# how to disable (sanitize) gpg2 GUI features (pinentry)?

## gw

Whenever I try to do symmetric encryption with the new gpg2, a GUI window pops up (pinentry, the necessity of which I really fail to see) asking for the passphrase.

Within this window copy and paste is not possible (why?).

How can I disable this new "feature", that is: simply enter the passphrase from within my terminal application, or how can I at least make pinentry accept copy and paste?

Thanks

gw

----------

## sm4x

Same problem here. I'm trying to invoke gpg via a shell script, and this pinentry-ncurses thingy complains about missing S.gpg-agent and unknown LC_TYPE, so I have to fire up X (!) to use the gtk interface.

Ironically, the ncurses interface works when gpg is invoked directly and not from a shell script. 

So far I didn't find any solution to disable this completely useless feature, just found some hints that this is required now. On my BSD machines same thing, I went with the old gnupg version but this can't be a solution. I honestly don't know why a tool like gpg needs some stupid dependency like this.

Please let me know if you come up with something.

sm4x

----------

## Thorium

If you place

```
export DISPLAY=""
```

in your shell script before you call gpg, then the pinentry curses interface should be started instead of the gtk one.

----------

## sm4x

The ncurses interface *is* actually working, if I execute gpg directly from the command line. 

It is just not working when invoked by a pipe, like

```
cat somefile | gpg --symmetric -a > cryptfile
```

I guess the ncurses interface cannot be set up when it is called by another app. 

So is there any way of completely disabling this pinentry stuff and returning to the passphrase dialog that 1.4.8 had?

sm4x

----------

## Orothain

I don't know of any way to disable the pinentry stuff, but you can force it to use the curses interface by setting

```
pinentry-program /usr/bin/pinentry-curses
```

in ~/.gnupg/gpg-agent.conf (create the file if it doesn't exist).

----------

## Felig

The suggestion to set pinentry-program was confusing -- the gpg-agent man page refers to both pinentry-program and pinentry-pgm, and neither seemed to be useful.  I had to unset DISPLAY to skip the X popup which wants the passphrase, and then I got some horrible text dump without \r, looked like \n only of the kind that used to trigger my reflexes to type "stty sane ^J", but it wouldn't take input.  If that is the ncurses interface, it is useless.

This is really really annoying.  I DO NOT WANT the X interface.  I don't know what the ncurses interface is supposed to add over a simple read from /dev/console because what I have seen doesn't work.

Why can't this program revert to whatever behavior it had before of simply reading /dev/console?  What bright eyed genius decided we all needed X to read passphrases, and that as a consolation prize for us stone age cripples, we could fall back to a broken ncurses interface?

----------

## Konsti

This is very far beyond my understanding also. Is there any way to go back to old-school console password input in any way? I have not found any yet...

----------

## Thimo

One can go back and emerge =gnupg-1.4.9 and therefore ignore that nasty behavior of gnupg-2.

As stated in the release notes of gnupg-2, gnupg-1.* will still be maintained. If you need to invoke gpg in pipes, this may be the way to go, at least until an appropriate console option is available for gnupg-2.* .

----------

## overlourd

gnupg-1.* seems to not work with enigmail, the gnupg-plugin for thunderbird. So downgrading isn't a solution for me.

The gnupg-plugin for vim works fine with gnupg-1.* but not with gnupg-2.*'s ncurses passphrase dialog, so I probably have to keep the crappy gtk one.

----------

## Thimo

Did you start a gpg-agent (with corresponding environment settings) prior to thunderbird?

If you do not use an agent, you have to disable the corresponding option in enigmail.

----------

## swimmer

 *overlourd wrote:*   

> gnupg-1.* seems to not work with enigmail, the gnupg-plugin for thunderbird. So downgrading isn't a solution for me.
> 
> The gnupg-plugin for vim works fine with gnupg-1.* but not with gnupg-2.*'s ncurses passphrase dialog, so I probably have to keep the crappy gtk one.

 

The vim-plugin seems to work now -> http://www.vim.org/scripts/script.php?script_id=661

(Still untested though)

HTH

swimmer

----------

## nlsa8z6zoz7lyih3ap

What is the current state of this situation?

I.e. make gnupg2 behave like gnupg so that  a script with the following line

```
find /home/owner/secure  | afio -ovZ -Pbzip2     -M1024m -|gpg -c  |split  -b500m - secure-bz2-
```

can be run without requiring pinentry or ncurses?

I would be happy with app-crypt/gnupg-1.4.11, which is in portage, but it is not slotted and kdelibs demands gnupg-2.

Last edited by nlsa8z6zoz7lyih3ap on Thu Jun 07, 2012 7:57 pm; edited 1 time in total

----------

## Felig

Good question.  I last used gpg an hour ago and still get that awful pinentry or ncurses entry.  I'd really like something simpler again.

----------

## MassimoM

GPG has alternative methods for passphrase input: pinentry (which is voluntarily not scriptable), from file (but the passphrase should be stored in clear on disk...), from command line argument (which is very insecure, cmdline arguments can be read easily by anyone) and from another FD.

You can do:

```
# gpg2 only honours --passphrase-fd when --batch is also given
tar WHATEVER | gpg -c --batch --passphrase-fd=3 3<<<$(echo this_is_the_passphrase) > WHATEVER.gpg
```

Details in the man page.
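
The file-descriptor approach from the post above, as an added example that is not part of the original thread: POSIX sh functions that prompt on the terminal and hand the passphrase to gpg on fd 3 while stdin carries the data. The function names and the `GPG_PASS` variable are assumptions of this example; the option sets per version follow the gpg man pages.

```shell
#!/bin/sh
# Added example, not from the thread. All function names and GPG_PASS are
# hypothetical; only the gpg options themselves are real.

# Options a given GnuPG version needs before it reads the passphrase from
# fd 3 instead of starting pinentry.
gpg_passfd_flags() {
    case "$1" in
        1.*)   echo "--passphrase-fd 3" ;;          # 1.x reads the fd directly
        2.0.*) echo "--batch --passphrase-fd 3" ;;  # 2.0 ignores it without --batch
        *)     echo "--batch --pinentry-mode loopback --passphrase-fd 3" ;;  # 2.1+
    esac
}

# Version of the gpg on PATH, taken from "gpg (GnuPG) x.y.z".
gpg_version() { gpg --version | awk 'NR == 1 { print $NF }'; }

# Prompt on the terminal with echo off: the passphrase stays out of argv
# (printf is a builtin in dash and bash), shell history and the filesystem.
ask_passphrase() {
    trap 'stty echo < /dev/tty' INT TERM      # restore echo if interrupted
    printf 'Passphrase: ' > /dev/tty
    stty -echo < /dev/tty
    IFS= read -r GPG_PASS < /dev/tty
    stty echo < /dev/tty
    trap - INT TERM
    printf '\n' > /dev/tty
}

# Run "$@" with $GPG_PASS on fd 3 and stdin untouched. A pipe is used because
# some shells back here-documents and here-strings with a temporary file.
with_pass_on_fd3() {
    # fd 4 saves the caller's stdin; inside the pipeline fd 0 is the
    # passphrase pipe, which moves to fd 3 before stdin is restored.
    { printf '%s\n' "$GPG_PASS" | "$@" 3<&0 <&4 4<&-; } 4<&0
}

# Symmetric encryption of stdin to stdout, usable in the middle of a pipe.
encrypt_stream() {
    # Unquoted on purpose: the flag list must split into separate words.
    with_pass_on_fd3 gpg $(gpg_passfd_flags "$(gpg_version)") --symmetric
}

# Usage:
#   ask_passphrase
#   tar cf - ~/secure | encrypt_stream > secure.tar.gpg
#   unset GPG_PASS
```

GnuPG 2.1.0 through 2.1.11 additionally need `allow-loopback-pinentry` in `gpg-agent.conf`; later releases allow loopback by default.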

----------

## Apheus

What happens with pinentry emerged without gtk or qt use flag? Maybe even without ncurses use flag. If there is no other application needing graphical pinentry (like thunderbird[crypt] with enigmail), this should be possible.

----------

## nlsa8z6zoz7lyih3ap

 *Quote:*   

> What happens with pinentry emerged without gtk or qt use flag? Maybe even without ncurses use flag.

 

What happens with me is that it still uses ncurses.  Bizarre, isn't it.

----------

## khayyam

all ...

if you try and build pinentry without either gtk, gtk2, qt, or ncurses it fails:

```
./configure --disable-pinentry-curses --disable-pinentry-gtk --disable-pinentry-gtk2 --disable-pinentry-qt 

[...]

configure: error: No pinentry enabled.
```

As gnupg has no native method, and uses pinentry, this means there is no current method of escaping one or other "interface". If you were happy with how it once was, when a command line interface was an 'option', then step aside, linux is being made 'usable', and your antiquated thinking is standing in the way of progress.

The official advice is "use gpg-agent", which in my case makes ... no, no, don't get me started. So, yes, this is a major annoyance, but unless some stop is put on this drive toward an ill conceived abstracted "user" (which is little more than a strategist's idea of the "usability" requirement for "developing markets") then I think we will see more and more of this type of "development".

best ... khay

----------

## HeXiLeD

It is quite stupid to completely disable or make unavailable the use of copy and paste with pinentry.

It is only intelligent to do so in the minds of those who use passwords like: 12345 or abcdf, god, car, love and so on.

While I do understand the potential security risks (and I block java!) that are around pasting passwords, I do feel like asking the #$%$%#&*$&* developers of the application if they considered passwords like this:

```
B:>\j*]-/z/mdd4EyGfXe{VP^nhjHRi78(n<W8D6wAN5_p<-Y"
```

And how are we supposed to know them. I do advocate security but pinentry's intended functionality is simply STUPID and arrogant. At least an intelligent development would consider an option that would allow the user to select if he wants the functionality or not.

This stupid behaviour has prevented me from using openpgp with my email. All known and half-working workarounds are just messy.

I am quite frustrated with all this pinentry crap.

Either I use small simple crackable passwords or I don't use openpgp at all.

pinentry-curses also does not work.

----------

## nlsa8z6zoz7lyih3ap

 *Quote:*   

> B:>\j*]-/z/mdd4EyGfXe{VP^nhjHRi78(n<W8D6wAN5_p<-Y"

 

That does sound like my kind of password too. Since I cut and paste large bizarre passwords, I use the pinentry-ncurses interface, which does allow it.

There are some tricks to getting it to work.

(1)  

```
USE="ncurses -caps -gtk -qt4 -static" emerge pinentry
```

(2) Before using gpg 

```
export GPG_TTY=`tty`
```

NOTE: I also include the following:

```
export LANG="en_CA"
```

I hope that the above enables you to get cut and paste with pinentry-ncurses working.

Please  feel free to get back to me if you have any follow up comments or questions.

PS  I still find gpg vastly more useful to me than gpg2. I would install the old gpg (which is still in the portage tree)  except that it is not a "slotted" package and gpg2 is required by so much of the modern Desktop. I wonder if anyone knows how to make it into a slotted package?

----------

## HeXiLeD

No luck with thunderbird and your solution as i cannot get an interface to input the password.

and also in  gpg-agent.conf : 

```
pinentry-program /usr/bin/pinentry-curses
no-grab
default-cache-ttl 599940
max-cache-ttl 999999
```

I am however able to open the ncurses interface on a terminal and that is about it.

pinentry should be removed from portage. It is useless for people who actually are interested in secure passwords.

----------

## nlsa8z6zoz7lyih3ap

 *Quote:*   

> No luck with thunderbird and your solution as i cannot get an interface to input the password. 

 

I have to apologize as I never thought of gui programs such as Thunderbird.  My frustration is that I only use gpg on the command line and am now forced to jump through hoops to make it work.

Do you know if it is possible to do high quality encryption from the command line without using gnupg?

----------

## nihil39

 *nlsa8z6zoz7lyih3ap wrote:*   

> Do you know if it is possible to do high quality encryption from the command line without using gnupg?

 

```
app-crypt/ccrypt
     Available versions:  1.9
     Installed versions:  1.9(10:49:48 PM 12/05/2012)
     Homepage:            http://ccrypt.sourceforge.net
     Description:         Encryption and decryption
```

Try to use ccrypt, I just asked for a version bump in bugzilla.

----------

## nlsa8z6zoz7lyih3ap

Thanks very much!

I have installed it and am using it already.

----------

## nihil39

 *nlsa8z6zoz7lyih3ap wrote:*   

> Thanks very much! 
> 
> I have installed it and am using it already.

 

No problem! Can you please join the version bump request by asking and/or voting the bug in the following thread? https://bugs.gentoo.org/show_bug.cgi?id=446170

Version 1.10 adds new useful features. Thanks.

----------

## nlsa8z6zoz7lyih3ap

Done.

PS: The only time that I  submitted a version bump, I  also submitted the new ebuild.

Of course it doesn't automatically go into portage, but it makes it easier for the maintainer to proceed and may well hurry things along.

Are you interested in doing this?

----------

## nlsa8z6zoz7lyih3ap

Renaming  ccrypt-1.9.ebuild as ccrypt-1.10.ebuild  seems to be all that is required to make it compile and work in my private portage.

----------

## olek

If this is still of interest: I just stumbled upon the possibility to emerge app-crypt/pinentry-qt and e.g. choose it with eselect (pinentry-qt, not "...-qt4"!), which is capable of copy&paste.

----------

## eruvaer_ohta

 *olek wrote:*   

> If this is still of interest: I just stumbled upon the possibility to emerge app-crypt/pinentry-qt and e.g. choose it with eselect (pinentry-qt, not "...-qt4"!), which is capable of copy&paste.

 

Thanks a lot for this information! This stupid design of not allowing copy/paste in the standard gtk/qt4 implementation of pinentry has just been giving me headaches. pinentry-qt works, the only downside is that it shows the entered password in cleartext, but the copy/paste functionality clearly outweighs that for me.

----------

## khayyam

 *gw wrote:*   

> How can I disable this new "feature", that is: simply enter the passphrase from within my terminal application, or how can I at least make pinentry accept copy and paste?

 

gw, et al ...

I got *so* fed up with pinentry screwing up the tty when editing with vim I decided to do something about it, and so I'm bumping this just to say getting the old behavior is in fact possible.

/etc/portage/package.mask

```
>=app-crypt/gnupg-2.0.22
```

... it turns out gnupg-1 is still in portage, and still maintained ... so, voila!

```
# emerge -p app-crypt/gnupg

[ebuild   D    ] app-crypt/gnupg-1.4.16
```

... depclean pinentry (and deps) ...

```
# emerge --depclean -a
```

... sanity! ...

```
% vim ~/test.gpg

You need a passphrase to unlock the secret key for user: "khayyam <user@domain.tld>"

4096-bit RSA key, ID FFFFFFFF, created xxxx-xx-xx (main key ID FFFFFFFFF)

Enter passphrase:
```

... unlike with pinentry keyboard navigation works (and please, no, this has nothing to do with GPG_TTY, or 'no-grab', etc).

Hopefully that helps someone ....

best ... khay

----------

## miroR

 *khayyam wrote:*   

>  *gw wrote:*   How can I disable this new "feature", that is: simply enter the passphrase from within my terminal application, or how can I at least make pinentry accept copy and paste? 
> 
> gw, et al ...
> 
> I got *so* fed up with pinentry screwing up the tty when editing with vim I decided to do something about it, and so I'm bumping this just to say getting the old behavior is in fact possible.
> ...

 

khay, pls. accept my gratitude for your good programming.

Air-Gapped Gentoo Install, Tentative

https://forums.gentoo.org/viewtopic-p-7551458.html#7551458

Miroslav Rovis

www.CroatiaFidelis.hr

----------

## Gentlenoob

Hi all,

sorry for resurrecting that old thread... me too still on gpg1 because of that pinentry-nuisance. Now gnome-base/gvfs-1.26.3 seems to insist on pulling in gpg2. Any way to avoid that (least of masking)? Is there a simple way to make gpg 1 & 2 coexist?

Alternatively, any trick on getting back command line / stdin passphrase input ala gpg1 in gpg2 as well?

Thanks a lot!

----------

