
pinentry-qt: Earlier passphrase hint when creating new key
Open, Low, Public

Description

When you create a new key in Kleopatra, the only instruction shown is "Please enter the passphrase to protect your new key". If you enter a passphrase shorter than 9 characters, you only get a warning and "A passphrase should be at least 9 characters long. A passphrase may not be a known term or match certain pattern." after you have clicked "OK" in the new pinentry window for the second try.

I would at least expect a short note "(>= 9 characters)" in the first pinentry window.

And add that information in the warning that appears if you try an empty password, too.
(Instead of just "An empty passphrase is not allowed.")

Event Timeline

ikloecker renamed this task from earlier passphrase hint when creating new key to pinentry-qt: Earlier passphrase hint when creating new key. Jul 15 2022, 12:57 PM

It's already possible to define a short and a long hint for the constraints via the file doc/help.txt and its translations. This is a standard technique used by GnuPG for customization of several UI texts. Since the passphrase constraints can be very complex we don't try to come up with a suitable default hint.

Note that the hints are only displayed/used if the constraints are actually enforced.

This has been implemented with T5517: Improvements for symmetric encryption and T5532: pinentry: Add support for checking passphrase constraints to pinentry-qt.

It seems to be a GnuPG-VSD packaging issue, then.

aheinecke moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Aug 26 2022, 2:22 PM
aheinecke lowered the priority of this task from Normal to Low. Sep 5 2022, 4:39 PM
aheinecke added a subscriber: aheinecke.

I think there was a misunderstanding here. We already set .pinentry.constraints.hint.long and .pinentry.constraints.hint.short in GnuPG-VSD but firstly they are only about symmetric.
And the issue for which @ebo opened this ticket is in my opinion that you have to fail first before you see the hint.

Maybe a user spends some time thinking about a password or so and then just sees it's denied because it is only 7 characters long. That could be frustrating. So maybe in a future version we add support for some more help texts.

aheinecke moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Sep 5 2022, 4:50 PM

> And the issue for which @ebo opened this ticket is in my opinion that you have to fail first before you see the hint.

It's not true that you have to fail first before you see the hint.

Running

pinentry <<EOF
OPTION no-grab
OPTION default-ok=|pinentry-label|_OK
OPTION default-cancel=|pinentry-label|_Cancel
OPTION default-prompt=|pinentry-label|PIN:
OPTION default-pwmngr=|pinentry-label|_Save in password manager
OPTION default-cf-visi=Do you really want to make your passphrase visible on the screen?
OPTION default-tt-visi=|pinentry-tt|Make passphrase visible
OPTION default-tt-hide=|pinentry-tt|Hide passphrase
OPTION default-capshint=Caps Lock is on
SETTIMEOUT 60
GETINFO flavor
GETINFO version
GETINFO ttyinfo
GETINFO pid
SETDESC Enter a symmetric passphrase
SETPROMPT Passphrase:
OPTION formatted-passphrase
OPTION formatted-passphrase-hint=pinentry.formatted_passphrase.hint
SETGENPIN Suggest
SETGENPIN_TT pinentry.genpin.tooltip-eg-Suggest a random passphrase.
OPTION constraints-enforce
OPTION constraints-hint-short=pinentry.constraints.hint.short
OPTION constraints-hint-long=pinentry.constraints.hint.long
OPTION constraints-error-title=Passphrase Not Allowed
SETREPEAT Repeat:
GETPIN
EOF

you get the following pinentry which clearly shows "pinentry.constraints.hint.short"

The long hint is "hidden" in the tooltip of the short hint.

Moreover, I'm not sure that this only works for symmetric. As far as I can tell, pinentry has no idea whether gpg-agent is asking for a passphrase for symmetric encryption or for a passphrase for protecting a secret key.

A problem may be that we have separate options for pattern files for symmetric and key-protecting passphrases:

--check-passphrase-pattern file
--check-sym-passphrase-pattern file

but only a single constraints hint that's shown for both.
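The session above drives pinentry by hand over its Assuan protocol. As an added example (not code from this task, from GnuPG or from pinentry), the Python client below builds the same kind of GETPIN script with the constraints-* options from the transcript, percent-escapes values the way Assuan requires, and decodes the reply: the D line carrying the passphrase, or an ERR line whose gpg-error number packs an error source and an error code. Only the command and option names come from the thread; the function names, hint texts and the sample reply transcripts are mine and constructed.

```python
"""Added example: a minimal Assuan client for pinentry (not pinentry's or GnuPG's code).
Option names follow the transcript in the thread; helper names and sample replies are ours."""
import subprocess
from typing import Dict, List, Optional

# Bytes that Assuan requires to be percent-escaped inside a command or data line.
_ASSUAN_SPECIAL = b"%\r\n"


def assuan_escape(data: bytes) -> bytes:
    """Percent-escape '%', CR and LF so a value fits on one Assuan line."""
    return b"".join(
        b"%%%02X" % b if b in _ASSUAN_SPECIAL else bytes([b]) for b in data
    )


def assuan_unescape(data: bytes) -> bytes:
    """Undo assuan_escape: every %XX becomes the byte 0xXX."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0x25 and i + 2 < len(data):  # '%' followed by two hex digits
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def build_getpin_script(desc: str, prompt: str, hint_short: str, hint_long: str,
                        error_title: str = "Passphrase Not Allowed",
                        repeat: Optional[str] = "Repeat:") -> List[bytes]:
    """Assuan commands for one GETPIN that shows the constraint hint up front.

    The thread notes that the hints are only displayed when constraints are
    enforced, so 'OPTION constraints-enforce' is always sent (hint texts are ours).
    """
    def opt(name: str, value: str) -> bytes:
        return b"OPTION " + name.encode() + b"=" + assuan_escape(value.encode())

    script = [
        b"OPTION no-grab",
        b"SETDESC " + assuan_escape(desc.encode()),
        b"SETPROMPT " + assuan_escape(prompt.encode()),
        b"OPTION constraints-enforce",
        opt("constraints-hint-short", hint_short),
        opt("constraints-hint-long", hint_long),
        opt("constraints-error-title", error_title),
    ]
    if repeat:
        script.append(b"SETREPEAT " + assuan_escape(repeat.encode()))
    script += [b"GETPIN", b"BYE"]
    return script


def parse_reply(raw: bytes) -> Dict[str, object]:
    """Interpret pinentry's reply stream for a GETPIN.

    Returns the decoded passphrase (None when cancelled or on error) and, for an
    ERR line, the gpg-error number split into the source (bits 24-30) and code
    (low 16 bits) fields the way libgpg-error packs them.
    """
    result: Dict[str, object] = {"passphrase": None, "error": None, "status": []}
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line or line.startswith(b"#"):
            continue  # blank lines and comments carry nothing
        keyword, _, rest = line.partition(b" ")
        if keyword == b"D":  # data may arrive in several D lines; concatenate
            result["passphrase"] = (result["passphrase"] or b"") + assuan_unescape(rest)
        elif keyword == b"S":
            result["status"].append(rest.decode(errors="replace"))
        elif keyword == b"ERR":
            num, _, msg = rest.partition(b" ")
            code = int(num)
            result["error"] = {
                "number": code,
                "source": (code >> 24) & 0x7F,
                "code": code & 0xFFFF,
                "message": msg.decode(errors="replace"),
            }
    return result


def drive_pinentry(script: List[bytes], program: str = "pinentry") -> Dict[str, object]:
    """Run a real pinentry (needs one installed and a display); not used by the tests."""
    proc = subprocess.run([program], input=b"\n".join(script) + b"\n",
                          stdout=subprocess.PIPE, check=False)
    return parse_reply(proc.stdout)


# Constructed reply streams standing in for a real pinentry (one OK per command sent).
SAMPLE_OK = (b"OK Pleased to meet you\n" + b"OK\n" * 8
             + b"D 50%25off!2024\nOK\nOK closing connection\n")
SAMPLE_CANCEL = (b"OK Pleased to meet you\n" + b"OK\n" * 8
                 + b"ERR 83886179 Operation cancelled <Pinentry>\nOK closing connection\n")

if __name__ == "__main__":
    demo = build_getpin_script("Enter the passphrase to protect your new key", "Passphrase:",
                               "At least 9 characters",
                               "Use at least 9 characters; known terms are rejected.")
    print(b"\n".join(demo).decode())
    print(parse_reply(SAMPLE_OK))
    print(parse_reply(SAMPLE_CANCEL))
```

Running the script prints the command sequence and the two decoded sample replies; with a pinentry installed, `drive_pinentry(build_getpin_script(...))` sends the same sequence to the real program. The escaping matters for the hint texts themselves: a long hint containing a newline or a percent sign would otherwise break the OPTION line.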

Well, when creating OpenPGP keys with Kleopatra I did not see any hints. I do not think that the issue would be valid for password-based encryption. There the common use case is autogeneration, anyway.

@ikloecker yes as mentioned in my response the current hints are only for symmetric.

> @ikloecker yes as mentioned in my response the current hints are only for symmetric.

That's a problem because I think gpg-agent's --enforce-passphrase-constraints option doesn't make a difference.

In T6085#162918, @ebo wrote:
> Well, when creating OpenPGP keys with Kleopatra I did not see any hints. I do not think that the issue would be valid for password-based encryption. There the common use case is autogeneration, anyway.

Autogeneration isn't viable if an organization has stupid password constraints that the autogenerated passwords do not satisfy. In particular, the autogenerated passwords do not contain any non-alphanumeric characters, but many password policies require such a character.

Sorry for responding to such an old issue, but for symmetric keys we have convinced every customer, as far as I know, to allow our autogenerated passwords. They have a special rule in the symrules file.

Because the usual use case is that someone from OrgA sends a symmetric password to someone at OrgB. If they have different password rules they then can't reuse that password for communication. So our autogenerated ones are the ones people are using. :)

But for asymmetric passwords there is still no hint. But before pinentry could show anything there would need to be support for that in GnuPG.

> @ikloecker yes as mentioned in my response the current hints are only for symmetric.

> That's a problem because I think gpg-agent's --enforce-passphrase-constraints option doesn't make a difference.

No, since we have different rules for symmetric and asymmetric passwords we would need different hints. There is no support for that in GnuPG; there are no such hints definable in help.txt.