Re: QCA2

2022-09-10 Thread Ron Murray

Oops.

   I said:

"because it forces "--pinentry-mode loopback", which suppresses that."

   I should have said

"because it forces "--no-tty", which suppresses that."

Sorry about that.

 .Ron

-- 
Ron Murray 
PGP Fingerprint: 4D99 70E3 2317 334B 141E 7B63 12F7 E865 B5E2 E761


On Sat, 2022-09-10 at 22:44 -0400, Ron Murray wrote:
> Hi Albert.
> 
>    OK. I see that it works for a command-line program (I didn't know
> about qcatool, to be honest). Perhaps I didn't make it clear, but my
> project is a GUI program, using Qt5. Currently, QCA invokes the gpg
> executable (although I gather there are plans to switch to GPGME),
> and there are, as far as I know, only three ways to feed gpg with a
> passphrase when it needs one:
> 
> - Have gpg request it directly on the console, as you describe,
> 
> - Directly, on the command line (not a good idea), and
> 
> - Via gpg-agent.
> 
>    gpg, when invoked manually, opens up a pinentry dialog, which
> collects the passphrase and feeds it to gpg-agent. QCA doesn't seem
> to contain the necessary assuan code to do that. Furthermore, it
> can't request it on the console because it forces
> "--pinentry-mode loopback", which suppresses that. Besides, you don't
> want to use the console for anything when you're running a GUI program.
> 
>    Since QCA invokes the gpg executable anyway, it makes more sense
> to just let gpg bring up a pinentry dialog.
> 
>    I've attached the patch that fixes the library to do just that. I
> don't think it adds much more than 10-12 lines to the code.
> 
> Thanks,
> 
>  .Ron
> 
> 


Re: QCA2

2022-09-10 Thread Ron Murray
Hi Albert.

   OK. I see that it works for a command-line program (I didn't know
about qcatool, to be honest). Perhaps I didn't make it clear, but my
project is a GUI program, using Qt5. Currently, QCA invokes the gpg
executable (although I gather there are plans to switch to GPGME), and
there are, as far as I know, only three ways to feed gpg with a
passphrase when it needs one:

- Have gpg request it directly on the console, as you describe,

- Directly, on the command line (not a good idea), and

- Via gpg-agent.

   gpg, when invoked manually, opens up a pinentry dialog, which
collects the passphrase and feeds it to gpg-agent. QCA doesn't seem to
contain the necessary assuan code to do that. Furthermore, it can't
request it on the console because it forces
"--pinentry-mode loopback", which suppresses that. Besides, you don't
want to use the console for anything when you're running a GUI program.

   Since QCA invokes the gpg executable anyway, it makes more sense to
just let gpg bring up a pinentry dialog.

   I've attached the patch that fixes the library to do just that. I
don't think it adds much more than 10-12 lines to the code.

Thanks,

 .Ron


-- 
Ron Murray 
PGP Fingerprint: 4D99 70E3 2317 334B 141E 7B63 12F7 E865 B5E2 E761


On Sat, 2022-09-10 at 11:31 +0200, Albert Astals Cid wrote:
> On Saturday, 10 September 2022, at 5:00:26 (CEST), Ron Murray wrote:
> >    I'm working on a project using Qt5, GPG and QCA2, the latter because
> > it can encrypt and decrypt PGP messages. This, of course, involves
> > using the qca-gnupg plugin.
> > 
> >    Encryption went fine (there's no need to sign anything (at the
> > moment, anyway)). Decryption, however, presented a problem: How to get
> > the password into gpg? I tried following the one example that I could
> > find (eventhandlerdemo.cpp), but I could never get the PasswordAsker
> > to, you know, actually ask for a password.
> 
> Works fine here [1], I do
> 
> ./bin/qcatool-qt5 message encrypt pgp P:df11
> 
> being df11 the short descriptor [2] of my key that has a passphrase,
> enter some text on the command line and press Ctrl+D and then run
> 
> ./bin/qcatool-qt5 message decrypt pgp
> paste the text on the command line that the encrypt process entered,
> press Ctrl+D
> 
> and feed it that and it ends up in the PassphrasePrompt class code
> asking my passphrase on the command line.
> 
> Cheers,
>   Albert
> 
> [1] Well, it needs a fix in the qcatool code, but that's "irrelevant",
> the library code is fine.
> https://invent.kde.org/libraries/qca/-/merge_requests/89/diffs
> 
> [2] you can use 
>   qcatool-qt5 keystore list-stores
> and
>   qcatool-qt5 keystore list ID_OF_THE_GPG_KEYRING
> to try to find your short id if needed
> 
> > I did discover, however,
> > that if I first used gpg to decrypt something (and supplying my
> > password to the agent in the process), that my program would
> > successfully decrypt things until the agent timed out (i.e. ten minutes
> > or so).
> > 
> >    I began to think that the problem lay in the qca2 library. I went
> > through the source code and did a bit of tracing, and I found that QCA
> > always supplies "--pinentry-mode loopback" on the gpg command line.
> > This will never invoke the pinentry dialog, because that mode forces
> > gpg to ask for a password on the command line, which, apart from being
> > useless in a GUI application, won't work anyway because QCA also
> > supplies "--no-tty" on the command line, and that suppresses console
> > output.
> > 
> >    I managed to modify the qca-gnupg plugin code to replace
> > "--pinentry-mode loopback" with "--pinentry-mode default" when it's
> > decrypting or signing a message, built the libraries, installed it, and
> > now I get a proper pinentry dialog when I want to decrypt a message.
> > 
> >    So, the questions that I have are these:
> > 
> > 1. I don't think that QCA, on its own, has any way to supply a password
> > to gpg or gpg-agent (apart, I suppose, by supplying it on the command
> > line, and nobody wants that), and anyway it's not implemented. But have
> > I missed something? Has anyone got QCA to decrypt files with GPG
> > lately?
> > 
> > 2. Would this patch be useful for others? Note that it only affects the
> > qca-gnupg plugin: the rest of QCA is untouched.
> > 
>

QCA2

2022-09-09 Thread Ron Murray
   I'm working on a project using Qt5, GPG and QCA2, the latter because
it can encrypt and decrypt PGP messages. This, of course, involves
using the qca-gnupg plugin.

   Encryption went fine (there's no need to sign anything (at the
moment, anyway)). Decryption, however, presented a problem: How to get
the password into gpg? I tried following the one example that I could
find (eventhandlerdemo.cpp), but I could never get the PasswordAsker
to, you know, actually ask for a password. I did discover, however,
that if I first used gpg to decrypt something (and supplying my
password to the agent in the process), that my program would
successfully decrypt things until the agent timed out (i.e. ten minutes
or so).

   I began to think that the problem lay in the qca2 library. I went
through the source code and did a bit of tracing, and I found that QCA
always supplies "--pinentry-mode loopback" on the gpg command line.
This will never invoke the pinentry dialog, because that mode forces
gpg to ask for a password on the command line, which, apart from being
useless in a GUI application, won't work anyway because QCA also
supplies "--no-tty" on the command line, and that suppresses console
output.

   I managed to modify the qca-gnupg plugin code to replace
"--pinentry-mode loopback" with "--pinentry-mode default" when it's
decrypting or signing a message, built the libraries, installed it, and
now I get a proper pinentry dialog when I want to decrypt a message.

   So, the questions that I have are these:

1. I don't think that QCA, on its own, has any way to supply a password
to gpg or gpg-agent (apart, I suppose, by supplying it on the command
line, and nobody wants that), and anyway it's not implemented. But have
I missed something? Has anyone got QCA to decrypt files with GPG
lately?

2. Would this patch be useful for others? Note that it only affects the
qca-gnupg plugin: the rest of QCA is untouched.

   I'm using the current QCA version on Debian testing (2.3.4-1+b1).


-- 
Ron Murray 
PGP Fingerprint: 4D99 70E3 2317 334B 141E 7B63 12F7 E865 B5E2 E761
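
The option combinations discussed in this thread, as an added example that is not part of the original messages and is not QCA code: a small checker that reports where a given gpg argument list would get its passphrase from. It goes beyond the thread by also covering gpg's `--passphrase`, `--passphrase-file`, `--passphrase-fd`, `--command-fd` and `--batch` options; the function names and sample argument lists are hypothetical and constructed for illustration.

```python
# Added example (not QCA code): classify where a gpg invocation gets its passphrase.

def option_value(argv, name):
    """Return the value given as `name VALUE` or `name=VALUE`, else None."""
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None

def passphrase_source(argv):
    """Return (source, note) describing how gpg would obtain a passphrase."""
    mode = option_value(argv, "--pinentry-mode") or "default"
    if mode in ("default", "ask"):
        return ("pinentry", "gpg-agent launches a pinentry dialog")
    if mode != "loopback":  # "cancel" and "error" never prompt
        return ("none", "pinentry mode %r refuses to prompt" % mode)
    # Loopback: the prompt is handed back to gpg itself. Per gpg(1), GnuPG 2.1+
    # honours the --passphrase* options only in this mode.
    if option_value(argv, "--passphrase") is not None:
        return ("argv", "passphrase is readable in the process list")
    if option_value(argv, "--passphrase-file") is not None:
        return ("file", "passphrase read from a file; restrict its permissions")
    if option_value(argv, "--passphrase-fd") is not None:
        return ("fd", "caller writes the passphrase to an inherited descriptor")
    if option_value(argv, "--command-fd") is not None:
        return ("command-fd", "caller answers gpg's prompt over the command descriptor")
    if "--no-tty" in argv or "--batch" in argv:
        return ("none", "no channel to prompt on; works only while gpg-agent "
                        "still has the passphrase cached")
    return ("tty", "gpg prompts on the terminal")

# Constructed argument lists built from the options named in the thread; they are
# not QCA's full command line.
AS_REPORTED = ["gpg", "--no-tty", "--pinentry-mode", "loopback", "--decrypt"]
AS_PATCHED = ["gpg", "--no-tty", "--pinentry-mode", "default", "--decrypt"]
ON_COMMAND_LINE = ["gpg", "--batch", "--pinentry-mode=loopback",
                   "--passphrase", "constructed-secret", "--decrypt"]

if __name__ == "__main__":
    for argv in (AS_REPORTED, AS_PATCHED, ON_COMMAND_LINE):
        print(passphrase_source(argv)[0], "<-", " ".join(argv))
```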