[PATCH] doc: Note pinentry-mode for passphrase opts


Andre Heinecke
Hi,

The pinentry-mode should be mentioned in my opinion in the doc / manpage of
the passphrase options because they won't work if the pinentry-mode is not set
to loopback. This is similar to the already mentioned --batch requirement.

Attached Patch does this.

Best Regards,
Andre

--
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
_______________________________________________
Gnupg-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
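
The requirement described in the message above, as an added example that is not part of the original thread or of GnuPG: a small check that flags gpg command lines whose passphrase option would be ignored because `--batch` or `--pinentry-mode loopback` is missing. The function name and the sample command lines are constructed for illustration; settings made in `gpg.conf` and abbreviated long options are not considered.

```python
import os
import shlex

# Options the documentation note in this thread applies to.
PASSPHRASE_OPTS = ("--passphrase", "--passphrase-fd", "--passphrase-file")


def missing_requirements(command):
    """Return what a gpg command line lacks for its passphrase option to
    take effect; [] if no passphrase option is used or all is in place."""
    argv = shlex.split(command)
    if not argv or os.path.basename(argv[0]) not in ("gpg", "gpg2"):
        return []
    uses_passphrase, batch, pinentry_mode = False, False, None
    i = 1
    while i < len(argv):
        if argv[i] == "--":              # end of options, file names follow
            break
        name, sep, value = argv[i].partition("=")
        if name in PASSPHRASE_OPTS:
            uses_passphrase = True
            if not sep:
                i += 1                   # skip the option's separate argument
        elif name == "--batch":
            batch = True
        elif name == "--pinentry-mode":
            if not sep:                  # value given as the next word
                i += 1
                value = argv[i] if i < len(argv) else None
            pinentry_mode = value
        i += 1
    if not uses_passphrase:
        return []
    missing = []
    if not batch:
        missing.append("--batch")
    if pinentry_mode != "loopback":
        missing.append("--pinentry-mode loopback")
    return missing


# Constructed sample command lines, as they might appear in a backup script.
SAMPLE = [
    "gpg --batch --passphrase-fd 0 --decrypt backup.tar.gpg",
    "gpg --passphrase-file /run/secrets/pp --symmetric db.sql",
    "gpg --batch --pinentry-mode loopback --passphrase-fd 3 --sign rel.tar",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(missing_requirements(line) or "ok", "<-", line)
```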

Re: [PATCH] doc: Note pinentry-mode for passphrase opts

Daniel Kahn Gillmor-7
On Mon 2018-01-08 19:19:17 +0100, Andre Heinecke wrote:

> The pinentry-mode should be mentioned in my opinion in the doc / manpage of
> the passphrase options because they won't work if the pinentry-mode is not set
> to loopback. This is similar to the already mentioned --batch requirement.

I agree with the sentiment behind this change.  however, some of the
wording can be improved:

>  Note that this passphrase is only used if the option @option{--batch}
> -has also been given.  This is different from GnuPG version 1.x.
> +has also been given and @option{--pinentry-mode} has to be set to @code{loopback}.
> +This is different from GnuPG version 1.x and 2.0.x.
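
Review bot: In the first added line, "has also been given and @option{--pinentry-mode} has to be set to @code{loopback}" mixes a condition with an obligation inside the same "only used if" clause; "has also been given and @option{--pinentry-mode} is set to @code{loopback}" reads as a single condition. The sentence "This is different from GnuPG version 1.x and 2.0.x" also does not say which of the two requirements differs in which version, and the first added line is noticeably longer than the surrounding lines, so it should be re-wrapped.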

this should say something like "the requirement for loopback mode was
introduced in GnuPG version 2.1.$whatever". That makes it clearer and
less ambiguous to people who are trying to understand how to configure a
bunch of systems with different versions installed.

      --dkg

Re: [PATCH] doc: Note pinentry-mode for passphrase opts

Andre Heinecke
Hi,

On Monday, January 8, 2018 4:54:35 PM CET Daniel Kahn Gillmor wrote:
> this should say something like "the requirement for loopback mode was
> introduced in GnuPG version 2.1.$whatever". That makes it clearer and
> less ambiguous to people who are trying to understand how to configure a
> bunch of systems with different versions installed.

Attached is a Version that takes this into account. I simplified to "since
Version 2.0 and since Version 2.1" There were some 2.1 versions where the
agent had to be configured with allow-pinentry-loopback etc. but I think we can
disregard such detail.

Best Regards,
Andre


--
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [PATCH] doc: Note pinentry-mode for passphrase opts

Daniel Kahn Gillmor-7
On Tue 2018-01-09 08:52:07 +0100, Andre Heinecke wrote:

> On Monday, January 8, 2018 4:54:35 PM CET Daniel Kahn Gillmor wrote:
>> this should say something like "the requirement for loopback mode was
>> introduced in GnuPG version 2.1.$whatever". That makes it clearer and
>> less ambiguous to people who are trying to understand how to configure a
>> bunch of systems with different versions installed.
>
> Attached is a Version that takes this into account. I simplified to "since
> Version 2.0 and since Version 2.1" There were some 2.1 versions where the
> agent had to be configured with allow-pinentry-loopback etc. but I think we can
> disregard such detail.

works for me.

      --dkg

PS I'm seeing a "bad signature" from you on the received e-mails that
   include these patches.  i dunno whether that's something you want to
   debug, but i'm happy to try to diagnose it with you off-list if you
   would find that useful.

Re: [PATCH] doc: Note pinentry-mode for passphrase opts

Ben McGinnes
On Tue, Jan 09, 2018 at 12:12:51PM -0500, Daniel Kahn Gillmor wrote:
>
> PS I'm seeing a "bad signature" from you on the received e-mails
>    that include these patches.  i dunno whether that's something you
>    want to debug, but i'm happy to try to diagnose it with you
>    off-list if you would find that useful.

Really?  Both of those emails came up as "good signatures" for me,
albeit with the usual warnings that identity couldn't be confirmed
because I haven't signed or trusted Andre's key, but other than that
it seemed fine.

Regards,
Ben

P.S.  You might need to refresh my own key since I recently added a
      new signing subkey.  ;)


Re: [PATCH] doc: Note pinentry-mode for passphrase opts

Daniel Kahn Gillmor-7
On Thu 2018-01-11 09:51:02 +1100, Ben McGinnes wrote:
> On Tue, Jan 09, 2018 at 12:12:51PM -0500, Daniel Kahn Gillmor wrote:
>>
>> PS I'm seeing a "bad signature" from you on the received e-mails
>>    that include these patches.  i dunno whether that's something you
>>    want to debug, but i'm happy to try to diagnose it with you
>>    off-list if you would find that useful.
>
> Really?  Both of those emails came up as "good signatures" for me,
> albeit with the usual warnings that identity couldn't be confirmed

thanks to Ben and Neal for the feedback, i'm now tracking the problem in
a local toolchain -- I can confirm that i have at least one set of tools
that does verify andre's signature correctly.  I can follow up on list
here if folks are interested once i've got a proper diagnosis.

> because I haven't signed or trusted Andre's key, but other than that
> it seemed fine.

(nitpick: you should never need to "trust" Andre's key to verify
signatures from it!  i think you just mean that neither you nor anyone
that you trust has directly certified Andre's key)

        --dkg

Re: [PATCH] doc: Note pinentry-mode for passphrase opts

Ben McGinnes
On Thu, Jan 11, 2018 at 08:54:14AM -0500, Daniel Kahn Gillmor wrote:
> On Thu 2018-01-11 09:51:02 +1100, Ben McGinnes wrote:
>
> thanks to Ben and Neal for the feedback, i'm now tracking the
> problem in a local toolchain -- I can confirm that i have at least
> one set of tools that does verify andre's signature correctly.  I
> can follow up on list here if folks are interested once i've got a
> proper diagnosis.

I am a little curious, just in case it's the sort of thing which might
crop up in diagnosing other things.

>> because I haven't signed or trusted Andre's key, but other than that
>> it seemed fine.
>
> (nitpick: you should never need to "trust" Andre's key to verify
> signatures from it!  i think you just mean that neither you nor
> anyone that you trust has directly certified Andre's key)

Correct.

One of the other problems with living on Tatooine (Australia) is that,
to paraphrase, "if there's a brightest centre of civilisation, I'm on
the continent that's farthest from it."

So there's a (practical) limit to the extent of direct keysigning
which can occur following a face-to-face or other trusted and verified
out of band confirmation of identity and key control.


Regards,
Ben
