diff --git a/NEWS b/NEWS index bc1745b..c8b5195 100644 --- a/NEWS +++ b/NEWS @@ -1,379 +1,388 @@ -Noteworthy changes in version 1.1.1 (unreleased) +Noteworthy changes in version 1.1.1 (2021-01-21) ------------------------------------------------ * A EFL-based pinentry has been contributed. + * Disable echoing in backspace key is pressed first + (GTK, Qt, TQt, and ncurses pinentries). + + * Support line editing in TTY pinentry. + + * Remove support for old GTK+2 (< 2.12.0). + + * Various minor fixes. + Noteworthy changes in version 1.1.0 (2017-12-03) ------------------------------------------------ * A FLTK1.3-based pinentry has been contributed. * A TQt3-based pinentry has been contributed. * New option --ttyalert for pinentry-curses to alert the user. * Don't show "save passphrase" checkbox if secret service is unavailable. * The GTK Pinentry shows on Linux some information anout the process which invoked the Pinentry. * The GTK Pinentry does not anymore show tooltips when keyboard grabbing is enabled. * Fixed various minor problems. Noteworthy changes in version 1.0.0 (2016-11-22) ------------------------------------------------ * Qt pinentry now supports repeat mode in one dialog. * Qt and GTK pinentries now make it possible to show the entered value. * Qt pinentry now only grabs the keyboard if an entry field is focused. * Fixed foreground handling in pinentry-qt if compiled with Qt5 for Windows. * Fixed potential crash in Qt qualitybar calculation. * GTK keyboard grabbing is now a bit more robust. The cursor is changed to a big dot as a visual indication that a pinentry has popped up and is waiting for input. * The GNOME pinentry now falls back to curses if it can't use the GCR system prompter or a screenlock is active. * Fixed error output for cached passwords. * A show/hide passphrase button or checkbox is now available with some pinentry flavors. * Improved diagnostics and error codes. Noteworthy changes in version 0.9.7 (2015-12-07) ------------------------------------------------ * Fix regressions in the Qt pinentry. * Fix minor problems pinnetyr-tty. * New option --invisible-char. Noteworthy changes in version 0.9.6 (2015-09-10) ------------------------------------------------ * Many improvements for the dump tty pinentry. * Use the standard GTK+-2 text entry widget instead of our outdated and back-then-it-was-more-secure text widget. * Use the standard Qt text widget. * Allow for building a static Qt variant. * Fix regression in w32 pinentry. Noteworthy changes in version 0.9.5 (2015-07-01) ------------------------------------------------ * Replaced the internal Assuan and gpg-error code by the standard libassuan and libgpg-error libraries. * Add a new Emacs pinentry and use as fallback for GUI programs. * gnome3: The use-password-manager checkbox does now work. * Gtk: Improved fallback to curses feature. * curses: Recognize DEL as backspace. Noteworthy changes in version 0.9.4 (2015-06-05) ------------------------------------------------ * Fix regression in GTK+ and curses pinentries. Noteworthy changes in version 0.9.3 (2015-06-01) ------------------------------------------------ * Improved documentation * New pinentry-gnome3 * More improvements for pinentry-tty. * Fixes for pinentry-curses including support for Ctrl-W, Ctrl-U, Ctrl-H, Ctrl-L, and Alt-Backspace * New Assuan command to request clearing an external cache. * Fixed problems linking to ncursesw. * All kind of other minor fixes. Noteworthy changes in version 0.9.2 (2015-05-11) ------------------------------------------------ * Support for saving the passphrase with libsecret. * Escape key works in the Gtk+ pinentry. * Improvements for pinentry-tty. * Minor cleanups for the native Windows pinentry. Noteworthy changes in version 0.9.1 (2015-03-18) ------------------------------------------------ * Fixed build problems for systems without ncurses. * Reworked the option parser to allow building on systems without getopt_long. * Fixed Qt4 build problems. Noteworthy changes in version 0.9.0 (2014-10-26) ------------------------------------------------ * New command SETREPEAT. Currently only supported for Gtk+-2. * Gtk+-2: Pasting using the mouse is now supported. * curses: Check that it is actually connected to a tty. * Removed the old qt-3 and gtk+-1 pinentries. Noteworthy changes in version 0.8.4 (2014-09-18) ------------------------------------------------ * New pinentry-tty version for dumb terminals. * Qt4: New option to enable pasting the passphrase from clipboard * Qt4: Improved accessiblity * Qt4: Raise confirm message windows into foreground * Qt4 (Windows): Improve the way pinentry-qt raises itself in the foreground. * Improved the build system. Noteworthy changes in version 0.8.3 (2013-04-26) ------------------------------------------------ * Build fixes for newer mingw32 toolchains. * Add SETTIMEOUT command for the gtk+-2 pinentry. Noteworthy changes in