[wishlist] Pinentry does not allow to paste into it, why?!

Same issue here. This really sucks as I am using KeePassX ... please let us at least know what we have to change in the source code to patch this.

Eike confirms;
This is still issue in 9.10

pushing this bug (or feature)... hope there will be a fix in lucid

It's an intentional upstream feature. The whole point of pinentry is that the password doesn't leak anywhere in plain text. Using copy and paste defeats that.

@Peter Eisentraut: Do you think it is possible to ask the user twice if he wants to copy/past and have this security risk?
I am not a professional regarding GnuPG and can't imagine how big the security risk will be. My computer, that only I am using, is completely encrypted so maybe the security risk would be quite low as no one else can access the file system - except malware or similar which is not such a big risk for unix-like operating systems as far is I understood.

The purpose of the pinentry package is to have a secure passphrase entry. If you want a nonsecure one, you can probably implement that in about 30 lines of shell script. Or just remove the passphrase from your private key. Not that I recommend that. :)

@Peter Eisentraut most of the time I want to type my passphrase in but occasionally I want to generate some large 128 or more character random text as the passphrase as I don't intend to ever have to type the thing in and just want a very secure passphrase which will be stored on an encrypted medium protected by an air gap. I don't want to have to type in 128 or more random characters (because I will make mistakes and it will take ages) hence pinentry should allow copy and paste (but perhaps warn people).

The problem I was having is that GPG uses pinentry and so I couldn't set a passphrase for a key signing key without using "--gpg-agent-info=foo" to temporarily disable it by making it point to an invalid program causing gpg to fall back to normal command line entry.

I am still having this problem in Ubuntu 10.04 (lucid)

@Daniel Thomas: Glad to have a third person here that demands a copypasta function :)

Sorry, fourth person would be correct.

I don't know if Werner is the cause of this intentional defect or if someone else put this dreadful idea into pinentry.

Regardless of the fact that it's an upstream issue, someone who can code needs to fork pinentry and change this from a permanent defect to a default setting that can be overridden for those of us who actually know what we're doing.

Drag & drop from a key storage file (like keepassx) does NOT expose your passphrase to the clipboard.

Same issue here. Have some GPG-Keys with long pass phrases stored in KeesPassX. Cannot use them in Ubuntu/Linux because of this annoying behavior. So my Keys are completely useless. If I would get any kind of feedback, like an info that the use of c&p is unsure and I will do this on my own risk, then it would be OK. But in this way it is completely unuseable crap for me.

Let there be five people. For me a secure key is more important than preventing copy&paste.

I don't care about technical issues, this is pure psychology. If I am forced to type in a strong passphrase every session I will change it to a insecure one or use none at all. So this behaviour will not improve security. There is more than bits and bytes, there are users which have to be considered, too!

That itch itched me too long and I "fixed" it for qt :

http://koospol.nl/cms/index.php/computer/pinentry-qt4-en

Perhaps someone can hack that for gtk as well.

yeah, please fix that.

who wants to enter a password like

TAAxuQZ4jCNEi8gDNzn3WPzqoS-vASso_h9ydykvenwYhtD8mFqK

manually??

proudly generated with keepassx ;)

I fixed the problem by using the KeePassX Auto-Type function (using Gnome). This bug doesn't seem to get fixed soon, so that's maybe the best solution at the moment.

As part of the resolution of Bug #162585, Todd A. Jacobs asked me to post a new bug regarding KeePassX. But it seems there is already one here so I will post in it. :)

I quote from #162585. Todd: "I will mark this bug invalid, since it isn't actually a bug, but would encourage you to file a bug against pinentry-gtk2 about the inability to interoperate with KeePassX, as that is certainly a usability issue that is likely to surprise a great number of users."

Hello everyone.

I have made some changes to pinentry-qt4 to enable copy/paste. As i found out, at some point they moved from QString to secqstring (which is std::basic_string) and did commented defines, that enable ContextMenu and CopyPaste.

