tech-pkg archive


Re: CVS commit: pkgsrc/security/gnupg2



On 15/07/15 16:23, Greg Troxel wrote:
>>> Sort of related, are we at the point where the gnupg2 package should
>>> build gpg, and gpg 1 should be deprecated?  I'm not clear on why we are
>>> still using gpg1.
>>
>> I believe gpg2 will work fine for many users.
> 
> Some people seem bothered by it, but I haven't seen specifics, just a
> general objection to some notion of complexity.    As I see it, the
> pinentry thing is the big complexity, but it's also useful, and gpg1
> uses pinentry, so I don't really see how gpg1/gpg2 are different.
> Perhaps it's that with gpg1 on the command line, you can type the
> passphrase manually, and you can't with gpg2, but I'm not clear on the
> details.

   I encountered a few different issues when trying to use gpg2 with
Thunderbird+Enigmail.  On NetBSD I couldn't get them to work at all (the
problem looked like it was in some enigmail/gpg2 glue somewhere, but I
couldn't get it to log what was going on).

   When I tried to get it working on my Mac using pkgsrc I encountered
other problems; like the pinentry-gtk window not appearing as its own
process and opening _behind_ other windows (in other words: it was
difficult to know that it was asking for a passphrase), plus it wouldn't
be able to cache passphrases, and it kept asking twice for each
operation.  I eventually tried MacGPG which has a native pinentry which
works much better.  Though the entire configuration is not perfect -- I
have seen some flakiness, like I couldn't make it use the right key on
one account (but it works fine with gpg1).  It was suggested that this
particular issue could be related to a new key file format in gpg2, and
copying key-files from another system can cause it to become confused.
I don't remember the details, just that I had to do an ugly work-around
in order for it to accept the key for the account.

   When I get some spare time I'll give it another go on NetBSD now that
others are reporting that it's working.

   For those running gpg2 on NetBSD:

   Out of curiosity..  I know the big Linux distros have gone all
Windows/Mac:esque and "boot to GUI", so there are normally no issues
with hard-wiring gpg to use either pinentry-gtk or pinentry-qt,
depending on which gui you boot into.

   I boot up to text consoles and start X when I need it; but I tend to
use full screen text mode often enough that I don't want entering a
passphrase for gpg2 to be a reason to have to start X.  Does anyone have
a good solution which will Just Work(tm) in the sense that when I'm
using text consoles it'll use pinentry-tty, and when I'm running X (for
thunderbird, etc) it'll use pinentry-gtk?

-- 
Kind Regards,
Jan