version 0.8.2 (2012-08-08) ------------------------------------------------ * New SETTIMEOUT command for the qt4 pinentry. * Wide character support for the curses pinentry. * Various bug fixes. Noteworthy changes in version 0.8.1 (2010-12-16) ------------------------------------------------ * The W32 pinentry now supports WindowsCE. * The GTK pinentry now always sticks to the top and properly grabs the keyboard. * The protocol options default-cancel and default-ok now work for the pinentry-gtk2 and pinentry-qt (that is QT3). Noteworthy changes in version 0.8.0 (2010-03-03) ------------------------------------------------ * Beautified the qt4 pinentry * Minor enhancements. Noteworthy changes in version 0.7.6 (2009-06-19) ------------------------------------------------ * Make Gtk+-2 pinentry transient to the root window. * Add Qt4 pinentry. * Add native W32 pinentry. * Fix utf-8 problem in Qt pinentries. * Return GPG_ERR_CANCELED if during a "CONFIRM" command the user closed the window. * Add quality bar. Noteworthy changes in version 0.7.5 (2008-02-15) ------------------------------------------------ * Fix cross compilation for Gtk+-2 pinentry. * New Assuan command GETINFO with subcommands "version" and "pid". Noteworthy changes in version 0.7.4 (2007-11-29) ------------------------------------------------ * Pinentry-gtk-2 and pinentry-qt now support a simple passphrase quality indicator. Noteworthy changes in version 0.7.3 (2007-07-06) ------------------------------------------------ * New command MESSAGE and --one-button compatibility option to CONFIRM. * New Assuan option touch-file to set a file which will be touched after ncurses does not need the display anymore. * New option --colors=FG,BG,SO to set the colors for the curses pinentry. * Pinentry-w32 does now basically work. It needs some finishing though. For example the buttons should resize themself according to the size of the text. Noteworthy changes in version 0.7.2 (2005-01-27) ------------------------------------------------ * Remove bug in configure script that would use installed version of Qt even if another path was explicitely specified with QTDIR. * Honor the rpath setting for Qt. * Add GTK+-2 pinentry. * Install a symbolic link under the name "pinentry" that defaults to pinentry-gtk, pinentry-qt, pinentry-gtk-2, or pinentry-curses, in that order. Noteworthy changes in version 0.7.1 (2004-04-21) ------------------------------------------------ * Removed unneeded Assuan cruft. * Fixes for *BSD. Noteworthy changes in version 0.7.0 (2003-12-23) ------------------------------------------------ * Make UTF8 description (prompt, error message, button texts) work. * Make sure that secmem_term is called before program termination. * Make assuan in Gtk and Curses pinentry use secure memory for storage. * Fixed a bug that would occur if a canceled GETPIN was immediately followed by a CONFIRM. * Disabled undo/redo in Qt pinentry. * Print diagnostics for locale problems and return a new error code in that case. Noteworthy changes in version 0.6.8 (2003-02-07) ------------------------------------------------ * Bug fix in pinentry-qt. Noteworthy changes in version 0.6.7 (2002-11-20) ------------------------------------------------ * Workaround for a bug in the curses version which led to an infinite loop. Noteworthy changes in version 0.6.6 (2002-11-09) ------------------------------------------------ * Fixed handling of DISPLAY and --display for the sake of the curses fallback. * UTF-8 conversion does now work for the GTK+ and CURSES version. Noteworthy changes in version 0.6.5 (2002-09-30) ------------------------------------------------ * Handle Assuan options in the qt version. Noteworthy changes in version 0.6.4 (2002-08-19) ------------------------------------------------ * Handle CONFIRM command in the qt version. Noteworthy changes in version 0.6.3 (2002-06-26) ------------------------------------------------ * Minor bug fixes to the qt version. Noteworthy changes in version 0.6.2 (2002-05-13) ------------------------------------------------ * Error texts can now be percent-escaped. * The Curses pinentry supports multi-line error texts. * The GTK+ and Qt pinentry can fall back to curses if no display is available. Noteworthy changes in version 0.6.1 (2002-04-25) ------------------------------------------------ * The Curses pinentry supports user-provided button texts via the new SETOK and SETCANCEL commands. * The Curses pinentry supports setting the desired character set locale with --lc-ctype and correctly translates the UTF-8 strings into that. Noteworthy changes in version 0.6.0 (2002-04-05) ------------------------------------------------ * Merged all pinentry frontends into a single module. * There is now a Curses frontend. * The curses pinentry supports --ttyname and --ttytype options to set the desired input/output terminal and its type. Noteworthy changes in version 