FS#49041 - [pinentry] Default /usr/bin/pinentry won't run on systems without GTK2 libs

Attached to Project: Arch Linux
Opened by Mark Laws (mdl) - Thursday, 21 April 2016, 20:31 GMT
Last edited by Gaetan Bisson (vesath) - Thursday, 19 May 2016, 04:50 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
Copying from my mail to Gaetan:

The pinentry package symlinks /usr/bin/pinentry to pinentry-gtk-2 by
default, but unless people configure a different pinentry, it will
fail to run, because the pinentry package doesn't depend on the GTK2
libraries. You might want to consider changing the link to
/usr/bin/pinentry-tty, as it has no dependencies other than libassuan
and libgpg-error, or since you already have ncurses as a dependency,
/usr/bin/pinentry-curses would be fine too (but please don't make GTK2
a required dependency :)).

Additional info:
* package version: 0.9.7-1

Steps to reproduce: run /usr/bin/pinentry

Closed by Gaetan Bisson (vesath)
Thursday, 19 May 2016, 04:50 GMT
Reason for closing: Upstream
Comment by Gaetan Bisson (vesath) - Thursday, 21 April 2016, 20:45 GMT
I second this change. In my opinion, pinentry-tty is the simpler, more robust version and should be the default. Of course, proponents of graphical apps might disagree. They are free to add `pinentry-program /usr/bin/pinentry-gtk2` to their gpg-agent.conf but the change in default behavior will likely be a surprise to them. However, if nobody complains, I will implement this in a couple of weeks.
Comment by Doug Newgard (Scimmia) - Thursday, 21 April 2016, 22:40 GMT
Search the bug reports (in the correct project). This was brought up and rejected multiple times. You're the maintainer now, though, so you can do it however you want.
Comment by Gaetan Bisson (vesath) - Friday, 22 April 2016, 03:30 GMT
Thanks Doug. I've looked at earlier bug reports. All explain that the user is free to choose whatever pinentry they like by changing the symlink and installing optional dependencies, but none explains why the default should be pinentry-gtk2. Personally I think it should be pinentry-tty. Upstream considers it the most secure alternative too. So unless someone brings up a good reason why we should stay with the gtk2 version as the default, I'll implement the requested change in a couple of weeks.
Comment by Gaetan Bisson (vesath) - Friday, 22 April 2016, 03:48 GMT
To elaborate on the security argument: Although I cannot remember where (somehow I assumed it was upstream), I read an article on the various pinentry implementations which concluded that pinentry-tty was the most secure and robust as it depends on very little, which implies that key presses go essentially straight from the keyboard driver through the kernel to the application, while with other implementations they also go through big scary things like the graphical stack and the widget library.

I also feel safer checking the terminal that asks me my password is the one where I knowingly ran an application that requires my private key. With pinentry-gtk2, I do not know what application spawned the pinentry popup; it could be a different one from the safe application I was expecting.
Comment by Lex Black (TrialnError) - Sunday, 24 April 2016, 10:35 GMT
Maybe upstream should be asked directly?
Because I also read about the point that under graphical environments it isn't that favourable to use the curses based one[0].
Please note it was regarding the curses one. Dunno if -tty is doing something different.
___
[0] https://github.com/dyne/Tomb/issues/166#issuecomment-64209629
Comment by Gaetan Bisson (vesath) - Sunday, 24 April 2016, 18:59 GMT
This comment argues that focus-stealing is a problem with terminal-based pinentries (both -curses and -tty are concerned). It seems to me that any adversary capable of stealing focus would also be able to spawn its own pinentry popup and mislead you into typing your passphrase in it. So in my opinion those two arguments balance each other.

Keyloggers are brought up but it seems to me they are actually more effective with graphical pinentries than terminal ones, simply because key strokes travel through more layers of code as I explained in my previous message.

And, those points aside, the problem of having a default pinentry that does not depend on heavy additional libraries (such as gtk2 or qt) remains.
Comment by Gaetan Bisson (vesath) - Thursday, 12 May 2016, 22:27 GMT
As good as my earlier arguments were, I think I am going to leave things as they currently are. For two simple reasons (that I somehow missed until now):
- defaulting to pinentry-gtk-2 is upstream's choice; see how PINENTRY_DEFAULT is defined in the configure script;
- we have a fallback on pinentry-curses for cases where DISPLAY is unset.

I am aware that the issue when gtk2 is missing remains, but maybe asking the user to add `pinentry-program /usr/bin/pinentry-tty` to their gpg-agent.conf is not too big an expectation in that case.
Comment by Mark Laws (mdl) - Thursday, 19 May 2016, 00:51 GMT
That workaround is good enough for me (or you can of course just symlink /usr/bin/pinentry to something else, though it'll get clobbered by upgrades--makes me wish Arch had an alternatives system :)).

Thanks!
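The check a user in this situation would want, as an added example that is not part of the bug report or of the pinentry package: verify whether the `/usr/bin/pinentry` symlink target can actually load its shared libraries, fall back through the candidates the thread discusses (gtk-2 only when DISPLAY is set, then curses, then tty), and print the `pinentry-program` line for gpg-agent.conf, which unlike re-pointing the symlink survives package upgrades. It assumes a glibc-style `ldd` that reports unresolved libraries as `=> not found`; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or the pinentry package.
# Assumes glibc-style `ldd` output ("libfoo.so.0 => not found" for an
# unresolved dependency) and the Arch binary names pinentry-gtk-2,
# pinentry-curses and pinentry-tty.

# libs_resolve BIN: succeed if BIN is executable and ldd reports no
# missing shared library. A script (ldd prints nothing useful) passes,
# since it has no libraries to resolve.
libs_resolve() {
    [ -x "$1" ] || return 1
    ldd "$1" 2>/dev/null | grep -q ' not found' && return 1
    return 0
}

# pick_pinentry BINDIR: print the first candidate in BINDIR whose
# libraries load. The graphical pinentry is only tried when DISPLAY is
# set, mirroring the DISPLAY-based fallback mentioned in the thread.
pick_pinentry() {
    dir=${1:-/usr/bin}
    if [ -n "$DISPLAY" ]; then
        candidates="pinentry-gtk-2 pinentry-curses pinentry-tty"
    else
        candidates="pinentry-curses pinentry-tty"
    fi
    for c in $candidates; do
        if libs_resolve "$dir/$c"; then
            printf '%s\n' "$dir/$c"
            return 0
        fi
    done
    return 1
}

# gpg_agent_conf_line BIN: the line to append to ~/.gnupg/gpg-agent.conf
gpg_agent_conf_line() {
    printf 'pinentry-program %s\n' "$1"
}

# Stand-alone usage: report the symlink target and suggest a config line.
if [ -e /usr/bin/pinentry ]; then
    printf 'default: /usr/bin/pinentry -> %s\n' "$(readlink -f /usr/bin/pinentry)"
    if libs_resolve /usr/bin/pinentry; then
        echo "default pinentry loads its libraries; nothing to do"
    elif p=$(pick_pinentry /usr/bin); then
        echo "default pinentry cannot load its libraries; add to ~/.gnupg/gpg-agent.conf:"
        gpg_agent_conf_line "$p"
        echo "then run: gpgconf --reload gpg-agent"
    else
        echo "no working pinentry found in /usr/bin"
    fi
fi
```

After appending the suggested line, `gpgconf --reload gpg-agent` makes the running agent pick it up; the check only inspects library resolution, so a pinentry that loads but cannot open the display (an unset or stale DISPLAY) still needs the curses/tty fallback the agent itself performs.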
