Tomb doesn't ask for a password when forging a key #166
I got this reported yesterday by a Slackware dev. Needs an xhost +localhost to work with pinentry-gtk2. I plan to solve this by making pinentry-curses the hardcoded default, customizable from a new option --pinentry |
I believe that pinentry-gtk2 is SERIOUSLY better than the curses version, and it should be the default, just like it is right now. It prevents focus from being stolen (by a keylogger or even by accident) and passwords from being written in the wrong place. This really is an issue for me, and part of what makes tomb "secure by usability". Please let |
I agree pinentry-gtk2 is better; please consider that I'm an ardent supporter of pinentry and actively include it in all my software and even other people's software. Please also note that right now pinentry-gtk2 is not the default. The default is pinentry, whatever that binary or symlink or alternative may lead to. Arguably here it is Slackware's fault to configure that to something that does not work if run through sudo. But the default must work and not leave users clueless without asking for a password. For this to happen, pinentry-curses must be the default. Users can configure both Tomb or gpg-agent.conf to use pinentry-gtk2. The problem arises for conscious OS developers and maintainers who want to configure a system-wide pinentry-gtk2 default. Hardcoding pinentry-curses may make it impossible to change such a default without the user's action and without defacing the curses version with the gtk2. Therefore I'm now considering to parse also |
Is there a clear reason why If someone has a system where pinentry-gtk2 is installed but not working, he/she should better fix THAT problem, or just install pinentry-curses, so that we can detect that pinentry-curses is our only solution. On many systems, you have a "pinentry" program that links to your favourite one; tomb should follow this hint, if it is available. I propose that looking for So if you are a user of a system where pinentry-gtk-2 is broken and you don't know why, you can just symlink /usr/bin/pinentry to pinentry-curses. Or you can remove pinentry-gtk-2. Or you can make it work (with the xhost thing). Or you can manually say |
I agree with @boyska that looking in other programs' config is not a good idea. I think we should go with plain |
Thanks guys, but I've reached a decision already :^) Good point parsing 3rd party confs should use validation. Users should |
This is solved by the latest pinentry refactoring. I managed to make pinentry-gtk-2 the default if present and DISPLAY is set! The trick was to bypass the crappy wrapper by the distro: we call them directly. |
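The selection logic the comment above describes, written out as an added example that is not Tomb's own code: prefer pinentry-gtk-2 when DISPLAY is set and the binary is on PATH, otherwise fall back to pinentry-curses, call the chosen binary directly rather than the distro's pinentry wrapper, and drive it over its Assuan protocol so that a pinentry which fails (for instance a GTK one that cannot open the X display under sudo) returns an error instead of silently never prompting. The function names tomb_pick_pinentry, tomb_ask_pin and assuan_unescape are hypothetical.

```shell
#!/bin/sh
# Added example, not Tomb's own code. Function names are hypothetical.

# Choose the pinentry program. $1 is the DISPLAY value, passed explicitly so
# the choice can be exercised without an X server. Prefers pinentry-gtk-2 when
# a display is set and the binary is on PATH, otherwise pinentry-curses.
# Prints the resolved path; returns 1 when neither binary is found.
tomb_pick_pinentry() {
    _display="$1"
    if [ -n "$_display" ] && _bin=$(command -v pinentry-gtk-2 2>/dev/null); then
        printf '%s\n' "$_bin"
        return 0
    fi
    if _bin=$(command -v pinentry-curses 2>/dev/null); then
        printf '%s\n' "$_bin"
        return 0
    fi
    return 1
}

# Undo Assuan percent-escaping on a data line (%25 -> '%', %0A -> LF, %0D -> CR).
assuan_unescape() {
    awk 'BEGIN { for (i = 0; i < 256; i++) hex[sprintf("%02X", i)] = i }
         {
           out = ""; s = $0
           while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
             out = out substr(s, 1, RSTART - 1) sprintf("%c", hex[toupper(substr(s, RSTART + 1, 2))])
             s = substr(s, RSTART + 3)
           }
           print out s
         }'
}

# Drive one pinentry session. $1 pinentry binary, $2 description, $3 prompt
# (neither may contain a newline). pinentry answers each command with
# "OK ..." or "ERR <code> <text>"; the PIN itself arrives as a "D <data>" line.
# Prints the PIN on stdout; returns 1 if pinentry reported an error or never
# produced a PIN, so a broken pinentry fails loudly instead of leaving the
# caller waiting for a prompt that never appears.
tomb_ask_pin() {
    _bin="$1"; _desc="$2"; _prompt="$3"
    _cmds="SETDESC $_desc
SETPROMPT $_prompt
GETPIN
BYE"
    # A curses pinentry needs to know which terminal to draw on; GTK ignores it.
    if _tty=$(tty 2>/dev/null); then
        _cmds="OPTION ttyname=$_tty
$_cmds"
    fi
    _out=$(printf '%s\n' "$_cmds" | "$_bin" 2>/dev/null) || return 1
    if printf '%s\n' "$_out" | grep -q '^ERR '; then
        return 1
    fi
    _pin=$(printf '%s\n' "$_out" | sed -n 's/^D //p' | head -n 1)
    [ -n "$_pin" ] || return 1
    printf '%s\n' "$_pin" | assuan_unescape
}
```

Calling the binary by name sidesteps a wrapper or alternatives symlink that points at something which cannot run through sudo; the ERR and missing-D checks turn a pinentry that cannot open its display into a failed call the caller can report. tomb_ask_pin writes the PIN to stdout, so the caller should capture it straight into a variable and never echo or log it.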
If it's not one, then it's the other... I've got another problem, and this time I'm completely clueless.
Well, this is what happens:
The password prompt never appears. Interesting fact: tomb askpass works as expected under both regular and superuser. Here's a trace taken with zsh -x: https://gist.github.com/fsLeg/ab1774f5b95a7a653d84