0.5.1 (2002-02-18) ------------------------------------------------ * CONFIRM command works Noteworthy changes in version 0.5.0 (2002-01-04) ------------------------------------------------ * Window layout is somewhat nicer * percent escape sequences do now work for SETDESC and SETERROR diff --git a/README b/README index 981d653..d946ff3 100644 --- a/README +++ b/README @@ -1,68 +1,71 @@ PINEntry --------- This is a collection of PIN or passphrase entry dialogs which utilize the Assuan protocol as specified in the Libassuan manual. There are programs for different toolkits available. For all GUIs it is automatically detected which modules can be built, but it can also be requested explicitly. GUI OPTION DEPENDENCIES -------------------------------------------------------------------------- GTK+ V2.0 --enable-pinentry-gtk2 Gimp Toolkit Library, Version 2.0 eg. libgtk-x11-2.0 and libglib-2.0 GNOME --enable-pinentry-gnome GNOME Qt --enable-pinentry-qt Qt (> 4.4.0) +TQt --enable-pinentry-tqt Trinity Qt +Enlightenment --enable-pinentry-efl EFL (>= 1.18) +FLTK --enable-pinentry-fltk Fast Light Toolkit (>= 1.3) Curses --enable-pinentry-curses Curses library, for example ncurses TTY --enable-pinentry-tty Simple TTY version, no dependencies The GTK+, GNOME, and Qt pinentries can fall back to curses mode. The option to enable this is --enable-fallback-curses, but this is also detected automatically in the same way --enable-pinentry-curses is. The fallback to curses also works if --disable-pinentry-curses is specified. So to disable linking to curses completely you have to pass --disable-fallback-curses to the configure script as well. Examples: * To only build the GTK+ pinentry with curses support: ./configure --enable-pinentry-gtk2 --enable-fallback-curses \ --disable-pinentry-curses --disable-pinentry-qt * To build the Qt pinentry, and the other pinentries if they are supported: ./configure --enable-pinentry-qt * To build everything that is supported (complete auto-detection): ./configure Some of the code is taken from Robert Bihlmeyer's Quintuple-Agent. For security reasons, all internationalization has been removed. The client is expected to tell the PIN entry the text strings to be displayed. Curses Pinentry --------------- The curses pinentry supports colors if the terminal does. The colors can be specified by the --colors=FG,BG,SO option, which sets the foreground, background and standout colors respectively. The standout color is used for error messages. Colors can be named by any of "black", "red", "green", "yellow", "blue", "magenta", "cyan" and "white". The foreground and standout color can be prefixed by "bright-", "bright", "bold-" and "bold", and any of these prefixes has the same effect of making the color bolder or brighter. Two special color names are defined as well: "default" chooses the default color, and "none" disables use of colors. The name "none" is only meaningful for the standout color and in this case a reversed effect is used for error messages. For the other colors, disabling colors means the same as using the defaults. The default colors are as follows: Foreground: Terminal default Background: Terminal default Standout: Bright red Note that color support is limited by the capabilities of the display terminal. Some color combinations can be very difficult to read, and please know that colors are perceived differently by different people. diff --git a/doc/pinentry.texi b/doc/pinentry.texi index a4acd8b..eb97cd0 100644 --- a/doc/pinentry.texi +++ b/doc/pinentry.texi @@ -1,753 +1,753 @@ \input texinfo @c -*-texinfo-*- @c %**start of header @setfilename pinentry.info @include version.texi @macro copyrightnotice Copyright @copyright{} 2002, 2005, 2015 g10 Code GmbH @end macro @macro permissionnotice Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. The text of the license can be found in the section entitled ``Copying''. @end macro @macro pinentry @sc{pinentry} @end macro @settitle Using the PIN-Entry @c Create a separate index for command line options. @defcodeindex op @c Merge the standard indexes into a single one. @syncodeindex fn cp @syncodeindex vr cp @syncodeindex ky cp @syncodeindex pg cp @syncodeindex tp cp @c printing stuff taken from gcc. @macro gnupgtabopt{body} @code{\body\} @end macro @macro gnupgoptlist{body} @smallexample \body\ @end smallexample @end macro @c Makeinfo handles the above macro OK, TeX needs manual line breaks; @c they get lost at some point in handling the macro. But if @macro is @c used here rather than @alias, it produces double line breaks. @iftex @alias gol = * @end iftex @ifnottex @macro gol @end macro @end ifnottex @c %**end of header @ifnottex @dircategory GNU Utilities @direntry * pinentry: (pinentry). Securely ask for a passphrase or PIN. @end direntry This file documents the use and the internals of the @pinentry{}. This is edition @value{EDITION}, last updated @value{UPDATED}, of @cite{The `PINEntry' Manual}, for version @value{VERSION}. @sp 1 Published by g10 Code GmbH@* Hüttenstr. 