Remove gpg-agent passphrase nags for empty / none passphrase
Open, Normal, Public

Description

@dkg I subscribed you because I would be interested in your opinion as a downstream maintainer.

I do not think that gpg-agent or pinentry should pop up these annoying dialogs if a user decides not to enter a password or a seemingly (and the logic for that is super weak in gpg-agent) insecure passphrase.

Currently this leads me to implement GUI code where the passphrase for keygen is not provided by pinentry but by my own GUI. This should not be the case.

There are very many scenarios where "no passphrase" is viable for OpSec and as this increases usability it increases adoption.

Yeah, it is annoying. Maybe it is indeed better not to ask for a passphrase at all.

aheinecke added a comment. Edited Jan 25 2019, 4:49 PM

No! That is not what I want with this issue. We should ask once for a passphrase and then shut up.

Current User Interface design is not: "Double ask the user if she is sure she wants to do that" because the User has not gained any information in the meantime.

You only use these dialogs in case an accidental click is irreversible. (Like deleting files) But creating a key is a reversible and inconsequential operation. You can easily repeat it.

So you mean the bug that you see a second set of passphrase dialogs iff you told the first one that you don't want a passphrase? That is not trivial to fix because we use the passphrase cache to avoid the double passphrase questions. Without passphrase cache we need a separate code path.

No that bug is different. Nowadays you have to solve four dialogs to create a key without a passphrase.

This bug is to make it only two. I have to look up the subkey passphrase thing but we have it in Phabricator.

But to resolve this bug I also want to remove stuff like "ooooh you should use numbers or something like that" we have that in configuration but our default code is too dumb to be useful (afaik "password" is accepted with 90% quality). We also have a bug for the quality thingy, which I also find important because that is the first contact with our software.

The quality bar is switched off by default. That feature including the quality was ordered and accepted by a client. I don't like it either and thus the new default of having it disabled is a useful solution.

Regarding the quality evaluation, several months ago I proposed to optionally delegate that task to an external tool (specified by a new gpg-agent option passphrase-checker). I posted a first draft as D442 and then submitted a proper patchset to gnupg-devel, but although @werner expressed interest it was never merged. I have just checked that the patchset still applies cleanly to both the master branch and the STABLE-BRANCH-2-2. I can re-submit it to the mailing list if needed.

dkg added a comment. Feb 11 2019, 7:48 AM

I can't tell whether this bug report is about all the ways that we wish that GnuPG's default password process was better, or whether it's about one specific change.

re: the specific change: I fully support not hassling the user if they've chosen to decline to enter a passphrase. I don't mind a message to stderr or --status-fd that acknowledges the lack of a passphrase though, i think that could be useful.

re: general usability improvement: i think it would be great if gpg-agent (or pinentry?), when it knows it is prompting for a new password, were to auto-generate a memorable, high-entropy passphrase from the user's native locale and provide it as initial prompt. If the user selects this pre-generated passphrase, then they should also be prompted for it while it is not being shown to the user, to verify that they do actually know it. Choosing high-entropy passphrases for people is super useful because people are terrible at choosing passphrases.

The quality bar is switched off by default. That feature including the quality was ordered and accepted by a client. I don't like it either and thus the new default of having it disabled is a useful solution.

^ I do not think that this is true for me at least for the stable branch. I still get it and I have not configured it.

FWIW I like @gouttegd's patchset.

But this ticket has become a bit murky "improve pinentry usability", we should better split it out into different tickets.
I'll do so and add you as subscribers in the new tickets.

aheinecke renamed this task from Remove gpg-agent passphrase nags to Remove gpg-agent passphrase nags for empty / none passphrase. Mar 14 2019, 9:26 AM

The issue for the quality indication is: T2103