pinentry does not work with emacs editor

Bug #1986895 reported by Andrew L. Moore
Affects: pinentry (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Emacs supports entering GnuPG passwords in a mini-buffer. This is a common scenario when running Emacs on a remote machine, e.g., to commit to a GIT repository. Password entry is implemented by calling pinentry, which provides a secure protocol between GnuPG and Emacs.

Unfortunately, the Debian 11/Ubuntu 22.04 implementation of pinentry does not work properly: A password can only be entered in a windowed environment using a (e.g., Gnome3) pop-up window - not in an Emacs mini-buffer. And if Emacs is run in tty mode, a password cannot be entered at all since pinentry-curses competes with Emacs for I/O. In the particular case of Ubuntu 22.04, replacing the pinentry package(s) with those from Fedora 36 resolves the issue.

Configuration:
In Emacs, install the (Emacs) package `pinentry' along with the following lines in ~/.emacs (or other init file):

(require 'pinentry)

(setq epg-pinentry-mode 'loopback)
(pinentry-start)

Install GnuPG. Create a password-protected secret key (e.g., `gpg --full-generate-key`). Add the following lines to ~/.gnupg/gpg-agent.conf:

allow-loopback-pinentry
allow-emacs-pinentry

Add the GnuPG key id to GIT config:

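# Take the long key id of the ed25519 secret key.
# gensub() and \s are GNU awk extensions, so awk here must be gawk.
gpg_key_id=$(
    gpg --list-secret-keys --keyid-format long |
        awk '/^sec\s+ed25519/ { print gensub(/.*\//, "", 1, $2) }'
)
git config --global commit.gpgsign true
git config --global user.signingkey "$gpg_key_id"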

Kill any existing gpg-agent (e.g., `pkill -U $USER -f gpg-agent` or `systemctl --user stop gpg-agent.service`).

Now, edit a GIT repository with Emacs and commit the changes using, e.g., Emacs package `magit'.

The attached image shows the expected password prompt in an Emacs mini-buffer.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: pinentry-gnome3 1.1.1-1build2 [modified: usr/bin/pinentry-gnome3]
ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39
Uname: Linux 5.15.0-46-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Wed Aug 17 20:02:51 2022
InstallationDate: Installed on 2021-08-01 (381 days ago)
InstallationMedia: Ubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
SourcePackage: pinentry
UpgradeStatus: Upgraded to jammy on 2022-04-29 (110 days ago)

Andrew L. Moore (slewsys) wrote :

Entering a GnuPG passphrase in the Emacs minibuffer evidently does work with Ubuntu/Debian pinentry. To enable this, add to ~/.gnupg/gpg.conf the line:

pinentry-mode loopback

and add to ~/.gnupg/gpg-agent.conf the line:

allow-loopback-pinentry

That's it. Restart gpg-agent, open a text file, then write it (C-x C-w) to disk with a .gpg extension. You'll be prompted in the Emacs minibuffer to enter a passphrase for encryption.

The more complicated method described above uses the external Emacs package pinentry.el and does not modify ~/.gnupg/gpg.conf. The prompt that appears in the Emacs minibuffer is more informative, but otherwise the result is the same...
-AM
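
A read-only check for the two configurations described in this report, as an added example that is not part of the report or of GnuPG. The function names `has_option` and `loopback_status` and the four status strings are made up here; the option names and file names are the ones quoted above.

```shell
#!/bin/sh
# Added example: report which of the loopback settings named in this bug
# report are active in a GnuPG home directory. It only reads gpg.conf and
# gpg-agent.conf; it never starts or talks to gpg-agent.

# has_option FILE WORD...: succeed if "WORD..." is an active line in FILE.
# Lines whose first non-blank character is "#" are treated as comments,
# and runs of blanks between words are collapsed before comparing.
has_option() {
    file=$1; shift
    [ -r "$file" ] || return 1
    awk -v want="$*" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || $0 == "" { next }
        { gsub(/[ \t]+/, " ") }
        $0 == want { found = 1 }
        END { exit !found }
    ' "$file"
}

# loopback_status [HOMEDIR]: print one status word for HOMEDIR
# (default: $GNUPGHOME, then ~/.gnupg).
#   agent-loopback-unset   gpg-agent.conf has no active allow-loopback-pinentry
#   gpg-forces-loopback    gpg.conf sets "pinentry-mode loopback", so gpg
#                          hands passphrase prompts to the calling program
#   emacs-pinentry-allowed agent also has allow-emacs-pinentry; the caller
#                          (e.g. Emacs with epg-pinentry-mode) asks for loopback
#   loopback-on-request    agent allows loopback; nothing in gpg.conf forces it
loopback_status() {
    home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    agent=$home/gpg-agent.conf
    if ! has_option "$agent" allow-loopback-pinentry; then
        echo agent-loopback-unset
    elif has_option "$home/gpg.conf" pinentry-mode loopback; then
        echo gpg-forces-loopback
    elif has_option "$agent" allow-emacs-pinentry; then
        echo emacs-pinentry-allowed
    else
        echo loopback-on-request
    fi
}

# Usage after sourcing this file:  loopback_status   or   loopback_status /path/to/gnupg-home
```

The check reflects file contents only: a running gpg-agent keeps its old settings until it is restarted, as both configuration recipes above note.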