61@* 40699 Erkrath, Germany @sp 1 @copyrightnotice{} @sp 1 @permissionnotice{} @end ifnottex @setchapternewpage odd @titlepage @title Using the PIN-Entry @subtitle Version @value{VERSION} @subtitle @value{UPDATED} @author Werner Koch @code{(wk@@gnupg.org)} @page @vskip 0pt plus 1filll @copyrightnotice{} @sp 2 @permissionnotice{} @end titlepage @summarycontents @contents @page @node Top @top Introduction @cindex introduction This manual documents how to use the @pinentry{} and its protocol. The @pinentry{} is a small GUI application used to enter PINs or passphrases. It is usually invoked by @sc{gpg-agent} (@pxref{Invoking GPG-AGENT, ,Invoking the gpg-agent, gnupg, The `GNU Privacy Guard' Manual}, for details). @pinentry{} comes in several flavors to fit the look and feel of the used GUI toolkit: A @sc{GTK+} based one named @code{pinentry-gtk}; a @sc{Qt} based one named @code{pinentry-qt}; and, two non-graphical ones @code{pinentry-curses}, which uses curses, and @code{pinentry-tty}, which doesn't require anything more than a simple terminal. Not all of them are necessarily available on your installation. If curses is supported on your system, the GUI-based flavors fall back to curses when the @code{DISPLAY} variable is not set. @menu * Using pinentry:: How to use the beast. * Front ends:: Description and comparison of the front ends Developer information * Protocol:: The Assuan protocol description. * Implementation Details:: For those extending or writing a new pinentry. Miscellaneous * Copying:: GNU General Public License says how you can copy and share PIN-Entry as well as this manual. Indices * Option Index:: Index to command line options. * Index:: Index of concepts and symbol names. @end menu @node Using pinentry @chapter How to use the @pinentry{} @c man begin DESCRIPTION You may run @pinentry{} directly from the command line and pass the commands according to the Assuan protocol via stdin/stdout. @c man end @c man begin OPTIONS Here is a list of options supported by all flavors of pinentry: @table @gnupgtabopt @item --version @opindex version Print the program version and licensing information. @item --help @opindex help Print a usage message summarizing the most useful command line options. @item --debug @itemx -d @opindex debug @opindex d Turn on some debugging. Mostly useful for the maintainers. Note that this may reveal sensitive information like the entered passphrase. @c @item --enhanced @c @itemx -e @c @opindex enhanced @c @opindex e @c Ask for timeouts and insurance, too. Note that this is currently not @c fully supported. @item --no-global-grab @itemx -g @opindex no-global-grab @opindex g Grab the keyboard only when the window is focused. Use this option if you are debugging software using the @pinentry{}; otherwise you may not be able to to access your X session anymore (unless you have other means to connect to the machine to kill the @pinentry{}). @item --parent-wid @var{n} @opindex parent-wid Use window ID @var{n} as the parent window for positioning the window. Note, that this is not fully supported by all flavors of @pinentry{}. @item --timeout @var{seconds} @opindex timeout Give up waiting for input from the user after the specified number of seconds and return an error. The error returned is the same as if the Cancel button was selected. To disable the timeout and wait indefinitely, set this to 0, which is the default. @item --display @var{string} @itemx --ttyname @var{string} @itemx --ttytype @var{string} @itemx --lc-ctype @var{string} @itemx --lc-messages @var{string} @opindex display @opindex ttyname @opindex ttytype @opindex lc-ctype @opindex lc-messa These options are used to pass localization information to @pinentry{}. They are required because @pinentry{} is usually called by some background process which does not have any information about the locale and terminal to use. It is also possible to pass these options using Assuan protocol options. @end table @node Front ends @chapter Front Ends There are several different flavors of @pinentry{}. Concretely, there -are Gtk+2, Qt@tie{}4, Gnome@tie{}3, Emacs, curses and tty variants. -These different implementations provide higher levels of integration -with a specific environment. For instance, the Gnome@tie{}3 -@pinentry{} uses Gnome@tie{}3 widgets to display the prompts. For -Gnome@tie{}3 users, this higher level of integration provides a more -consistent aesthetic. However, this comes at a cost. Because this -@pinentry{} uses so many components, there is a larger chance of a -failure. In particular, there is a larger chance that the passphrase -is saved in memory and that memory is exposed to an attacker (consider -the OpenSSL Heartbeat vulnerability). +are Gtk+2, Qt@tie{}4, TQt, EFL, FLTK, Gnome@tie{}3, Emacs, curses and +tty variants. These different