Page MenuHome GnuPG

timeout for pinentry too short for key-generation, losing previous entries
Open, WishlistPublic

Description

The timeout for getting the new passphrase for a fresh key pair seems too short, because if you start looking for a good passphrase, you may take longer than the timeout now (which probably is about 60 seconds or so).

If this happens, the process aborts and the previously made manual selections and data like "real name", key length
and so on, is lost and needs to be reentered.

Tested with gpg (GnuPG) 2.2.20 on pinentry curses and pinentry default buster.

Potential solutions:

  • in interative mode, try to ask if the user wants a new pinentry or wants to abort, and announce the timeout like (60 seconds timeout)
  • extend to timeout to something more reasonable for key creation only, like 5 or 10 minutes.

Event Timeline

bernhard updated the task description. (Show Details)
bernhard updated the task description. (Show Details)
werner triaged this task as Wishlist priority.Jun 13 2020, 3:04 PM
werner added a project: pinentry.
werner added a subscriber: werner.

5 or 10 minutes are not reasonable in this case. Users are expected to attend the key generation. Your idea of having a countdown after, say 30 seconds, makes sense and should be easy to implement in the pinentries.

To explain the use case, I've started coming up with a good passphrase and this took a bit of time with a pencil and paper in front of me. When I wanted to type it in, it was too late. Thus I guess that some people will look up good rules of passphrases or at least make sure they can remember the one they are typing in.

In my opinion this is also a problem. Especially if you think about it for a while. The one minute timeout is too short and pinentry-timeout which I would expect here to be the config value to adjust this is not used.

pinentry-timeout is indeed used when it is not set to 0.

The timeout comes from pinentry/pinentry.c

/* Pinentry timeout in seconds.  */
pinentry.timeout = 60;

If the agent explicitly sets this it is overwritten. I think this should be changed but since we have the global configuration I can also live with just configuring it to a value I find more appropiate. I am changing it to 10 minutes. Basically I never want to see the timeout if the user has not forgotten about the dialog altogether.