Fixed in 8e3aa3204e74e8d7a7538e0d0f04e555f140131b.

FTR: EFL == enlightenment foundation libraries. Calling this
"Enlightenment-based" is like calling the GTK pinentry "Metacity-based".

It does work, but contrary to my expectations it is rather unpolished. I'll
talk to Mike.

Little update with latest 1.0.0 release:

– nothing new regarding pinentry-gnome3, still working nicely;
– nothing new regarding pinentry-gtk-2, but I know why it doesn’t take into
account my dead keys anymore and it’s not an issue on pinentry side;
– thanks to the new “show passphrase” button, I’ve been able to figure where the
issue lies with pinentry-qt: while invoked in the terminal, it does take into
account my dead keys, but while invoked via Thunderbird/Enigmail, it does not
(altought pinentry-gnome3 does).

So I suppose this is in fact an issue with Enigmail… Any hints on what they
could be doing wrong so that I can report this to them?

So, regarding Qt, the issue has been acknowledged
(https://bugreports.qt.io/browse/QTBUG-56452). Using IBus as suggested in
https://bugreports.qt.io/browse/QTBUG-49438, I know have dead keys working
properly in most apps. But…

Previously, the situation was as following:

— pinentry-qt4 was working everywhere.
– pinentry-qt was not working properly for me because I wasn’t able to input
some characters.
– pinentry-gnome3 wasn’t showing up in Thunderbird/Enigmail, but worked OK in a
terminal (GETPIN).
– pinentry-gtk-2 was working properly in a terminal (GETPIN), but not in
Thunderbird/Enigmail (deciphering failed, with the right passphrase obviously).

And now:

– pinentry-qt4 doesn’t exist anymore.
– pinentry-qt is as pinentry-gtk-2 was before: works OK in a terminal (GETPIN),
but not in Thunderbird (fails to decipher). Sighs…
– pinentry-gnome3 does show up in Thunderbird/Enigmail, and works correctly. I’m
currently using this one, even if that’s not totally satisfying.
– pinentry-gtk-2 doesn’t take my dead keys into account anymore.

For the last one, honestly I don’t care, gtk2 is being phased out, and it’s
probably not an issue on pinentry side.

However, the fact pinentry-qt doesn’t work correctly in Thunderbird/Enigmail is
strange. Do you think this is an issue with pinentry-qt or these programs?

SETREPEAT is an optional feature - thus I changed this to a feature requests.

curses can't figure out the window size and thus it returns -1 for the size.
Pinentry's test for the required window size thus returns an error.

I have added new error codes to libgpg-error to either return
ERR 83886383 Screen or window too small <Pinentry>
or in our case:
ERR 83886383 Required environment variable not set <Pinentry>

That does not directly point to a problem with the TTY but it shows the cause
for the error (COLUMNS, LINES etc not set).

Can you please test if the following patch that has been committed recently

fixes your problem?

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=pinentry.git;a=commitdiff;h=2227f67af53f38d3d7f97760f2553d2c9ed05969

Cloning the git repository (commit id 2227f67af53f38d3d7f97760f2553d2c9ed05969)
followed by

autogen.sh
./configure --enable-maintainer-mode
make

works, i.e. the warning/error is not present any more.
So this patch seems to fix the issue.

The command line for gcc backs this observation (note the includes):

gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/include/ncursesw -I../pinentry -Wall -g
-O2 -Wall -Wcast-align -Wshadow -Wstrict-prototypes -Wformat -Wno-format-y2k
-Wformat-security -W -Wno-sign-compare -Wno-missing-field-initializers -Wdeclaratio
n-after-statement -Wno-pointer-sign -Wpointer-arith -MT pinentry-curses.o -MD
-MP -MF .deps/pinentry-curses.Tpo -c -o pinentry-curses.o pinentry-curses.c

Can you please test if the following patch that has been committed recently
fixes your problem?

https://git.gnupg.org/cgi-bin/gitweb.cgi?
p=pinentry.git;a=commitdiff;h=2227f67af53f38d3d7f97760f2553d2c9ed05969

(It is not NCURSES_INCLUDE, but NCURSES_CFLAGS should be set by
PKG_CHECK_MODULES.)

Thanks!