implementations provide higher levels +of integration with a specific environment. For instance, the +Gnome@tie{}3 @pinentry{} uses Gnome@tie{}3 widgets to display the +prompts. For Gnome@tie{}3 users, this higher level of integration +provides a more consistent aesthetic. However, this comes at a cost. +Because this @pinentry{} uses so many components, there is a larger +chance of a failure. In particular, there is a larger chance that the +passphrase is saved in memory and that memory is exposed to an +attacker (consider the OpenSSL Heartbeat vulnerability). To understand how many components touch the passphrase, consider again the Gnome@tie{}3 implementation. When a user presses a button on the keyboard, the key is passed from the kernel to the X@tie{}server to the toolkit (Gtk+) and to the actual text entry widget. Along the way, the key is saved in memory and processed. In fact, the key presses are probably read using standard C library functions, which buffer the input. None of this code is careful to make sure the contents of the memory are not leaked by keeping the data in unpagable memory and wiping it when the buffer is freed. However, even if they did, there is still the problem that when a computer hibernates, the system writes unpagable memory to disk anyway. Further, many installations are virtualized (e.g., running on Xen) and have little control over their actual environment. The curses variant uses a significant smaller software stack and the tty variant uses an even smaller one. However, if they are run in an X@tie{}terminal, then a similar number of components are handling the passphrase as in the Gnome@tie{}3 case! Thus, to be most secure, you need to direct GPG@tie{}Agent to use a fixed virtual console. Since you need to remain logged in for GPG@tie{}Agent to use that console, you should run there and have @code{screen} or @code{tmux} lock the tty. The Emacs pinentry implementation interacts with a running Emacs session and directs the Emacs instance to display the passphrase prompt. Since this doesn't work very well if there is no Emacs running, the generic @pinentry{} backend checks if a @pinentry{}-enabled Emacs should be used. Specifically, it looks to see if the @code{INSIDE_EMACS} variable is set and then attempts to establish a connection to the specified address. If this is the case, then instead of, e.g., @code{pinentry-gtk2} displaying a Gtk+2 pinentry, it interacts with the Emacs session. This functionality can be explicitly disabled by passing @code{--disable-inside-emacs} to @code{configure} when building @pinentry{}. Having Emacs get the passphrase is convenient, however, it is a significant security risk. Emacs is a huge program, which doesn't provide any process isolation to speak of. As such, having it handle the passphrase adds a huge chunk of code to the user's trusted computing base. Because of this concern, Emacs doesn't enable this by default, unless the @code{allow-emacs-pinentry} option is explicitly set in his or her @code{.gnupg/gpg-agent.conf} file. Similar to the inside-emacs check, the @pinentry{} frontends check whether the @code{DISPLAY} variable is set and a working X server is available. If this is not the case, then they fallback to the curses front end. This can also be disabled by passing @code{--disable-fallback-curses} to @code{configure} at build time. @c @c Assuan Protocol @c @node Protocol @chapter @pinentry{}'s Assuan Protocol The @pinentry{} should never service more than one connection at once. It is reasonable to exec the @pinentry{} prior to a request. The @pinentry{} does not need to stay in memory because the @sc{gpg-agent} has the ability to cache passphrases. The usual way to run the @pinentry{} is by setting up a pipe (not a socket) and then fork/exec the @pinentry{}. The communication is then done by means of the protocol described here until the client is satisfied with the result. Although it is called a @pinentry{}, it allows entering reasonably long strings (strings that are up to 2048 characters long are supported by every pinentry). The client using the @pinentry{} has to check for correctness. Note that all strings are expected to be encoded as UTF-8; @pinentry{} takes care of converting it to the locally used codeset. To include linefeeds or other special characters, you may percent-escape them (e.g., a line feed is encoded as @code{%0A}, the percent sign itself is encoded as @code{%25}, etc.). The following is a list of supported commands: @table @gnupgtabopt @item Set the timeout before returning an error @example C: SETTIMEOUT 30 S: OK @end example @item Set the descriptive text to display @example C: SETDESC Enter PIN for Richard Nixon S: OK @end example @item Set the prompt to show When asking for a PIN, set the text just before the widget for passphrase entry. @example C: SETPROMPT PIN: S: OK @end example You should use an underscore in the text