[Bug 1986895] [NEW] pinentry does not work with emacs editor

Andrew L. Moore 1986895 at bugs.launchpad.net
Thu Aug 18 03:32:26 UTC 2022


Public bug reported:

Emacs supports entering GnuPG passwords in a mini-buffer. This is a
common scenario when running Emacs on remote machine, e.g., to commit to
a GIT repository.  Password entry is implemented by calling pinentry,
which provides a secure protocol between GnuPG and Emacs.

Unfortunately, the Debian 11/Ubuntu 22.04 implementation of pinentry
does not work properly: A password can only be entered in a windowed
environment using a (e.g., Gnome3) pop-up window - not in an Emacs mini-
buffer. And if Emacs is run in tty mode, a password cannot be entered at
all since pinentry-curses competes with Emacs for I/O.  In the
particular case of Ubuntu 22.04, replacing the pinentry package(s) with
those from Fedora 36 resolves the issue.

Configuration:
In Emacs, install the (Emacs) package `pinentry' along with the following lines in ~/.emacs (or other init file):

(require 'pinentry)

(setq epg-pinentry-mode 'loopback)
(pinentry-start)

Install GnuPG.  Create a password-protected secret key (e.g.,
`gpg --full-generate-key`). Add the following lines to
~/.gnupg/gpg-agent.conf:

allow-loopback-pinentry
allow-emacs-pinentry

Add the GnuPG key id to GIT config:

# Extract the long key ID from the `sec` line of the ed25519 secret key.
gpg_key_id=$(
    gpg --list-secret-keys --keyid-format long |
        awk '/^sec +ed25519/ { sub(/.*\//, "", $2); print $2 }'
)
git config --global commit.gpgsign true
git config --global user.signingkey "$gpg_key_id"


Kill any existing gpg-agent (e.g., `pkill -U $USER -f gpg-agent` or `systemctl --user stop gpg-agent.service`).

Now, edit a GIT repository with Emacs and commit the changes using,
e.g., Emacs package `magit'.

The attached image shows the expected password prompt in an Emacs mini-
buffer.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: pinentry-gnome3 1.1.1-1build2 [modified: usr/bin/pinentry-gnome3]
ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39
Uname: Linux 5.15.0-46-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Wed Aug 17 20:02:51 2022
InstallationDate: Installed on 2021-08-01 (381 days ago)
InstallationMedia: Ubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
SourcePackage: pinentry
UpgradeStatus: Upgraded to jammy on 2022-04-29 (110 days ago)

** Affects: pinentry (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug jammy wayland-session

** Attachment added: "Emacs password entry in mini-buffer"
   https://bugs.launchpad.net/bugs/1986895/+attachment/5609499/+files/Emacs%20password%20entry%20in%20mini-buffer.png
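
Added example, not part of the original report or of any Ubuntu or GnuPG tooling: a small shell lint that checks the two files the report configures (gpg-agent.conf and the Emacs init file) for the settings it lists, so a missing or commented-out line can be ruled out before blaming the pinentry package. The function names and the file paths passed to them are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint the two files the report configures (paths are arguments).

# True if OPTION ($2) is an active line in gpg-agent.conf ($1);
# lines whose first non-blank character is '#' are treated as comments.
has_agent_option() {
    [ -r "$1" ] || return 1
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' "$1" |
        grep -qxF -- "$2"
}

# True if an Emacs Lisp line in $1 matches ERE $2 once ';' comments are cut
# (approximation: a ';' inside a string is also treated as a comment).
has_elisp_form() {
    [ -r "$1" ] || return 1
    sed -e 's/;.*$//' "$1" | grep -Eq -- "$2"
}

# check_emacs_pinentry AGENT_CONF EMACS_INIT
# Prints one line per missing setting; returns 0 only if nothing is missing.
check_emacs_pinentry() {
    rc=0
    for opt in allow-loopback-pinentry allow-emacs-pinentry; do
        has_agent_option "$1" "$opt" || { echo "gpg-agent.conf: $opt not set"; rc=1; }
    done
    has_elisp_form "$2" "\(setq[[:space:]]+epg-pinentry-mode[[:space:]]+'loopback\)" ||
        { echo "emacs init: epg-pinentry-mode is not 'loopback"; rc=1; }
    has_elisp_form "$2" '\(pinentry-start\)' ||
        { echo "emacs init: (pinentry-start) not called"; rc=1; }
    return "$rc"
}

# Constructed sample input: one agent option commented out, pinentry-start disabled.
demo=$(mktemp -d)
printf '%s\n' 'allow-loopback-pinentry' '# allow-emacs-pinentry' > "$demo/gpg-agent.conf"
printf '%s\n' "(require 'pinentry)" "(setq epg-pinentry-mode 'loopback)" \
    ';; (pinentry-start)' > "$demo/init.el"
check_emacs_pinentry "$demo/gpg-agent.conf" "$demo/init.el" || true
rm -rf "$demo"
```

On a real system the call would be `check_emacs_pinentry ~/.gnupg/gpg-agent.conf ~/.emacs`; gpg-agent only rereads its configuration after it is restarted, as the report's kill step does.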
