diff --git a/init.org b/init.org index 2d12914..a62b8a2 100644 --- a/init.org +++ b/init.org 
@@ -358,10 +358,58 @@ The *pass* command gives a super practical way to store secrets encrypted using *gpg* and use them in *.envrc* files, batch scripts on the command line and, of course, in *Emacs*. + + +For setups with GnuPG >= 2.1, pinentry package is not needed anymore. + +Quote from the Emacs News.26 file: + +*** The pinentry.el library has been removed. +That package (and the corresponding change in GnuPG and pinentry) +was intended to provide a way to input passphrase through Emacs with +GnuPG 2.0. However, the change to support that was only implemented +in GnuPG >= 2.1 and didn't get backported to GnuPG 2.0. And with +GnuPG 2.1 and later, pinentry.el is not needed at all. So the +library was useless, and we removed it. GnuPG 2.0 is no longer +supported by the upstream project. + +To adapt to the change, you may need to set 'epa-pinentry-mode' to the +symbol 'loopback'. Alternatively, leave 'epa-pinentry-mode' at its +default value of nil, and remove the 'allow-emacs-pinentry' setting +from your 'gpg-agent.conf' configuration file, usually found in the +'~/.gnupg' directory. + +Note that previously, it was said that passphrase input through +minibuffer would be much less secure than other graphical pinentry +programs. However, these days the difference is insignificant: the +'read-password' function sufficiently protects input from leakage to +message logs. Emacs still doesn't use secure memory to protect +passphrases, but it was also removed from other pinentry programs as +the attack is unrealistic on modern computer systems which don't +utilize swap memory usually. + +See also a discussion on why pinentry was removed from Emacs core. 
+ +So a setup may now consist of: + +In Emacs' user-init-file: + +#+BEGIN_SRC elisp +(require 'epg) +(setq epg-pinentry-mode 'loopback) +#+END_SRC + +In ~/.gnupg/gpg-agent.conf: + +#+BEGIN_SRC text :tangle no +allow-emacs-pinentry +# on Mac OS +pinentry-program /usr/local/bin/pinentry-mac +#+END_SRC + +*** Enable pass secrets + #+BEGIN_SRC emacs-lisp - ;; enable unix password-store - ;;(use-package epg) - ;;(setq epg-pinentry-mode 'loopback) (auth-source-pass-enable) #+END_SRC
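Review bot: the proposed setup contradicts the NEWS text quoted just above it: the config sets `(setq epg-pinentry-mode 'loopback)` and also keeps `allow-emacs-pinentry` in `~/.gnupg/gpg-agent.conf`, while the quote says to do one or the other (set the mode to `loopback`, or leave it `nil` and remove `allow-emacs-pinentry`). With loopback mode Emacs hands the passphrase to gpg-agent itself, so `allow-emacs-pinentry` (which only matters for the removed pinentry.el path) does nothing here and should be dropped from the example, leaving only the `pinentry-program` line for command-line callers. Note also the variable-name mismatch: the quote uses `epa-pinentry-mode` (Emacs 26), the elisp block uses `epg-pinentry-mode` (the name Emacs 27 introduced, with `epa-pinentry-mode` kept as an obsolete alias); a one-line remark saying which Emacs version each applies to would save readers a confused debugging session. Two smaller points: the pasted NEWS line `+*** The pinentry.el library has been removed.` starts with `***` at column 0, which org-mode will parse as a new third-level heading at the same level as `*** Enable pass secrets`, breaking the outline; wrap the quoted block in `#+BEGIN_QUOTE` / `#+END_QUOTE` or prefix the line with a comma-escape. And `See also a discussion on why pinentry was removed from Emacs core.` has no link attached, so either add the URL or drop the sentence.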