only if you know that a modern version of pinentry is used. Modern versions underline the next character after the underscore and use the first such underlined character as a keyboard accelerator. Use a double underscore to escape an underscore. @item Set the window title This command may be used to change the default window title. When using this feature you should take care that the window is still identifiable as the pinentry. @example C: SETTITLE Tape Recorder Room S: OK @end example @item Set the button texts There are three texts which should be used to override the English defaults: To set the text for the button signaling confirmation (in UTF-8). See SETPROMPT on how to use an keyboard accelerator. @example C: SETOK Yes S: OK @end example To set the text for the button signaling cancellation or disagreement (in UTF-8). See SETPROMPT on how to use an keyboard accelerator. @example C: SETCANCEL No S: OK @end example In case three buttons are required, use the following command to set the text (UTF-8) for the non-affirmative response button. The affirmative button text is still set using SETOK and the CANCEL button text with SETCANCEL. See SETPROMPT on how to use an keyboard accelerator. @example C: SETNOTOK Do not do this S: OK @end example @item Set the Error text This is used by the client to display an error message. In contrast to the other commands, the error message is automatically reset with a GETPIN or CONFIRM, and is only displayed when asking for a PIN. @example C: SETERROR Invalid PIN entered - please try again S: OK @end example @item Enable a passphrase quality indicator Adds a quality indicator to the GETPIN window. This indicator is updated as the passphrase is typed. The clients needs to implement an inquiry named "QUALITY" which gets passed the current passphrase (percent-plus escaped) and should send back a string with a single numerical value between -100 and 100. Negative values will be displayed in red. @example C: SETQUALITYBAR S: OK @end example If a custom label for the quality bar is required, just add that label as an argument as a percent-escaped string. You will need this feature to translate the label because @pinentry{} has no internal gettext except for stock strings from the toolkit library. If you want to show a tooltip for the quality bar, you may use @example C: SETQUALITYBAR_TT string S: OK @end example @noindent With STRING being a percent escaped string shown as the tooltip. @item Ask for a PIN The meat of this tool is to ask for a passphrase of PIN, it is done with this command: @example C: GETPIN S: D no more tapes S: OK @end example Note that the passphrase is transmitted in clear using standard data responses. Expect it to be in UTF-8. @item Ask for confirmation To ask for a confirmation (yes or no), you can use this command: @example C: CONFIRM S: OK @end example The client should use SETDESC to set an appropriate text before issuing this command, and may use SETPROMPT to set the button texts. The value returned is either OK for YES or the error code @code{ASSUAN_Not_Confirmed}. @item Show a message To show a message, you can use this command: @example C: MESSAGE S: OK @end example alternatively you may add an option to confirm: @example C: CONFIRM --one-button S: OK @end example The client should use SETDESC to set an appropriate text before issuing this command, and may use SETOK to set the text for the dismiss button. The value returned is OK or an error message. @item Set the output device When using X, the @pinentry{} program must be invoked with an appropriate @code{DISPLAY} environment variable or the @code{--display} option. When using a text terminal: @example C: OPTION ttyname=/dev/tty3 S: OK C: OPTION ttytype=vt100 S: OK C: OPTION lc-ctype=de_DE.UTF-8 S: OK @end example The client should use the @code{ttyname} option to set the output TTY file name, the @code{ttytype} option to the @code{TERM} variable appropriate for this tty and @code{lc-ctype} to the locale which defines the character set to use for this terminal. @item Set the default strings To avoid having translations in Pinentry proper, the caller may set certain translated strings which are used by @pinentry{} as default strings. @example C: OPTION default-ok=_Korrekt S: OK C: OPTION default-cancel=Abbruch S: OK C: OPTION default-prompt=PIN eingeben: S: OK @end example The strings are subject to accelerator marking, see SETPROMPT for details. @item Passphrase caching Some environments, such as GNOME, cache passwords and passphrases. The @pinentry{} should only use an external cache if the @code{allow-external-password-cache} option was set and a stable key identifier (using SETKEYINFO) was provided. In this case, if the passphrase was read from the cache, the @pinentry{} should send the @code{PASSWORD_FROM_CACHE} status message before returning the passphrase. This indicates to GPG Agent that it should not increment the