What operating system are you using?

I'm using Gentoo.

(referring to the discussion you linked):

pkg-config ncursesw --cflags returns "-I/usr/include/ncursesw", which is the
correct path. However, this include is not listed in the gcc command line (see
initial message).

I'm no expert in make nor autotools, but looking at pinentry/Makefile $COMPILE
uses $INCLUDES and $AM_CPPFLAGS. However $INCLUDES is not defined and
$AM_CPPFLAGS only adds -I../secmem. Also, nothing seems to use the variable
$NCURSES_INCLUDE (which is set to the pkg-config value "-I/usr/include/ncursesw").

This leads me to the wild guess that the pkg-config definitions for ncurses are
ignored by configure (or however sets up the Makefile). Instead the default
include directory /usr/include is used which has the wrong curses.h header. I
would like to submit a patch, but I sadly have no knowledge about make and automake.

Fixed in 2f1f1f06.

Grabbing the pointer might have unexpected repercussions though, e.g. one isn't
able to move windows around anymore. Let's see how it turns out.

What operating system are you using?

We had the exact same patch committed (21e83f42) and later reverted (f0db3192).
Discussion: https://lists.gnupg.org/pipermail/gnupg-devel/2015-June/030051.html

This is really weird. Merely not adding the password reveal button to the hbox
'fixes' this problem. Therefore, I don't believe that the patch introduces the
bug, it merely makes it manifest itself.

I looked around in the related gtk bits, but I believe the problem might be in
the X server, or the asynchronous interaction with it. I don't believe it is
worth digging further into X.

Workaround committed in ad390f29.

Ah, I misunderstood your problem. In the future, please paste all program interactions in one chunk
in the right order. We did merge some changes related to exporting of secret keys, so it may very
well be solved by that.

Thanks for caring :)

I think the problem is that your key export fails, because you pointed
--homedir at the (presumably) empty directory "%tmp%\_tempKeyring".

The export did not use any filter and tried to export a key as can be seen in
Msg8313 "error receiving key from agent"
The import itself also stated no errors as it can be seen in T2355 (dranft on May 12 2016, 03:00 PM / Roundup), but this
imported secret key cannot be used (or exported) anymore.
Also important: This is no longer reproducible in 2.1.14 (which might be enough
to set the bug to fixed)

I don't believe this demonstrates a bug.

I think the problem is that your key export fails, because you pointed --homedir at the (presumably)
empty directory "%tmp%\_tempKeyring". This leads to the not very helpful error message about the
eof. If the export were successful, gpg would have written the key to stdout.

For reference, here is what I tried. First GNUPGHOME points to a home with the key I want to export:

    $ echo $GNUPGHOME
    /tmp/tmp.T7I4M9RIc3
    $ g10/gpg --list-keys alpha
    gpg: please do a --check-trustdb
    pub   dsa1024 1999-03-08 [SCA]
          A0FF4590BB6122EDEF6E3C542D727CC768697734
    uid           [ unknown] Alfa Test (demo key) <alfa@example.net>
    uid           [ unknown] Alpha Test (demo key) <alpha@example.net>
    uid           [ unknown] Alice (demo key)
    sub   elg1024 1999-03-08 [E]

You need some kind of pinentry program, because you may be asked for the current passphrase or an
export passphrase:

    $ cat $GNUPGHOME/gpg-agent.conf
    pinentry-program /usr/bin/pinentry-x11

Now export the key:

    $ g10/gpg --export-secret-keys alpha >/tmp/alpha.gpg

Now I create an empty home, and import the key in batch mode:

    $ export GNUPGHOME=$(mktemp -d)
    $ g10/gpg --batch --import /tmp/alpha.gpg
    gpg: keybox '/tmp/tmp.bL2caQmZri/pubring.kbx' created
    gpg: /tmp/tmp.bL2caQmZri/trustdb.gpg: trustdb created
    gpg: key 2D727CC768697734: public key "Alfa Test (demo key) <alfa@example.net>" imported
    gpg: key 2D727CC768697734: secret key imported
    gpg: Total number processed: 3
    gpg:               imported: 1
    gpg:       secret keys read: 3
    gpg:   secret keys imported: 2

Could you please check if that works for you?

