7

I use mu4e, mu4e-send-delay to send emails with a delay, GPG to store my SMTP authentication, and pinentry to access GPG files. When I am prompted for the GPG encryption password in the mini-buffer but am typing in another buffer and don't notice it, Emacs remembers that entry and keeps trying to open the GPG file with that wrong password. I then get the *Error* buffer next to my other buffer:

Error while decrypting with "/usr/local/bin/gpg":

gpg: AES encrypted data
gpg: gcry_kdf_derive failed: Invalid data
gpg: encrypted with 1 passphrase
gpg: decryption failed: No secret key

and a user dialog titled "Emacs-x86_64-10_14" with the message "Buffer *temp* modified; kill anyway?" and Yes and No buttons.

Emacs has the same behavior if I restart it, probably because pinentry remembers the password for the session.

How can I force Emacs or pinentry to prompt for a new password? And could I force that prompt to happen in a user dialog, which is more noticeable than the mini-buffer?

miguelmorin

  • I don't use pinentry, so I cannot give you an exact recipe, but as it communicates with the gpg agent and has its own service, I'd start by restarting the agent. `gpgconf --kill gpg-agent` – Muihlinn Sep 26 '19 at 08:38
  • Yes, this works. I had tried `ps -ef | grep gpg` to find the process ID of `gpg-agent` (if it's running, it will return 2 process IDs, one for `gpg-agent` and one for the search process itself), and then kill it with `kill `. This solution is much more elegant. – miguelmorin Sep 26 '19 at 08:48
  • How about the prompt for the password to happen in a user dialog? Could I configure the `gpg-agent` to forget passwords that fail at decryption? – miguelmorin Sep 26 '19 at 08:59
  • Possible duplicate: https://superuser.com/questions/586969/force-gpg-agent-to-forget-password/887987 – miguelmorin Sep 26 '19 at 09:02
  • What I do is have my passwords stored in encrypted files and tell the helper application (mbsync/msmtp) to use the password stored there in its conf file as the result of a command like `gpg --quiet --for-your-eyes-only --no-tty --decrypt pwd-file.gpg`. The app will fail to login if you make typos, but you won't have to mess with the agent recalling wrong passwords; it'll only recall it if it succeeds. – Muihlinn Sep 26 '19 at 09:10
  • @Muihlinn I read [the Gnu appendix on GPG](https://www.gnu.org/software/emacs/manual/html_node/auth/GnuPG-and-EasyPG-Assistant-Configuration.html) and [the GPG directions](https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html#Invoking-GPG_002dAGENT) but I'm still confused how I set up your commands. Is `mbsync/msmtp` the helper you use instead of `gpg-agent` or `epa`? Can you point me in the direction of setting up `gpg-agent` or one of your helpers? – miguelmorin Oct 06 '19 at 16:12
  • I set up this part years ago and I didn't recall the gory details of it, so I looked into it in detail. In the end it looks like I do use gnome-pinentry nowadays, but I'm pretty sure that I installed it later for something else. Allow me a few days to thread it back and elaborate a proper response @miguelmorin – Muihlinn Oct 06 '19 at 16:37

1 Answer

11

Pinentry is only an interface, it doesn't keep any passphrase or permission, and neither does Emacs. It's GPG-agent that manages the ropes. For example, if the time expires or the process dies, you'll have to authenticate again. So just kill the agent:

gpgconf --kill gpg-agent

More info at the gnupg manual.

miguelmorin
Muihlinn
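As an added example, not part of the question or of Muihlinn's answer: the recovery loop the thread describes, in Python. It decrypts the password file with the command from the comments, and when gpg returns the failure quoted in the question it kills gpg-agent with `gpgconf --kill gpg-agent`, so the agent forgets the cached passphrase and pinentry prompts again on the retry. The file name, the `FakeGpg` stand-in and its responses are constructed for the example.

```python
"""Recover from a stale gpg-agent passphrase cache when decrypting a secret file."""
import subprocess
from typing import Callable, Sequence, Tuple

SECRET_FILE = "pwd-file.gpg"  # hypothetical path, as used in the comment thread
DECRYPT_CMD = ["gpg", "--quiet", "--for-your-eyes-only", "--no-tty", "--decrypt"]
KILL_AGENT_CMD = ["gpgconf", "--kill", "gpg-agent"]  # the fix from the answer
# Constructed stderr, copied from the question's *Error* buffer.
STALE_ERR = ("gpg: AES encrypted data\ngpg: gcry_kdf_derive failed: Invalid data\n"
             "gpg: encrypted with 1 passphrase\ngpg: decryption failed: No secret key\n")
Runner = Callable[[Sequence[str]], subprocess.CompletedProcess]

def run_real(cmd: Sequence[str]) -> subprocess.CompletedProcess:
    return subprocess.run(list(cmd), capture_output=True, text=True)

def is_stale_cache_failure(stderr: str) -> bool:
    """A wrong cached passphrase shows up as a KDF/decryption error, not a missing file."""
    return "gcry_kdf_derive failed" in stderr or "decryption failed" in stderr

def decrypt_secret(path: str = SECRET_FILE, run: Runner = run_real,
                   max_attempts: int = 2) -> Tuple[str, bool]:
    """Decrypt `path`. On the failure from the question, kill gpg-agent so it forgets
    the cached passphrase (pinentry prompts again) and retry. Returns (secret, killed)."""
    killed = False
    for attempt in range(1, max_attempts + 1):
        result = run([*DECRYPT_CMD, path])
        if result.returncode == 0:
            return result.stdout.rstrip("\n"), killed
        if attempt < max_attempts and is_stale_cache_failure(result.stderr):
            run(KILL_AGENT_CMD)  # agent restarts on demand and prompts afresh
            killed = True
            continue
        raise RuntimeError(f"gpg failed after {attempt} attempt(s): {result.stderr.strip()}")
    raise ValueError("max_attempts must be >= 1")

class FakeGpg:
    """Simulated gpg/gpg-agent pair (constructed): returns the question's error until
    the agent is killed; with recovers=False the failure persists, e.g. a wrong file."""
    def __init__(self, recovers: bool = True):
        self.poisoned, self.recovers, self.calls = True, recovers, []

    def __call__(self, cmd: Sequence[str]) -> subprocess.CompletedProcess:
        cmd = list(cmd)
        self.calls.append(cmd)
        if cmd == KILL_AGENT_CMD:
            self.poisoned = not self.recovers
            return subprocess.CompletedProcess(cmd, 0, "", "")
        if self.poisoned:
            return subprocess.CompletedProcess(cmd, 2, "", STALE_ERR)
        return subprocess.CompletedProcess(cmd, 0, "hunter2\n", "")
```

Calling `decrypt_secret()` with the default runner executes the real `gpg` and `gpgconf` binaries; the `FakeGpg` runner lets the retry logic be exercised without a keyring.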