passphrase retry counter. @example C: OPTION allow-external-password-cache S: OK C: SETKEYINFO key-grip S: OK C: getpin S: S PASSWORD_FROM_CACHE S: D 1234 S: OK @end example Note: if @code{allow-external-password-cache} is not specified, an external password cache must not be used: this can lead to subtle bugs. In particular, if this option is not specified, then GPG Agent does not recognize the @code{PASSWORD_FROM_CACHE} status message and will count trying a cached password against the password retry count. If the password retry count is 1, then the user will never have the opportunity to correct the cached password. Note: it is strongly recommended that a pinentry supporting this feature provide the user an option to enable it manually. That is, saving a passphrase in an external password manager should be opt-in. The key identifier provided SETKEYINFO must be considered opaque and may change in the future. It currently has the form @code{X/HEXSTRING} where @code{X} is either @code{n}, @code{s}, or @code{u}. In the former two cases, the HEXSTRING corresponds to the key grip. The key grip is not the OpenPGP Key ID, but it can be mapped to the key using the following: @example # gpg2 --with-keygrip --list-secret-keys @end example @noindent and searching the output for the key grip. The same command-line options can also be used with gpgsm. @end table @node Implementation Details @chapter Implementation Details The pinentry source code can be divided into three categories. There is a backend module, which lives in @code{pinentry/}, there are utility functions, e.g., in @code{secmem/}, and there are various frontends. All of the low-level logic lives in the backend. This frees the frontends from having to implement, e.g., the Assuan protocol. When the backend receives an option, it updates the state in a @code{pinentry_t} struct. The frontend is called when the client either calls @code{GETPIN}, @code{CONFIRM} or @code{MESSAGE}. In these cases, the backend invokes the @code{pinentry_cmd_handler}, which is passed the @code{pinentry_t} struct. When the callback is invoked, the frontend should create a window based on the state in the @code{pinentry_t} struct. For instance, the title to use for the dialog's window (if any) is stored in the @code{title} field. If the is @code{NULL}, the frontend should choose a reasonable default value. (Default is not always provided, because different tool kits and environments have different reasonable defaults.) The widget needs to support a number of different interactions with the user. Each of them is described below. @table @gnupgtabopt @item Passphrase Confirmation When creating a new key, the passphrase should be entered twice. The client (typically GPG Agent) indicates this to the @pinentry{} by invoking @code{SETREPEAT}. In this case, the backend sets the @code{repeat_passphrase} field to a copy of the passed string. The value of this field should be used to label a second text input. It is the frontend's responsibility to check that the passwords match. If they don't match, the frontend should display an error message and continue to prompt the user. If the passwords do match, then, when the user presses the okay button, the @code{repeat_okay} field should be set to @code{1} (this causes the backend to emit the @code{S PIN_REPEATED} status message). @item Message Box Sometimes GPG Agent needs to display a message. In this case, the @code{pin} variable is @code{NULL}. At the Assuan level, this mode is selected by using either the @code{MESSAGE} or the @code{CONFIRM} command instead of the @code{GETPIN} command. The @code{MESSAGE} command never shows the cancel or an other button. The same holds for @code{CONFIRM} if it was passed the ``--one-button'' argument. If @code{CONFIRM} was not passed this argument, the dialog for @code{CONFIRM} should show both the @code{ok} and the @code{cancel} buttons and optionally the @code{notok} button. The frontend can determine whether the dialog is a one-button dialog by inspecting the @code{one_button} variable. @item Passphrase Entry If neither of the above cases holds, then GPG Agent is simply requesting the passphrase. In this case, the @code{ok} and @code{cancel} buttons should be displayed. @end table The layout of the three variants is quite similar. Here are the relevant elements that describe the layout: @table @gnupgtabopt @item @code{title} The window's title. @item @code{description} The reason for the dialog. When requesting a passphrase, this describes the key. When showing a message box, this is the message to show. @item @code{error} If GPG Agent determines that the passphrase was incorrect, it will call @code{GETPIN} again (up to a configurable number of times) to again prompt the user. In this case, this variable contains a description of the error message. This text should typically be highlighted in someway. @item @code{prompt}, @code{default-prompt} The