danielittlewood n00b
Joined: 13 Apr 2020 Posts: 60
Posted: Fri Nov 06, 2020 12:30 pm Post subject: Pinentry curses prompt from a script?
If I have pinentry set to qt or gnome3, then when I try to decrypt something from a script I get a prompt to enter my passphrase. If I have it set to curses, then decrypting from a terminal is ok, but from a script it just fails silently. Is it possible to pop up a terminal running pinentry-curses, when decrypting from a script with an uncached passphrase?
_________________ With man it is impossible, but with gcc all things are possible.
figueroa Advocate
Joined: 14 Aug 2005 Posts: 3007 Location: Edge of marsh USA
Posted: Mon Nov 09, 2020 3:54 am
It works here if the script has "#!/bin/sh" as the first line and I select "Run in terminal".
_________________ Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
danielittlewood n00b
Joined: 13 Apr 2020 Posts: 60
Posted: Wed Nov 25, 2020 7:43 pm
figueroa wrote: It works here if the script has "#!/bin/sh" as the first line and I select "Run in terminal"
Hi Andy, thanks for your reply.
The script I'm trying to run is below:
Code:
#!/bin/sh
cd ~/.password-store
find -name '*.gpg' | sed 's/.gpg//' | sed 's/.\///' | dmenu | xargs pass -c
I get "gpg: decryption failed: No secret key".
However, I don't know what you mean when you say "I select Run in terminal" - this sounds like a prompt from some other program, I don't get such a prompt. Do you know what causes it?
Ideally I'd like to run this script through dmenu, which is my usual flow, so the script won't generally be called from a terminal. But while I was testing I couldn't debug it in the terminal, so I assume there is an issue there.
Hu Administrator
Joined: 06 Mar 2007 Posts: 23070
Posted: Wed Nov 25, 2020 8:03 pm
gpg accepts the argument --pinentry-program to choose what pinentry to run. You might be able to get the results you want if you specify a program that runs /usr/bin/xterm -e usual-pinentry-program-with-arguments. You would need to create such a script, and find how to tell pass to pass that argument to gpg. Why do you want to use a terminal to enter the passphrase when you are otherwise avoiding use of a terminal? Wouldn't it be easier and simpler to let gpg use a graphical pinentry in this case?
As an aside, your script could be simplified. You don't need 2 calls to sed.
danielittlewood n00b
Joined: 13 Apr 2020 Posts: 60
Posted: Wed Nov 25, 2020 8:36 pm
Thanks Hu,
The question is motivated by trying to see whether I could get by using only ncurses, and avoiding qt and gtk. I don't have a particularly good reason for doing that, I was just curious to see whether you could.
The thing I'm imagining is a pop-up terminal similar to the qt/gtk prompts, but running ncurses-pinentry. You're probably right that it's simpler to use one of the graphical prompts, but I couldn't see a good reason why this wouldn't work too and wanted to try it out.
figueroa Advocate
Joined: 14 Aug 2005 Posts: 3007 Location: Edge of marsh USA
Posted: Wed Nov 25, 2020 9:13 pm
I'm a little baffled by the script that starts with "find."
Here is my actual script to display an encrypted png image with ImageMagick's convert program:
Code:
#!/bin/sh
gpg -d -o - /scratch/Documents/chase.png.gpg | convert - -resize 500 x:
The script is in my path and I run it from the terminal. My default pinentry is pinentry-curses.
Also, from a symbolic link on the Desktop (running OpenBox with PCManFM controlling the desktop) clicking on the desktop icon pops up a dialog, and I select "run in terminal." The password dialog comes up in the terminal. The prompt for "run in terminal" is probably from PCManFM.
danielittlewood n00b
Joined: 13 Apr 2020 Posts: 60
Posted: Wed Nov 25, 2020 9:32 pm
figueroa wrote: I'm a little baffled by the script that starts with "find."
Sorry, it might not be the best script I ever wrote! The idea is just that ".password-store" holds a bunch of password.gpg files, the script gets the basenames, pipes them into dmenu for one to be selected, and then pipes the selected one into pass to decrypt it. Internally, pass calls gpg.
Perhaps the difference is that gpg gets called from a script, or from inside pass? In any case, I don't get a prompt when running pinentry-ncurses. I don't have a desktop environment per se, so maybe that's not surprising.
Hu Administrator
Joined: 06 Mar 2007 Posts: 23070
Posted: Wed Nov 25, 2020 9:48 pm
gpg can be run from a script. However, if you run the script with no tty, and gpg needs to use a pinentry program that requires a tty, then the pinentry program fails for the lack of the tty, and then gpg fails because pinentry failed. Your choices are:
- Run the script with a tty
- Run a pinentry that does not need a tty
- Wrap invocation of the pinentry in a helper that will ensure pinentry has a tty, even when gpg itself does not
We know the first path works because OP told us that in the second sentence of the first post. We know the second path works because OP told us that in the first sentence of the first post. We don't know that the third path works, but I would expect it to work if done correctly. In fact, the third path is what the OP asked "Is it possible to ...", and I suggested how to do it.
figueroa Advocate
Joined: 14 Aug 2005 Posts: 3007 Location: Edge of marsh USA
Posted: Wed Nov 25, 2020 10:00 pm
Try OpenBox. It's light and lovable.
danielittlewood n00b
Joined: 13 Apr 2020 Posts: 60
Posted: Wed Nov 25, 2020 10:39 pm
@Hu I had a go at implementing your suggestion. It looks like pinentry-program is an option for gpg-agent rather than gpg. I added to my $HOME/.gnupg/gpg-agent.conf:
Code:
pinentry-program /home/daniel/bin/pinentry-st
and created the script /home/daniel/bin/pinentry-st:
Code:
#!/bin/sh
st -e pinentry-curses
but I get:
Code:
$ gpg -d ~/.password-store/gentoo-forums.gpg
..
gpg: public key decryption failed: No pinentry
gpg: decryption failed: No secret key
I tried changing to xterm too just in case and it's no better.
If I run pinentry-st from the command line I get the "OK pleased to meet you" (I don't know what this is, but it resembles what I get typing pinentry-curses in the command line). So I haven't figured this bit out yet.
@figueroa will do, thanks for the recommendation!
Hu Administrator
Joined: 06 Mar 2007 Posts: 23070
Posted: Wed Nov 25, 2020 11:29 pm
You are correct; that is a gpg-agent option. I started from info gnupg and searched for references to pinentry. I did not notice that info had navigated me into the agent documentation.
Based on experiments here, it looks like pinentry magically knows which descriptors are used, rather than receiving them on the command line. You will need to arrange for the spawned pinentry to have its descriptors in the right place. This may be (but probably will not be) as simple as:
Code:
#!/bin/bash
# Save this wrapper's stdin/stdout/stderr on fresh descriptor numbers
exec {fd0}<&0 {fd1}>&1 {fd2}>&2
# Start pinentry inside a terminal and hand those saved descriptors back to it as fds 0-2
/usr/bin/xterm -e /bin/bash -c "/usr/bin/pinentry-curses $@ 0<&$fd0- 1>&$fd1- 2>&$fd2-"
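The third option from Hu's earlier post and the descriptor question raised just above, as an added example that is not code from the thread: a small Assuan client that drives pinentry the way gpg-agent does. It shows that pinentry is told which terminal to draw on by name ("OPTION ttyname=..."), while the commands and replies travel over pinentry's own stdin/stdout, so a wrapper has to keep that pipe on fds 0/1 and point pinentry at a terminal separately. The protocol logic runs against any send/recv pair; the real run assumes pinentry-curses is on PATH and that GPG_TTY or a tty on stdin exists.

```python
"""Minimal Assuan client for pinentry. Added example, not code from the thread;
assumes pinentry-curses is on PATH when run_pinentry() is used for real."""
import os
import re
import subprocess

def decode_data(payload):
    """Undo Assuan %XX escaping (used for '%', CR and LF) on a 'D ' reply."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), payload)

def assuan_getpin(send, recv, ttyname, desc="Enter passphrase", prompt="Passphrase:"):
    """Drive one GETPIN exchange the way gpg-agent does: the terminal is named via
    OPTION ttyname, while commands and replies travel over pinentry's stdin/stdout.
    send(line) writes a command, recv() returns one reply line; returns (pin, None)
    on success or (None, error_line) on failure."""
    if not recv().startswith("OK"):            # greeting: "OK Pleased to meet you"
        return None, "no Assuan greeting"
    for cmd in (f"OPTION ttyname={ttyname}", f"SETDESC {desc}", f"SETPROMPT {prompt}"):
        send(cmd)
        reply = recv()
        if not reply.startswith("OK"):
            return None, reply
    send("GETPIN")
    pin = None
    while True:
        reply = recv()
        if reply.startswith("D "):             # the passphrase, %XX-escaped
            pin = decode_data(reply[2:])
        elif reply.startswith("OK"):           # GETPIN finished
            send("BYE")
            return pin, None
        elif reply.startswith("ERR"):          # cancelled, or pinentry had no usable tty
            send("BYE")
            return None, reply
        # '#' comment and 'S' status lines are informational; keep reading

def run_pinentry(ttyname, program="pinentry-curses"):
    """Spawn the real pinentry with its Assuan channel on our pipes, not on the tty."""
    proc = subprocess.Popen([program], stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            text=True, bufsize=1)
    try:
        return assuan_getpin(lambda s: (proc.stdin.write(s + "\n"), proc.stdin.flush()),
                             lambda: proc.stdout.readline().rstrip("\n"), ttyname)
    finally:
        proc.stdin.close()
        proc.wait()

if __name__ == "__main__":
    # Like gpg, prefer GPG_TTY, else the tty on stdin; with neither there is no curses UI.
    print(run_pinentry(os.environ.get("GPG_TTY") or os.ttyname(0)))
```

Run from a terminal it draws the curses prompt on that terminal and prints the entered text; pointed at a pty owned by a freshly started terminal emulator it draws there instead, which is the mechanism a wrapper for the third option needs.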
figueroa Advocate
Joined: 14 Aug 2005 Posts: 3007 Location: Edge of marsh USA
Posted: Thu Nov 26, 2020 3:42 am
@danielittlewood
If you do try OpenBox, you may want to read through my LXDE to OpenBox thread here: https://forums.gentoo.org/viewtopic-t-1119739-highlight-openbox.html