[Gpg4win-users-en] gpg4win: cannot enter passphrase when creating key

Bernhard Reiter bernhard at intevation.de
Mon Nov 11 09:35:11 CET 2013 

Hi Alexander,

On Sunday 10 November 2013 at 14:34:36, Alexander Kriegisch wrote:
> I have a fresh installation
>   - of gpg4win 2.2.1
>   - on Windows XP Pro SP3 (German).

did you ever have Gpg4win or KDE Plattform 4 applications on this windows 
installations before? (This is a safety question, they may interfere with 
some Registry or Paths settings.)

> First I tried the vanilla version (only GnuPG command line), then later the
> full package with Kleopatra. 

Should not make a difference. 

> The result is always the same: I cannot create 
> a new key pair because somehow the passphrase is not captured correctly. On
> the command line the following happens: - Run cmd.exe
>   - gpg --gen-key
>   - The whole assistant works nicely until I get to the part where I
>     should enter my passphrase. Now nothing happens, I see no dots or
>     asterisks when entering the passphrase. I can enter it as many times
>     as I want to, the passphrase is not captured. I can only stop the
>     process via Ctrl-C. Then the passphrase is written to the console
>     as CLEAR TEXT(!) and treated as if I entered it as a command. 

Bringing up the pinentry application seems to be the issue.
If you call pinentry.exe on the command line do you get something?
If you get a prompt, try entering "getpin".

>     This is a security nightmare. 

You need to be more precise than this. Given that you would want to create
a new certificate on a secure system anyway, there does not seem to be much
of an additional attack vector if the certificate is not created at all.

>     I cannot understand how something like this 
>     can ever pass a test unnoticed.

Probably because it usually works, if we knew all the circumstances
where Gpg4win application would run, then it could have been tested.

> By the way, the same problem was reported long ago already, but nothing
> happened. See this thread:
> http://lists.wald.intevation.org/pipermail/gpg4win-users-en/2009-August/000
>349.html

Different version of Gpg4win, probably a different problem.
To be sure we had to have a way to reproduce the issue.

Best Regards and thanks for your report!
Bernhard


-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-users-en/attachments/20131111/59e29736/attachment.sig>

More information about the Gpg4win-users-en mailing list