Hi, thanks for testing master.

I can semi reproduce this. For me it works the first time but a second call to
getpin fails.

$ ./pinentry-gtk-2
OK Pleased to meet you
getpin
D hello
OK
getpin

• (pinentry-gtk-2:29090): CRITICAL **: could not grab keyboard

ERR 83886179 Operation cancelled <Pinentry>

And indeed this goes away with f4b5049c68a79d5e4faba06447db5440936cefeb~1

Looking at the code I don't see a reason for this. Maybe the dialog?
The code without the dialog 71b51e02cf20174ba7144765e985f7e889eaa429 also allows
me to repeatedly call getpin.

Werner: Any idea? I'm a bit clueless which change in the patch could have caused
that.

Please report this to Debian. This is not a part of upstream Pinentry.

PS: forget the --homedir thing, it is even reprodicable in the default folder in
%appdata%.

Sorry, forgot my import cmdline:

C:\Program Files (x86)\GNU\GnuPG\2.1.12\bin>gpg --batch --homedir
%tmp%\_tempKeyring --import "P:\2EEC2B65A2B4B3EF.sec.asc"
gpg: Die "Keybox" `C:/Users/ranftd/AppData/Local/Temp/_tempKeyring/pubring.kbx'
wurde erstellt
gpg: C:/Users/ranftd/AppData/Local/Temp/_tempKeyring/trustdb.gpg: trust-db erzeugt
gpg: Schlüssel A2B4B3EF: Öffentlicher Schlüssel "Daniel Ranft (Giegerich &
Partner GmbH)" importiert
gpg: Schlüssel A2B4B3EF: "Daniel Ranft (Giegerich & Partner GmbH)" nicht geändert
gpg: Schlüssel A2B4B3EF: geheimer Schlüssel importiert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 4
gpg: importiert: 1
gpg: unverändert: 1
gpg: gelesene geheime Schlüssel: 3
gpg: unveränderte geh. Schl.: 2
gpg: keine ultimativ vertrauenswürdigen Schlüssel gefunden

I've now pushed a patch to the GTK variant based on werner's original work with
the message box and the string button labels.

I was unable to get the tab order working correctly so that the visibility
button comes last in GTK. I've tried it with gtk_container_set_focus_chain but
it did not work as expected. When set on the wvbox it disabled tab changes
altogether. When set on the cbbox or bbbox it somewhat worked (e.g. when I
removed a widget from my list it was no longer tabbable) but it would not add
the repeat edit and the visibility toggle button although both were part of my list.
Probably a problem because of the sublayouts?

I noted this in the code so if someone wants to change that you are welcome :-)

Am Donnerstag, 14. April 2016 16:24:59 schrieb Andre Heinecke via BTS:

But from the discussion here and back then I took that draft to be no
longer up to date and that the MessageBox Question approach with small icon
buttons is not wanted.

I know your first draft.

But from the discussion here and back then I took that draft to be no longer up
to date and that the MessageBox Question approach with small icon buttons is not
wanted.

I also don't know where we agreed that an Eye icon is a bad idea for this action.
This icon in similar to the one of the Windows Login screen and the same one
used in KDE. So it is recognizable for this action.

If you strongly favor the Message box variant I can change it to that.

No string changes in gpg-agent please.

I though we agreed that a watching eye is not a good icon for various reasons?

For the GTK version I already proposed a different layout:
it is still available at https://wiki.gnupg.org/ScratchWK . That fallback
solution tales away to much real estate

Better screenshot of the fallback showing a real call by gpg-agent instead of a
"getpin"

Neal: I've commited this with: 71b51e02cf20174ba7144765e985f7e889eaa429

The Make passphrase visible is in the tab order after the line edit. I don't
know how to best change this in GTK and the "Save passphrace using libsecret"
button would have the same problem.

I don't think it's a real problem though as you would have to tab + space to
make the password visible. Tab + Enter would just accept the dialog.

If you think this ok you can set this issue to resolved. You can also change the
setting you mentioned in T2139 (neal on Dec 07 2015, 10:09 AM / Roundup) . I don't know how. :-)

We might want to change the strings in gpg-agent though. I would prefer: "Show
passphrase" instead of "Make passphrase visible".

