-
Notifications
You must be signed in to change notification settings - Fork 152
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor PIN/passphrase handling #211
Conversation
@rendaw Could you please take a look? |
libagent/device/ui/pinentry_gpg.py
Outdated
|
||
def main(): | ||
"""Use GPG pinentry program to interact with the user.""" | ||
args = ['pinentry'] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we make this configurable?
With the module name it's a bit more complex since it adds a second layer of configuration. It might need to be an absolute path too in some circumstances since PATH is empty in cron, systemd, etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right...
I have added an option to pass arguments to configure the actual binary that is executed by pinetry_gpg.py
at 1a50d0a.
libagent/device/ui/pinentry_gpg.py
Outdated
expect(p, [b'OK']) | ||
|
||
desc = sys.stdin.read().encode('ascii') | ||
write(p, b'SETDESC ' + libagent.gpg.agent.serialize(desc) + b'\n') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh awesome, I should have known you already had a function for this.
This looks really good, and thanks for doing this! I realize the pinentry thing isn't that important if you have a keypad, but I'm out of luck there. Just one comment about configuring the passphrase program. I'll make a separate PR for docs after this is merged. |
Haha, right! Sorry, I don't mean to be dropping links to my own project. Until someone makes a nicer alternative I figure it's helpful though. |
Sorry, just noticed one other thing. With the normal GPG agent, information about the environment ( I couldn't find any information in the gpg-agent/pinentry assuan specs about what values should be forwarded unfortunately. I thought forwarding everything might be okay - if the pinentry doesn't understand the option it will ignore it I believe. Just sending the display/tty ones might be okay too. Relatedly, gpg2 also adds the |
Thanks for the review! |
I agree it's much simpler, and I don't know a good way to integrate it easily. Aside from passing the data between processes you also have to funnel it through all the functions. I tried it out and I think it has issues in a couple situations as it is now though:
I think 1 is particularly important since otherwise the pinentry won't be usable on systems with no desktop environment (ex: servers). |
Good points... thanks for the testing! |
1a50d0a
to
17798bd
Compare
@rendaw Please take a look :) (use |
This looks really good 👍 . So for GPG it passes options, and for SSH it uses the environment? That seems like the best option given the SSH protocol I think. I'll try it out tomorrow but I doubt I'll have much else to say :) |
Ah, it looks like it might not be possible to change |
Oops... you're right! |
This would allow easier customization.
6236822
to
4782aa2
Compare
4782aa2
to
0c9fc33
Compare
I've added the following command-line flags to SSH and GPG tools:
Please take a look :) |
This works great for me! I didn't try reinitializing the gpg part but I added the flags to run-agent.sh and GPG and SSH both work. I'll get started on documentation updates. |
Many thanks for the idea, the code and the testing! |
This should allow easier integration of custom PIN/passphrase entry tools (e.g. #202).