Re: Problem with focus of pinentry on win7

2018-11-26 Thread Bernhard Kleine
thanks a lot

Bernhard

On 26.11.2018 at 11:55, Werner Koch wrote:
> Hi!
>
> Here is my reply to the Enigmail list which explains why this is indeed
> not just a problem of gpg and that we can't have a perfect solution.
>
> For security reasons Windows has strict rules on which process can put
> itself into the focus.  Enigmail needs to tell Pinentry, via gpg, that
> it may take the focus and request input.  This is implemented by a
> callback mechanism all the way from Pinentry, via gpg-agent and gpg up
> to the calling process (Thunderbird here).
>
> In the case of Enigmail, it needs to call AllowSetForegroundWindow with
> the process handle of the just created gpg process.  In turn, gpg
> detects the Pinentry launch and calls AllowSetForegroundWindow on the
> process handle of the started Pinentry.  Only then may Pinentry
> display itself.  Further, when calling AllowSetForegroundWindow the
> process must have its window already in the foreground.
>
> Sometimes other windows get in the way and even a correctly implemented
> AllowSetForegroundWindow chain will not work.  As per Windows security
> architecture, the Pinentry will announce itself in the taskbar.
>
> I would recommend to increase the passphrase caching time so
> that the Pinentry dialog is not required too often.  Usually there is
> not much security gain by always entering the passphrase: Any attacking
> malware will first install a keylogger and can thus grab the passphrase
> in any case.
>
>
> Salam-Shalom,
>
>Werner
>
-- 
spitzhalde9
D-79853 lenzkirch
bernhard.kle...@gmx.net
www.b-kleine.com, www.urseetal.net
-
thunderbird with enigmail
GPG key: D5257409
fingerprint:
08 B7 F8 70 22 7A FC C1 15 49 CA A6 C7 6F A0 2E D5 25 74 09




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Problem with focus of pinentry on win7

2018-11-26 Thread Werner Koch
Hi!

Here is my reply to the Enigmail list which explains why this is indeed
not just a problem of gpg and that we can't have a perfect solution.

For security reasons Windows has strict rules on which process can put
itself into the focus.  Enigmail needs to tell Pinentry, via gpg, that
it may take the focus and request input.  This is implemented by a
callback mechanism all the way from Pinentry, via gpg-agent and gpg up
to the calling process (Thunderbird here).

In the case of Enigmail, it needs to call AllowSetForegroundWindow with
the process handle of the just created gpg process.  In turn, gpg
detects the Pinentry launch and calls AllowSetForegroundWindow on the
process handle of the started Pinentry.  Only then may Pinentry
display itself.  Further, when calling AllowSetForegroundWindow the
process must have its window already in the foreground.

Sometimes other windows get in the way and even a correctly implemented
AllowSetForegroundWindow chain will not work.  As per Windows security
architecture, the Pinentry will announce itself in the taskbar.

I would recommend to increase the passphrase caching time so
that the Pinentry dialog is not required too often.  Usually there is
not much security gain by always entering the passphrase: Any attacking
malware will first install a keylogger and can thus grab the passphrase
in any case.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
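
Added example, not part of the message above: one way to apply the recommended longer passphrase caching time in gpg-agent.conf. The TTL values are illustrative assumptions, not figures from the thread.

```conf
# gpg-agent.conf -- added example, values are assumptions chosen for illustration.
# The file lives in the GnuPG home directory; print it with:
#   gpgconf --list-dirs homedir
# (on Windows this is normally %APPDATA%\gnupg).

# Before: GnuPG's built-in defaults, shown commented out for comparison.
# A cached passphrase expires 600 s after its last use and at most
# 7200 s after it was first entered, so Pinentry reappears often.
#   default-cache-ttl 600
#   max-cache-ttl 7200

# After: keep an entry for 8 hours after its last use ...
default-cache-ttl 28800
# ... but never longer than 12 hours after it was entered.
# max-cache-ttl caps default-cache-ttl; raising only the latter
# has no effect beyond this limit.
max-cache-ttl 43200

# Make the running agent pick up the change:
#   gpgconf --reload gpg-agent
# The reload also flushes passphrases that are currently cached,
# so expect one Pinentry prompt right after it.
```

Because the longer cache keeps the key usable without a prompt, lock the workstation when leaving it; `gpgconf --reload gpg-agent` can be run at any time to clear the cache early.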




Problem with focus of pinentry on win7

2018-11-26 Thread Bernhard Kleine
I have asked this in the enigmail mailing list and was referred to GNUPG
by Patrick Brunschwig:

> On 26.11.18 09:33, Bernhard Kleine wrote:
>> I use enigmail with thunderbird 60.3.1 on win7. Enigmail asks me
>> regularly for the passphrase via pinentry since I sign my mails. What I
>> have noticed is that
>>
>>  1. the pinentry window pops up.
>>  2. I engage the passwordsave program to copy the passphrase
>>  3. I try to use alt-tab to refocus on pinentry.
>>  4. Mostly I go not to pinentry but to thunderbird. The focus on
>> pinentry is lost. That focus had to be reestablished by manual
>> manipulation.
>>
>> I think this is a bug. I would like to know where the bugreports of
>> enigmail can be placed.
> Enigmail bugs could be reported here:
> https://sourceforge.net/p/enigmail/bugs/
>
> *However* this is not a bug in Enigmail. Pinentry is a component of
> GnuPG or gpg4win. Enigmail does not open pinentry, nor can it control
> its focus. In other words, Enigmail does not ask you for your passphrase
> - that's fully controlled by GnuPG.
>
> -Patrick
>
>
>

-- 
spitzhalde9
D-79853 lenzkirch
bernhard.kle...@gmx.net
www.b-kleine.com, www.urseetal.net
-
thunderbird with enigmail
GPG key: D5257409
fingerprint:
08 B7 F8 70 22 7A FC C1 15 49 CA A6 C7 6F A0 2E D5 25 74 09