Fallback variant. (Qt5 Version with XDG_CURRENT_DESKTOP=GNOME)

The checkbox comes after the cancel button in the Tab order and will not
activate when pressing enter.

This is how I'll add it to the GTK variant now.

I've implemented this for Qt now.

The Qt5 variant with breeze icon theme looks like the attached screenshot. This
is how it will look on Windows and for KDE plasma 5 users.

If the Qt version is too old (The API for the line edit action was added in
Qt5.2) or there is no icon for the visibility actions it falls back to a textual
checkbox.
This also avoids licensing problems with the icons as the icons are loaded
through QIcon::fromTheme.

No, FLTK is not lightweight. It actually adds the requirement for a C++
compiler to GnuPG. And pinentry-w32 shall of course not die!

Werner what is your opinion on this?

pinentry-w32 is broken. It does not handle variable string sizes and there is no
easy way to fix that. Afaik it was never intended as the "default" windows
pinentry but only as a crutch for windows ce experiments.

Would fltk be lightweight enough for your to replace pinentry-w32 in your
installer? In that case I think we should take a serious look at this patch as a
minimal pinentry version for windows.

(And delete pinentry-w32 instead)

I think this can be resolved. Yes older versions did not allow pasting but
recent versions do allow this. So we've fixed the bug in recent versions ->
resolved. No?

The reporter says he is using ubuntu 14 (i assume 14.4) where the default
pinentry is pinentry-gtk2 0.8.3

What is the output of

  gpgconf --list-dirs

?

Yes you are using pinentry, and we need to know what kind of pinentry (there are
several flavors) and which version you are using in order to help you.

Please do 'pinentry --version' and report the output.

To see whether this pinentry is the one you are using, or to play around with it
and the variants, you can do:

echo -e "SETDESC Does this look like your pinentry window?\nGETPIN" | pinentry

You can try replacing pinentry with pinentry-qt for example.

I have done some experiment with it, and it works (though I had
to add ASSUAN_*_FDPASSING flags to a couple of places in gnupg).
However, I think I still need some more opinions to make it a
reviewable state.

First, to make all the things work, gpg would need a new
option (or an envvar?) to tell the FD number. Naively, it could
be named as --emacs-fd, which only works if INSIDE_EMACS is set.
However, it might be too specific, and sounds over-engineering to
me.

Instead, we could add a more generic option, say, --pinentry-fd.
With that option, any pinentry could talk to the caller through
the FD with the Assuan protocol. For security, the effect of the
option shall be restricted only when --pinentry-mode=loopback is
set and working.

In that case, it's tempting to make gpg-agent directly talk to
the FD, instead of spawning pinentry. However, it cannot take
advantage of pinentry's libsecret support and the diversion to
other pinentries (GTK+, ...). Also, it might be a similar
concept of --pinentry-program, which I proposed and was rejected.

What do you think?

Actually, I'm not sure about the current recommendation on the
custom passphrase input options. Given the recent bug fixes,
could --pinentry-mode=loopback be publicly promoted? If so,
I'm happy to withdraw this (and perhaps INSIDE_EMACS stuff) and
add a hack to use --pinentry-mode=loopback.

I think this is reasonable. If you want to implement it, I'll review the
patches. Thanks.

I wonder if we could / should use this as a replacement for Pinentry-w32?

Pinentry-w32 should die and FLTK could be lightweight enough that werner would
include it in gnupg-w32?

Does this mean that pinentry-emacs will only work when an emacs instance calls

gpg?

Yes, it is the intention of this proposal.

Does pinentry-emacs need to support the case that a program other than

emacs calls gpg?

I don't think it is worth being supported. It would be rather confusing if a
GUI program internally using gpg asked passphrases from Emacs window.

I tend to agree with Werner: adding another pinentry program increases our
maintenance burden, but the new pinentry doesn't add any convincing features,
AFAIK. If there are some significant benefits, please add them. Otherwise, I
think I'll change this issue to wont-fix. Sorry. Nevertheless, thank you for
your contribution! I hope you'll find another way to contribute.

Does this mean that pinentry-emacs will only work when an emacs instance calls
gpg? Does pinentry-emacs need to support the case that a program other than
emacs calls gpg?