FS#49041 - [pinentry] Default /usr/bin/pinentry won't run on systems without GTK2 libs
Attached to Project:
Arch Linux
Opened by Mark Laws (mdl) - Thursday, 21 April 2016, 20:31 GMT
Last edited by Gaetan Bisson (vesath) - Thursday, 19 May 2016, 04:50 GMT
Details
Description:
Copying from my mail to Gaetan: The pinentry package symlinks /usr/bin/pinentry to pinentry-gtk-2 by default, but unless people configure a different pinentry, it will fail to run, because the pinentry package doesn't depend on the GTK2 libraries. You might want to consider changing the link to /usr/bin/pinentry-tty, as it has no dependencies other than libassuan and libgpg-error, or since you already have ncurses as a dependency, /usr/bin/pinentry-curses would be fine too (but please don't make GTK2 a required dependency :)).

Additional info:
* package version: 0.9.7-1

Steps to reproduce:
run /usr/bin/pinentry
I also feel safer checking that the terminal that asks me for my password is the one where I knowingly ran an application that requires my private key. With pinentry-gtk2, I do not know what application spawned the pinentry popup; it could be a different one from the safe application I was expecting.
Because I also read that under graphical environments it isn't that favourable to use the curses-based one [0].
Please note it was regarding the curses one. Dunno if -tty is doing something different.
___
[0] https://github.com/dyne/Tomb/issues/166#issuecomment-64209629
Keyloggers are brought up but it seems to me they are actually more effective with graphical pinentries than terminal ones, simply because key strokes travel through more layers of code as I explained in my previous message.
And, those points aside, the problem of having a default pinentry that does not depend on heavy additional libraries (such as gtk2 or qt) remains.
- defaulting to pinentry-gtk-2 is upstream's choice; see how PINENTRY_DEFAULT is defined in the configure script;
- we have a fallback on pinentry-curses for cases where DISPLAY is unset.
I am aware that the issue when gtk2 is missing remains, but maybe asking the user to add `pinentry-program /usr/bin/pinentry-tty` to their gpg-agent.conf is not too big an expectation in that case.
Thanks!
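The situation described in this thread (a /usr/bin/pinentry symlink whose target cannot load its libraries, and the suggested `pinentry-program` line in gpg-agent.conf) can be checked and applied with a small script. The following is an added example, not code from the bug report or from the Arch pinentry package; it assumes the paths named in the report and that gpg-agent.conf lives under $GNUPGHOME (default ~/.gnupg), where gpg-agent reads it.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the Arch pinentry package.
# It checks what /usr/bin/pinentry resolves to, whether that binary's shared
# libraries are all present, and sets pinentry-program in gpg-agent.conf.
# Assumed: the paths named in the report, and gpg-agent.conf living under
# $GNUPGHOME (default ~/.gnupg), which is where gpg-agent reads it.

# Final target of a (possibly chained) symlink such as /usr/bin/pinentry.
resolve_pinentry() {
    readlink -f "${1:-/usr/bin/pinentry}"
}

# Number of shared libraries the dynamic loader cannot find for a binary.
# Non-zero is the failure the report describes: pinentry-gtk-2 linked
# against GTK2 libraries that are not installed. Prints 0 if ldd is absent
# or the file is not a dynamic executable.
missing_lib_count() {
    ldd "$1" 2>/dev/null | grep -c 'not found' || true
}

# Set pinentry-program in a gpg-agent.conf idempotently: drop any existing
# pinentry-program line(s), then append the new one. Refuses (return 1)
# if the target is not an executable file, so a typo cannot leave gpg-agent
# pointing at nothing.
set_pinentry_program() {
    conf="$1"
    prog="$2"
    [ -x "$prog" ] || { echo "not executable: $prog" >&2; return 1; }
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    grep -v '^[[:space:]]*pinentry-program[[:space:]]' "$conf" > "$tmp" || true
    printf 'pinentry-program %s\n' "$prog" >> "$tmp"
    mv "$tmp" "$conf"
}

# The pinentry-program currently named in a gpg-agent.conf (empty if none).
configured_pinentry() {
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]]*//p' "$1" | tail -n 1
}

# Stand-alone run: report on the system default and on the current config.
if [ -e /usr/bin/pinentry ]; then
    target=$(resolve_pinentry /usr/bin/pinentry)
    echo "/usr/bin/pinentry -> $target (libraries not found: $(missing_lib_count "$target"))"
fi
conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
if [ -f "$conf" ]; then
    echo "gpg-agent.conf pinentry-program: $(configured_pinentry "$conf")"
fi
```

A non-zero "libraries not found" count for the symlink target is the condition the report describes; the fix from the last comment is `set_pinentry_program "$conf" /usr/bin/pinentry-tty` followed by `gpg-connect-agent reloadagent /bye` so a running agent picks up the new setting.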