gpg issues

[Robert Collins]

On Tue, 2006-02-14 at 12:12 -0600, John A Meinel wrote:
> So I figured out why gpg cannot start the pinentry program. And it is
> because we are piping the information into stdin, which means that there
> is no terminal for pinentry to run on.
> 
> So what we want to be doing is creating a temporary file, and then using
> "gpg --clearsign /tmp/foo.aoeuaoeu" rather than "echo 'foo' | gpg
> --clearsign".
> 
> (Note I tested it, echo foo | gpg --cl does indeed fail to run pinentry).
> 
> I think this would be perfectly safe to do for gpg. But I have to ask
> people who use other front-ends like agpg, etc. I would guess that they
> let you supply the file to sign, otherwise they would not act like plain
> gpg. (Also, are other front-ends as necessary now that gpg natively
> supports gpg-agent?)
> 
> I just want to make sure that it is safe for me to make these changes.
> 
> I'm also wondering if we want the default command to be "gpg --batch
> --no-tty". Probably not, but I thought I would ask.

Well, I know of some number of people using gnome-gpg for instance. So I
think other front ends are needed. Re: temp files, as long as we make a
temp dir with appropriate permissions (007) write the file in there and
then read the signature, sure. I think the pipe approach is much better
if we can use it. Does pinentry just need a pty ? I smell a bug in
pinentry to be honest, because gpg on its own (the default command)
works fine for me - it prompts for the password in the terminal using
the secure facilities (can't remember the api name right now, sorry).

Rob

-- 
GPG key available at: <http://www.robertcollins.net/keys.txt>.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : https://lists.ubuntu.com/archives/bazaar/attachments/20060215/57011976/attachment.pgp