QCA2
Ron Murray
rjmx at rjmx.net
Sun Sep 11 03:44:24 BST 2022
Hi Albert.
OK. I see that it works for a command-line program (I didn't know
about qcatool, to be honest). Perhaps I didn't make it clear, but my
project is a GUI program, using Qt5. Currently, QCA invokes the gpg
executable (although I gather there are plans to switch to GPGME), and
there are, as far as I know, only three ways to feed gpg with a
passphrase when it needs one:
- Have gpg request it directly on the console, as you describe,
- Directly, on the command line (not a good idea), and
- Via gpg-agent.
gpg, when invoked manually, opens up a pinentry dialog, which
collects the passphrase and feeds it to gpg-agent. QCA doesn't seem to
contain the necessary assuan code to do that. Furthermore, it can't
request it on the console because it forces "--pinentry-mode
loopback", which suppresses that. Besides, you don't want to use the
console for anything when you're running a GUI program.
Since QCA invokes the gpg executable anyway, it makes more sense to
just let gpg bring up a pinentry dialog.
I've attached the patch that fixes the library to do just that. I
don't think it adds much more than 10-12 lines to the code.
Thanks,
.....Ron
--
Ron Murray <rjmx at rjmx.net>
PGP Fingerprint: 4D99 70E3 2317 334B 141E 7B63 12F7 E865 B5E2 E761
On Sat, 2022-09-10 at 11:31 +0200, Albert Astals Cid wrote:
> On Saturday, 10 September 2022, at 5:00:26 (CEST), Ron Murray wrote:
> > I'm working on a project using Qt5, GPG and QCA2, the latter because
> > it can encrypt and decrypt PGP messages. This, of course, involves
> > using the qca-gnupg plugin.
> >
> > Encryption went fine (there's no need to sign anything (at the
> > moment, anyway)). Decryption, however, presented a problem: How to get
> > the password into gpg? I tried following the one example that I could
> > find (eventhandlerdemo.cpp), but I could never get the PasswordAsker
> > to, you know, actually ask for a password.
>
> Works fine here [1], I do
>
> ./bin/qcatool-qt5 message encrypt pgp P:df11
>
> being df11 the short descriptor [2] of my key that has a passphrase, enter
> some text on the command line and press Ctrl+D and then run
>
> ./bin/qcatool-qt5 message decrypt pgp
> paste the text on the command line that the encrypt process entered, press
> Ctrl+D
>
> and feed it that and it ends up in the PassphrasePrompt class code asking my
> passphrase on the command line.
>
> Cheers,
> Albert
>
> [1] Well, it needs a fix in the qcatool code, but that's "irrelevant", the
> library code is fine.
> https://invent.kde.org/libraries/qca/-/merge_requests/89/diffs
>
> [2] you can use
> qcatool-qt5 keystore list-stores
> and
> qcatool-qt5 keystore list ID_OF_THE_GPG_KEYRING
> to try to find your short id if needed
>
> > I did discover, however, that if I first used gpg to decrypt
> > something (and supplying my password to the agent in the process),
> > that my program would successfully decrypt things until the agent
> > timed out (i.e. ten minutes or so).
> >
> > I began to think that the problem lay in the qca2 library. I went
> > through the source code and did a bit of tracing, and I found that QCA
> > always supplies "--pinentry-mode loopback" on the gpg command line.
> > This will never invoke the pinentry dialog, because that mode forces
> > gpg to ask for a password on the command line, which, apart from being
> > useless in a GUI application, won't work anyway because QCA also
> > supplies "--no-tty" on the command line, and that suppresses console
> > output.
> >
> > I managed to modify the qca-gnupg plugin code to replace
> > "--pinentry-mode loopback" with "--pinentry-mode default" when it's
> > decrypting or signing a message, built the libraries, installed it,
> > and now I get a proper pinentry dialog when I want to decrypt a
> > message.
> >
> > So, the questions that I have are these:
> >
> > 1. I don't think that QCA, on its own, has any way to supply a
> > password to gpg or gpg-agent (apart, I suppose, by supplying it on the
> > command line, and nobody wants that), and anyway it's not implemented.
> > But have I missed something? Has anyone got QCA to decrypt files with
> > GPG lately?
> >
> > 2. Would this patch be useful for others? Note that it only affects
> > the qca-gnupg plugin: the rest of QCA is untouched.
> >
> > I'm using the current QCA version on Debian testing (2.3.4-1+b1).
>
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ask-for-passphrase
Type: text/x-patch
Size: 2095 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20220910/97bd3177/attachment.bin>
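
The argument change described in the message above, as an added example in plain C++: it is not the attached patch and not code from the qca-gnupg plugin. The names `GpgOp`, `needs_secret_key` and `adjust_gpg_args` are hypothetical, and the refusal of `--passphrase` on the command line is an extra check added here.

```cpp
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical names; this is not the qca-gnupg plugin's code.
enum class GpgOp { Encrypt, Verify, Decrypt, Sign };

// Decrypting and signing need the secret key, hence the passphrase.
static bool needs_secret_key(GpgOp op) {
    return op == GpgOp::Decrypt || op == GpgOp::Sign;
}

// Returns a copy of args where a loopback pinentry mode (two-token or
// "=" form) becomes "default" for secret-key operations, so gpg-agent
// can start a pinentry dialog. Throws if the passphrase itself would
// be passed with --passphrase on the command line.
std::vector<std::string> adjust_gpg_args(const std::vector<std::string>& args,
                                         GpgOp op) {
    std::vector<std::string> out;
    for (std::size_t i = 0; i < args.size(); ++i) {
        const std::string& a = args[i];
        if (a == "--passphrase" || a.rfind("--passphrase=", 0) == 0)
            throw std::invalid_argument("passphrase on the gpg command line");
        if (needs_secret_key(op) && a == "--pinentry-mode=loopback") {
            out.push_back("--pinentry-mode=default");
        } else if (needs_secret_key(op) && a == "--pinentry-mode" &&
                   i + 1 < args.size() && args[i + 1] == "loopback") {
            out.push_back(a);
            out.push_back("default");
            ++i;  // the original mode value has been replaced
        } else {
            out.push_back(a);
        }
    }
    return out;
}

int main() {
    // Constructed argument list, modelled on the flags named in the message.
    std::vector<std::string> argv = {"--no-tty", "--pinentry-mode", "loopback",
                                     "--decrypt"};
    for (const auto& a : adjust_gpg_args(argv, GpgOp::Decrypt))
        std::cout << a << ' ';
    std::cout << '\n';
}
```
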