string to associate with the passphrase entry box. There is a subtle difference between @code{prompt} and @code{default-prompt}. @code{default-prompt} means that a stylized prompt (e.g., an icon suggesting a prompt) may be used. @code{prompt} means that the entry's meaning is not consistent with such a style and, as such, no icon should be used. If both variables are set, the @code{prompt} variant takes precedence. @item @code{repeat_passphrase} The string to associate with the second passphrase entry box. The second passphrase entry box should only be shown if this is not @code{NULL}. @item @code{ok}, @code{default-ok} The string to show in the @code{ok} button. If there are any @code{_} characters, the following character should be used as an accelerator. (A double underscore means a plain underscore should be shown.) If the frontend does not support accelerators, then the underscores should be removed manually. There is a subtle difference between @code{ok} and @code{default-ok}. @code{default-ok} means that a stylized OK button should be used. For instance, it could include a check mark. @code{ok} means that the button's meaning is not consistent with such an icon and, as such, no icon should be used. Thus, if the @code{ok} button should have the text ``No password required'' then @code{ok} should be used because a check mark icon doesn't make sense. If this variable is @code{NULL}, the frontend should choose a reasonable default. If both variables are set, the @code{ok} variant takes precedence. @item @code{cancel}, @code{default-cancel} Like the @code{ok} and @code{default-ok} buttons except these strings are used for the cancel button. This button should not be shown if @code{one_button} is set. @code{default-notok} Like the @code{default-ok} button except this string is used for the other button. This button should only be displayed when showing a message box. If these variables are @code{NULL} or @code{one_button} is set, this button should not be displayed. @item @code{quality_bar} If this is set, a widget should be used to show the password's quality. The value of this field is a label for the widget. Note: to update the password quality, whenever the password changes, call the @code{pinentry_inq_quality} function and then update the password quality widget correspondingly. @item @code{quality_bar_tt} A tooltip for the quality bar. @item @code{default_pwmngr} If @code{may_cache_password} and @code{keyinfo} are set and the user consents, then the @pinentry{} may cache the password with an external manager. Note: getting the user's consent is essential, because password managers often provide a different level of security. If the above condition is true and @code{tried_password_cache} is false, then a check box with the specified string should be displayed. The check box must default to off. @item @code{default-cf-visi} The string to show with a question if you want to confirm that the user wants to change the visibility of the password. @item @code{default-tt-visi} Tooltip for an action that would reveal the entered password. @item @code{default-tt-hide} Tooltip for an action that would hide the password revealed by the action labeld with @code{default-tt-visi} @end table When the handler is done, it should store the passphrase in @code{pin}, if appropriate. This variable is allocated in secure memory. Use @code{pinentry_setbufferlen} to size the buffer. The actual return code is dependent on whether the dialog is in message mode or in passphrase mode. If the dialog is in message mode and the user pressed ok, return 1. Otherwise, return 0. If an error occurred, indicate this by setting it in @code{specific_err} or setting @code{locale_err} to @code{1} (for locale specific errors). If the dialog was canceled, then the handler should set the @code{canceled} variable to @code{1}. If the not ok button was pressed, don't do anything else. If the dialog is in passphrase mode return @code{1} if the user entered a password and pressed ok. If an error occurred, return @code{-1} and set @code{specific_err} or @code{locale_err}, as above. If the user canceled the dialog box, return @code{-1}. If the window was closed, then the handler should set the @code{close_button} variable and otherwise act as if the cancel button was pressed. @c --------------------------------------------------------------------- @c Legal Blurbs @c --------------------------------------------------------------------- @include gpl.texi @c --------------------------------------------------------------------- @c Indexes @c --------------------------------------------------------------------- @node Option Index @unnumbered Option Index @printindex op @node Index @unnumbered Index @printindex cp @c --------------------------------------------------------------------- @c Epilogue @c --------------------------------------------------------------------- @bye