GnuPG pinentry depending on GUI presence

On MacOSX I'm using gnupg21 to sign git commits. Depending on the project I'm currently working on, sometimes I use an IDE (here IntelliJ IDEA) to interact with git and sometimes the terminal directly.

I had to setup

pinentry-program /usr/local/bin/pinentry-mac

to be able to continue working on IntellijIDEA.

However, I'm not really a fan of a GUI prompt when I'm using the terminal. Do you think it's possible to configure gnupg21 to choose the pinentry program depending on the situation?

  • On GUI -> /usr/local/bin/pinentry-mac
  • On terminal -> /usr/local/bin/pinentry

Edit: My current config files

gpg-agent.conf

enable-ssh-support
default-cache-ttl 14400
max-cache-ttl 86400
log-file /var/log/gpg-agent.log
pinentry-program /usr/local/bin/pinentry-mac

gpg.conf

keyserver hkp://keys.gnupg.net
no-tty
use-agent

Running Multiple gpg-agents

GnuPG's gpg-agent could be configured to use different sockets before GnuPG 2.1; you could have used different gpg-agents running in parallel with different configurations (pinentry implementations).

With GnuPG 2.1, this is not possible any more. GnuPG since 2.1 always uses a fixed socket path.

Pinentry Switching

The only clean possibility to enable such a feature is probably writing a pinentry "switch" implementation, deciding which actual pinentry to call depending on whether called from a command line or the GUI (for example, depending on what DISPLAY or tty variables are set).

Loopback Pinentry Mode

An alternative would be to use the loopback pinentry feature, which is disabled in gpg-agent by default for security reasons. Pinentry loopback will have gpg-agent query gpg for the passphrase instead of the out-of-band pinentry password query. This potentially opens security issues, as the rather large and complex GnuPG application (with a larger chance of vulnerabilities) gets access to the passphrase and thus the private key, which would otherwise be limited to the gpg-agent and pinentry implementation.

To do so anyway, add the line allow-loopback-pinentry to ~/.gnupg/gpg-agent.conf, then killall gpg-agent (so it is restarted with the option enabled the next time GnuPG wants to use it). When you want to use the GUI pinentry, start GnuPG as normal; for command line operations, call gpg21 --pinentry-mode loopback instead (which of course could be an alias for gpg21).
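A pinentry "switch" of the kind the answer above describes, written here as an added example (it is not code from the original answer, from GnuPG or from pinentry). It is meant to be installed as /usr/local/bin/pinentry-switch (a hypothetical name) and set as pinentry-program in gpg-agent.conf, followed by killall gpg-agent. It assumes the two binary paths from the question, and that a PINENTRY_USER_DATA value exported in the calling shell reaches the pinentry's environment through the agent, which is the mechanism the second answer on this page relies on. An IDE started from the Dock will not have that variable, so it gets the GUI pinentry; a terminal that exports it gets the curses one.

```shell
#!/bin/sh
# pinentry-switch: forward to a GUI or a curses pinentry depending on how
# gpg was invoked. Added example, not part of the original answers.
#
# Assumptions (labelled): the paths below are the ones from the question, and
# PINENTRY_USER_DATA from the calling gpg's environment is present in this
# script's environment (the agent forwards it, as the second answer notes).

GUI_PINENTRY=/usr/local/bin/pinentry-mac   # used from IntelliJ / GUI
TTY_PINENTRY=/usr/local/bin/pinentry       # curses, used from a terminal

# choose_pinentry USER_DATA
# Prints the path of the pinentry to run. Accepted tokens in USER_DATA:
#   USE_TTY=1 or USE_CURSES=1  -> curses pinentry (terminal sessions)
#   USE_GUI=1                   -> GUI pinentry, even if a tty token is also set
#   anything else / empty       -> GUI pinentry (the IDE case: no variable set)
choose_pinentry() {
    user_data=$1
    case "$user_data" in
        *USE_GUI=1*)                  echo "$GUI_PINENTRY" ;;
        *USE_TTY=1*|*USE_CURSES=1*)   echo "$TTY_PINENTRY" ;;
        *)                            echo "$GUI_PINENTRY" ;;
    esac
}

# Dispatch only when installed under the pinentry-switch name. When the file
# is sourced under another name (for instance by a test) it just defines the
# function above. All of gpg-agent's options ("$@") are passed through
# unchanged so the real pinentry sees the same command line the agent built.
case "$0" in
    */pinentry-switch|pinentry-switch)
        target=$(choose_pinentry "${PINENTRY_USER_DATA:-}")
        if [ ! -x "$target" ]; then
            echo "pinentry-switch: $target is not executable" >&2
            exit 1
        fi
        exec "$target" "$@"
        ;;
esac
```

To use it from the terminal only, put export PINENTRY_USER_DATA="USE_TTY=1" in your shell profile and leave it unset for GUI applications; the default branch means a caller that sends nothing still gets a usable dialog rather than a curses prompt on a non-existent tty.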


Sorry for the late answer but I had the same question and found a solution that seems cleaner than changing the pinentry-program configuration and restarting gpg-agent every time.

Although it's not documented anywhere outside of the source, pinentry-mac will fall back to the curses CLI pin entry method if the PINENTRY_USER_DATA environment variable is set to USE_CURSES=1. You can leave pinentry-mac as the default in your gpg-agent.conf and slap:

export PINENTRY_USER_DATA="USE_CURSES=1"

in your bash profile or equivalent.