Bug #11099

Decide which pinentry we want to ship

Added by segfault almost 4 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Start date:
02/09/2016
Due date:
% Done:

0%

Feature Branch:
Type of work:
Code
Blueprint:
Starter:
Affected tool:

Description

We are currently shipping pinentry-gtk2 from Debian jessie.
There are multiple problems with it:

  • It causes the GNOME shell menus to become unresponsive (#11038)
  • It is not well integrated within GNOME (#9555)
  • It doesn't allow pasting, which makes it hardly usable with KeePassX because it needs the autotype feature, which:
    • is unintuitive to use (in contrast to the copy/paste method, which every user knows how to use)
    • is buggy (#10940)
    • by default types the user name together with the passphrase, which won't unlock the PGP key and keeps the user confused about what happened, because pinentry only displays dots instead of the characters typed
    • makes it much more likely to leak the password in general, as it types enter automatically after it types the password, so it automatically SENDS the password in IRC if you accidentally focussed the client before you use the autotype feature (this is not true in the case of the pinentry, because it grabs the keyboard - but I don't think users should have to use the autotype at all)

Related issues

Related to Tails - Feature #9555: Include a pinentry GUI that's well integrated within GNOME Rejected 06/10/2015
Related to Tails - Bug #11038: pinentry and gnome shell's top bar cause freeze Resolved 02/01/2016
Related to Tails - Feature #11239: Ship pinentry-gtk2 from jessie-backports Resolved 03/15/2016
Related to Tails - Bug #12733: Seahorse fails to import private PGP keys: pinentry-gtk-2 passphrase prompt not displayed Resolved 06/19/2017

History

#1 Updated by segfault almost 4 years ago

On #9555 there is a discussion about replacing pinentry-gtk2 with pinentry-gnome3, but I think this would break usability with KeePassX even more:
While all the pinentries in Debian stretch (which is the first Debian version that contains pinentry-gnome3) allow pasting, pinentry-gnome3 disables focussing other windows. So you can't even use KeePassX' autotype feature anymore. Now, in order to paste your password when prompted for it, you have to close the pinentry, copy your password and then redo the GnuPG operation to make the pinentry reappear.
On the other hand, it might be slightly better in regard to security than pinentry-gtk2, because it prevents pasting your clipboard (which might contain your passphrase) with the middle mouse button.

The best in regard to usability would be to use pinentry-gtk2 from stretch with no-grab in .gnupg/gpg-agent.conf, which allows pasting, disables the keyboard grabbing and fixes #11038. dkg wrote this in regard to the security of keyboard grabbing pinentries:

> I suspect that dkg (now Cc'ed on this bug report) will be able to explain off the top of his head why we want GnuPG pinentry software that steals keyboard and mouse focus. Daniel?
>
> sure. there are two reasons i can think of immediately (there might be more):
>
>   • grabbing the keyboard makes it so that you can't accidentally send password keypresses to backgrounded windows (we've all seen pastes into IRC, for example) -- if the pinentry is present, and you're typing a password, it won't let you do that by accident.
>   • properly grabbing the keyboard (see XGrabKeyboard(3)) is intended to also prevent malicious fellow X11 clients from trying to sniff your keypresses.
>
> That said, I'm more confident in the former rationale than the latter. X11 is old and sprawling, and there might be ways around an XGrabKeyboard that i'm unaware of (or possibly just bugs). furthermore, truly malicious tools could just mimic the look of pinentry themselves and if they get the timing right, they can grab the keyboard and do the same thing, leaving the user with no effective way to tell whether this pinentry is a "good" or a "bad" one.

So according to this the keyboard grabbing has the main advantage of (1) preventing accidental password leaks while the pinentry is open and (2) the advantage that a not too sophisticated attacker, who managed to compromise the system, might have a hard time sniffing your passphrase.
I'm sure this has been discussed in depth by the GnuPG folks and they considered the additional security of the keyboard grabbing more important than the usability issues. But since we have shipped KeePassX for a long time and I think it is very useful for Tails users, and usability is Tails' main weakness, I still want to argue in favor of disabling the keyboard grabbing. So here are my thoughts on dkg's points:

  1. While pinentry prevents me from leaking my PGP passphrase, I use many other passwords and for every one of these I still have to take care myself not to leak them. Also, if I accidentally leak my PGP passphrase, I can create a new one and change it in my PGP key (of course still something that should definitely not happen).
  2. I think an attacker who compromises Tails is very sophisticated and dkg already gave an example on how to circumvent this.