So "fix" have 3 part anyone with minor programming skill can impelement:
* define q_to_sec and sec_to_q conversion functions in secstring.h http://paste.ubuntu.com/663492/
* implement those functions in secstring.cpp: http://paste.ubuntu.com/663494/
* comment QT_NO_CLIPBOARD / QT_NO_CONEXTMENU / QT_NO_DRAGANDDROP defines at the beginning of the qsecurelineedit.h: http://paste.ubuntu.com/663496/
* (not recommended way) open qsecurelineedit.cpp and replace it with http://paste.ubuntu.com/663498/
* (recommended way) compare your qsecurelineedit.cpp with http://paste.ubuntu.com/663498/ and make appropriate changes (use sec_to_q and q_to_sec where needed). I also commentet QUnicoreControlComething becouse can't find where it's include.
* now configure pinentry (./configure --enable-pinentry-qt4) and make
* copy compiled binary to appropriate place.

Now your pinentry should be able to do basic copy/cut/paste operations.

Sorry for such "textual" fix, dunno how to make it more Ubuntish :)

I can confirm this bug in Kubuntu 12.04. This is extremely annoying. I regularly use gpg for symmetric encryption with huge (200+ bytes) autogenerated passphrases. The only practical way of entering such keys are by copy/paste.

Please fix this, as disallowing copy/paste encurages use of tiny and unsecure passwords (those that are memorable).

Count me as another person who would like to be able to paste in to pinentry-qt4.

This is a horrible deliberate usability problem that the upstream developers seem unwilling to address, and 'Marcus Brinkmann' says in http://lists.gnupg.org/pipermail/gpa-dev/2010-June/002506.html "There is nothing stopping distributions from doing the same integration work, if there is demand for it." It appears that distributions like Ubuntu are reponsible for overriding the upstream behavior.

It looks like OpenSuSE's pinentry-qt4 package is patched to allow copy/paste, according to http://rpmfind.net/linux/RPM/opensuse/12.3/i586/pinentry-qt4-0.8.1-18.1.1.i586.html . The patch seems to be available at https://build.opensuse.org/package/view_file?file=pinentry-0.8.1-allow_paste_qt4.patch&package=pinentry&project=openSUSE%3A12.1&rev=7a944e43c7904f6e93e24e838652c75d , which implements Dmitry's comments in #17.

I downloaded pinentry-0.8.1 and patched it according to http://koospol.nl/cms/index.php/computer/pinentry-qt4-en (I found this before the OpenSuSE package/patch), and copied the custom pinentry-qt4 to ~/bin. My .gnupg/gpg-agent.conf contains "pinentry-program /home/mruffalo/bin/pinentry-qt4" and I'm now able to paste long random passwords from KeePassX.

+1 for shipping either patch in the pinentry-qt4 package (and an equivalent change to the GTK version, if appropriate), since Ubuntu wouldn't be the first distribution to do so.

It will be possible to enable pasting with upcoming 0.8.4 of pinentry, see https://bugs.g10code.com/gnupg/issue1374

However, looking at older release dates it can take until end of the year.

And yes, I also need it, password managers are quite useless otherwise :/

I also wish pasting works. But when will it be updated in trusty?

Same here. KeePassX mega passwords that are impossible to type in.

Same here - tinfoilhat users should use HSM anyway, and there is no protection against keyloggers.

Threats should be continously assessed, and I find this issue a true usability problem.

please backport an updated version with copy/paste support to trusty

Upstream seems to think that this is fixed as of 0.9, and Ubuntu 15.10 has 0.9.5. Unfortunately, it doesn't seem to work for me with pinentry-gtk-2 or pinentry-gnome3 (but pinentry-qt4 does work).

https://bugs.gnupg.org/gnupg/issue2188

Pinentry-qt4 doesn't work here. The bug still persists. I really hope they get a fix soon.