gpg can't prompt for passphrase #615

Closed
technomancy opened this Issue Jun 1, 2012 · 10 comments

Owner

technomancy commented Jun 1, 2012

gpg has no way to suppress the passphrase prompt when gpg-agent is used (--quiet is ignored), so when decrypting the ~/.lein/credentials.clj.gpg file we have to choose between forcing use of an unlocked gpg-agent (with --batch) and showing the prompt even when unnecessary. Since the prompt screws up M-x clojure-jack-in, we've currently opted for --batch.

Somehow gpg is able to print output to stdout even when using clojure.java.shell/sh, which supposedly captures all output and puts it in the :out key of its return value. Even calling System/setOut cannot suppress the output.

Owner

technomancy commented Jun 1, 2012

This is not an issue when using gnome since gnome-keyring can prompt for a passphrase even with gpg --batch. It's only been confirmed as a problem on Macs.

Collaborator

ato commented Jun 1, 2012

gpg and other programs like sudo achieve this feat by opening /dev/tty and writing to it directly instead of via stdout. On Linux you can ditch the tty with setsid gpg ... but if you don't pass --batch it will just complain gpg: cannot open tty '/dev/tty': No such device or address and abort.

Collaborator

ato commented Jun 1, 2012

I guess there's this:

 gpg --no-tty --command-fd 0 --status-fd 1 --decrypt [...]
[GNUPG:] ENC_TO [...]
[GNUPG:] USERID_HINT [...]
[GNUPG:] NEED_PASSPHRASE [...]
[GNUPG:] GET_HIDDEN passphrase.enter

Not sure if that's helpful to this particular situation though.
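
The status stream in the transcript above can be read by a wrapper instead of letting gpg prompt on /dev/tty. The following is an added example, not code from this thread or from Leiningen: a shell function that classifies such a stream. The function name, key ID and sample lines are constructed, and the keywords BAD_PASSPHRASE, DECRYPTION_OKAY and DECRYPTION_FAILED, which do not appear on this page, are taken from GnuPG's doc/DETAILS.

```shell
# Added example: classify a `gpg --status-fd` stream read from stdin.
# Prints "<state> <key id>"; state: ok|needs-passphrase|bad-passphrase|failed|unknown
classify_gpg_status() {
    state=unknown
    keyid=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "[GNUPG:] "*) line=${line#"[GNUPG:] "} ;;
            *) continue ;;              # human-readable chatter, not status
        esac
        keyword=${line%% *}
        args=${line#"$keyword"}
        args=${args# }
        case $keyword in
            ENC_TO)            keyid=${args%% *} ;;
            NEED_PASSPHRASE)   state=needs-passphrase ;;
            GET_HIDDEN)        # gpg is now waiting for input on --command-fd
                if [ "$args" = passphrase.enter ]; then state=needs-passphrase; fi ;;
            BAD_PASSPHRASE)    state=bad-passphrase ;;
            DECRYPTION_OKAY)   state=ok ;;
            DECRYPTION_FAILED) # keep the more specific cause if one was seen
                if [ "$state" != bad-passphrase ]; then state=failed; fi ;;
        esac
    done
    printf '%s %s\n' "$state" "${keyid:-none}"
}

# Constructed sample: the shape of the transcript above, with a made-up key ID.
sample_prompt() {
    cat <<'EOF'
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] USERID_HINT 0123456789ABCDEF Example User <user@example.invalid>
[GNUPG:] NEED_PASSPHRASE 0123456789ABCDEF 0123456789ABCDEF 1 0
[GNUPG:] GET_HIDDEN passphrase.enter
EOF
}

# Constructed sample: key already unlocked, with non-status noise mixed in.
sample_unlocked() {
    cat <<'EOF'
gpg: encrypted with 2048-bit RSA key
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
EOF
}

sample_prompt   | classify_gpg_status   # needs-passphrase 0123456789ABCDEF
sample_unlocked | classify_gpg_status   # ok 0123456789ABCDEF
```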

Owner

technomancy commented Jun 10, 2012

I think the solution is to point people towards https://github.com/funtoo/keychain since this should allow them to have the same behaviour that gnome-keyring offers on any platform.

Contributor

lynaghk commented Nov 3, 2012

For anyone who stumbles on this thread via the Google: I couldn't get any of the gpg stuff in homebrew + the keychain mentioned above working on OS X 10.7. Installing gpg via the package here https://www.gpgtools.org/installer/index.html did the trick, though.

katox commented Nov 28, 2013

Just leaving a comment for anyone who has "everything" set up correctly and still no askpass dialog appears anywhere. Make sure that you have the "use-agent" option explicitly enabled in ~/.gnupg/gpg.conf. See gpg option list.

You can test the config with

 gpg --quiet --batch --decrypt ~/.lein/credentials.clj.gpg

Leiningen should pick it up automatically when the command above works correctly.

Contributor

jakemcc commented Dec 2, 2013

Thanks @katox. That was helpful and solved the issue I was having.

My issue is a bit different. This command prompts for the passphrase properly on my machine but it does not work with Leiningen.

gpg --quiet --batch --decrypt ~/.lein/credentials.clj.gpg

It hangs for a while after I execute lein repl and then prints out these messages:

$ lein repl
Could not decrypt credentials from /Users/xxx/.lein/credentials.clj.gpg
pinentry-curses: no LC_CTYPE known - assuming UTF-8
pinentry-curses: no LC_CTYPE known - assuming UTF-8
pinentry-curses: no LC_CTYPE known - assuming UTF-8
pinentry-curses: no LC_CTYPE known - assuming UTF-8
pinentry-curses: no LC_CTYPE known - assuming UTF-8
gpg-agent[1009]: command get_passphrase failed: Invalid IPC response
gpg: problem with the agent: Invalid IPC response
gpg: decryption failed: No secret key

My guess is that for some reason, Leiningen can't present the enter-passphrase page of gpg. I don't know exactly whether it's an issue with Leiningen or gpg2 or gpg-agent or pinentry.

My workaround is to use the GUI version of gpg, GPG Suite. Now when I execute 'lein repl', it prompts for the passphrase in the GUI instead.

I spent like half a day figuring this out. Hope this writeup saves you time.

manuelp commented May 16, 2014

@visibletrap I owe you a beer! 👍

Hi, I have met the same problem using cmd on Windows 10. I found the cmd doesn't support the prompt for password.
At last, I changed to use Git Bash to resolve this problem. Good luck :)