As I see it, those are the options we have now:

1. Use pinentry-gnome3

  • Pro:
    • Best security because it grabs both keyboard and mouse
    • Well integrated into GNOME
    • Fixes #11038 because it grabs the mouse
  • Contra:
    • Least usable with KeePassX

2. Use pinentry-gtk2 from stretch with no-grab

  • Pro:
    • Most usable with KeePassX
    • Fixes #11038 because of no-grab
  • Contra:
    • Worst security because it doesn't grab keyboard nor mouse
    • Not well integrated into GNOME

3. Keep using the keyboard grabbing pinentry-gtk2 and hope that #11038 will be fixed by the GnuPG folks or the GNOME folks, or that someone has a better idea on this whole matter.

  • Usability and security stay the same
  • Still not well integrated into GNOME

#2 Updated by segfault almost 4 years ago

  • Related to Feature #9555: Include a pinentry GUI that's well integrated within GNOME added

#3 Updated by segfault almost 4 years ago

  • Related to Bug #11038: pinentry and gnome shell's top bar cause freeze added

#4 Updated by intrigeri almost 4 years ago

  • Status changed from New to Confirmed

#5 Updated by segfault almost 4 years ago

  • QA Check set to Dev Needed
  • Type of work changed from Discuss to Code

During the monthly meeting, we decided to go with option 2: Use pinentry-gtk2 from stretch with no-grab. This was based on the false assumption that no-grab would only fix #11038 with the pinentry-gtk2 from stretch, not the one from jessie. We actually also have the yet undiscussed option to use pinentry-gtk2 from jessie with no-grab, which fixes #11038 but doesn't allow pasting, so it still requires KeePassX' autotype feature (which is the status quo).

I will try to locate the commit which enables pasting, so we can fix this in the version packaged in jessie. I took a look at pinentry's git log and I think f9db9378 could be the commit I'm looking for: "gtk2: Replace the custom, secure entry widget with the standard widget". But this commit has a lot of changes and preceded pinentry 0.9.6, while jessie has 0.8.3-2 and stretch 0.9.7. So if this is indeed the commit responsible for being able to paste, I don't think it will be an easy fix.

#6 Updated by segfault almost 4 years ago

I just asked for backporting pinentry-gtk2 to jessie-backports:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817763

#7 Updated by intrigeri almost 4 years ago

  • Assignee set to segfault

Maybe this ticket should be closed, now that we have made a decision, and another one filed to track the follow-up actions? (If #9555 and friends are not enough.)

#8 Updated by segfault almost 4 years ago

  • Related to Feature #11239: Ship pinentry-gtk2 from jessie-backports added

#9 Updated by segfault almost 4 years ago

  • Status changed from Confirmed to Resolved

> Maybe this ticket should be closed, now that we have made a decision, and another one filed to track the follow-up actions? (If #9555 and friends are not enough.)

Agreed.

#10 Updated by dkg almost 4 years ago

just to be clear: the only reason we're going with gtk-2 here is because of integration difficulties between gnome3 and keepassx?

i'd like to document exactly what those integration difficulties are, so we can be clear that these aren't actually things that upstream should consider a bug.

as i understand it:

  • it's possible to paste into a modern gnome3 pinentry, both with ctrl-C and with middle-click
  • it's not possible to launch new applications concurrently without dismissing the pinentry

so i think it's this last property (the fact that the pinentry is "system modal" due to the use of GcrSystemPrompt (https://developer.gnome.org/gcr/unstable/GcrSystemPrompt.html) instead of plain old GcrPrompt (https://developer.gnome.org/gcr/unstable/GcrPrompt.html)) that is the relevant thing.

Is that correct?

#11 Updated by segfault almost 4 years ago

> just to be clear: the only reason we're going with gtk-2 here is because of integration difficulties between gnome3 and keepassx?

Yes.

> as i understand it:
>
> it's possible to paste into a modern gnome3 pinentry, both with ctrl-C and with middle-click

Not entirely sure about middle-click, but I think so. Definitely possible with ctrl-v.

> it's not possible to launch new applications concurrently without dismissing the pinentry

Yes.

> so i think it's this last property (the fact that the pinentry is "system modal" due to the use of GcrSystemPrompt (https://developer.gnome.org/gcr/unstable/GcrSystemPrompt.html) instead of plain old GcrPrompt (https://developer.gnome.org/gcr/unstable/GcrPrompt.html)) that is the relevant thing.

I didn't look at the code and don't know the GNOME API. It's not clear to me from the description, but if GcrSystemPrompt is the function that causes the pinentry to be whole screen and prevents focussing other windows, then yes, this might be the root of the problem.

#12 Updated by intrigeri over 2 years ago

  • Related to Bug #12733: Seahorse fails to import private PGP keys: pinentry-gtk-2 passphrase prompt not displayed added
