or is there one
for decrypt?) to handle the requests is not a good idea;; using --batch
would be better.

Please also see https://dev.gnupg.org/T6481 which is about a very
similar problem.


Salam-Shalom,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20230522/b2cf656f/attachment.sig>