
pinentry: pinentry-curses doesn't allow to set no password on small terminals
Open, Normal, Public

Description

Debian Buster
pinentry-curses 1.1.0
gnupg 2.2.12

I want to generate a key pair without password protection with pinentry-curses.
It doesn't work: I get into a loop re-asking me for a password.
If I use a graphical pinentry it works.

Editing a key pair to remove the password also doesn't work.

Details

Version
1.1.0

Event Timeline

I just tried and Pinentry asks me whether I really want to use an unprotected key. Take care that you hit the right button.

Perhaps I should explain the steps I'm doing.
I'm on a minimal Debian Buster instance.

  1. gpg2 --full-gen-key
  2. Insert stuff.
  3. See Dialog:

Real name: Test1 Tester
Email address: test1@example.com
Comment: no pw
You selected this USER-ID:

"Test1 Tester (no pw) <test1@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
-> Insert O

  4. See dialog:

┌──────────────────────────────────────────────────────┐
│ Please enter the passphrase to                       │
│ protect your new key                                 │
│                                                      │
│ Passphrase: ________________________________________ │
│                                                      │
│       <OK>                              <Cancel>     │
└──────────────────────────────────────────────────────┘

  5. Press TAB -> <OK> is highlighted.
  6. Press Return.

> I expect it to ask me, if I don't want protection, but after 0.5 sec the dialog:

┌──────────────────────────────────────────────────────┐
│ Please enter the passphrase to                       │
│ protect your new key                                 │
│                                                      │
│ Passphrase: ________________________________________ │
│                                                      │
│       <OK>                              <Cancel>     │
└──────────────────────────────────────────────────────┘

reappeared.

And yes: If I install pinentry-gtk2 and follow the steps, it works as expected.

I'm not sure if the dialog comes from pinentry-curses or is some kind of gnupg on-board dialog. But it seems
that this dialog doesn't work as expected.

It is the pinentry-curses, which is needed to reproduce the problem.
Using tab and Return to navigate the dialog.
After pressing ok, the password question dialog reappears. I tried 20 times to press ok, every time the password question dialog reappeared.
If I press cancel, the process aborts. So I'm sure, I hit the right button.

I debugged some more.

The problem is triggered if the terminal is 80x25.
After pressing ok in the pinentry-curses dialog, I see:
DBG: error calling pinentry: Screen or window too small <Pinentry>

If I enlarge the console size to: 115x25 with the same setup, I see the

You have not entered a passphrase - this is in general a bad idea!
Please confirm that you do not want to have any protection on your key.

dialog, like expected.

aheinecke triaged this task as Normal priority.
aheinecke added a subscriber: aheinecke.

I can reproduce this.

DISPLAY= gpg --yes --homedir $(mktemp -d) --quick-gen-key foo@bar.baz

@werner Do you think that pinentry-curses should be fixed to avoid GPG_ERR_WINDOW_TOO_SMALL by adding line breaks, or do you think gpg-agent should handle this better and error out instead of looping?

I think gpg-agent should just abort in that case and print the window too small error.

aheinecke renamed this task from pinentry doesn't allow to set no password to pinentry: pinentry-curses doesn't allow to set no password on small terminals. May 8 2020, 12:32 PM

@aheinecke thanks for commenting.

IMO it should be fixed, because some terminal width cannot easily be changed, so it should work
at least down to 60 characters of width, I'd say. (Of course it is fine to fail if it is getting ridiculously small, like 10 chars. :) )
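
A sketch of the "adding line breaks" option discussed above, as an added example that is neither pinentry's code nor part of the thread: it wraps the confirmation text quoted in the report to the available width and reports "too small" only when even the wrapped text cannot fit. The 4-column/4-row overhead is an assumed layout and button labels are not modelled, so the thresholds here do not match real pinentry-curses.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout for this sketch (not pinentry's real geometry):
   one border and one padding column per side, plus top/bottom
   borders, a blank row and a button row around the description. */
#define H_OVERHEAD 4
#define V_OVERHEAD 4

/* Constructed from the confirmation text quoted in the report. */
static const char DESC[] =
    "You have not entered a passphrase - this is in general a bad idea!\n"
    "Please confirm that you do not want to have any protection on your key.";

/* Rows needed to show text in `width` columns. With wrap=0 only the
   existing '\n' breaks are used; with wrap=1 lines also break greedily
   at spaces. Returns -1 if an unbreakable unit is wider than `width`. */
static int rows_needed(const char *text, int width, int wrap)
{
    int rows = 1, col = 0;
    for (const char *p = text; *p; ) {
        if (*p == '\n') { rows++; col = 0; p++; continue; }
        if (wrap && *p == ' ') { p++; continue; }
        int len = (int)strcspn(p, wrap ? " \n" : "\n");
        if (len > width) return -1;           /* cannot be made to fit */
        int need = (col ? col + 1 : 0) + len; /* +1 for separating space */
        if (need > width) { rows++; col = len; }
        else col = need;
        p += len;
    }
    return rows;
}

/* 1 if the dialog fits a cols x lines terminal, 0 for "window too small". */
static int dialog_fits(int cols, int lines, int wrap)
{
    int rows = rows_needed(DESC, cols - H_OVERHEAD, wrap);
    return rows > 0 && rows + V_OVERHEAD <= lines;
}

int main(void)
{
    const int widths[] = { 115, 60, 10 };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++)
        printf("%3dx25: as-is=%d wrapped=%d\n", widths[i],
               dialog_fits(widths[i], 25, 0), dialog_fits(widths[i], 25, 1));
    return 0;
}
```

Under these assumptions a 60-column terminal rejects the text as-is but accepts it once wrapped, while 10 columns fails either way because single words no longer fit.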

It's worth noting that this issue is particularly impactful for devices with small screens whose sizes cannot be changed. A Raspberry Pi with an Adafruit touchscreen would almost certainly have issues, for example.
This also applies to mobile devices. For context, I use Termux on my Android phone, and this issue manifests there. I can enter the passphrase for an existing key and decrypt/sign with it, but any attempt to create a new key throws me into the same loop that the OP describes. (Interestingly, this happens whether or not I actually supply a new passphrase.)
Since I am on a mobile device in this scenario, my terminal dimensions are 56x115. I'm not familiar with the implementation details of GPG, but is there any chance we could fall back to a single-line, sudo-style password prompt if pinentry fails (or have pinentry fall back to that internally if the normal mode fails)? That should work on terminals of just about any size.
(As an additional note, I've also tried flipping into landscape orientation, hoping that would increase my screen width sufficiently. However, my keyboard then occupies most of the screen, and I receive the expected error message, gpg: agent_genkey failed: Screen or window too small.)
EDIT: I'm running GPG 2.3.1 and pinentry 1.1.1.