gpg-agent and allow-loopback-pinentry

Patrick Brunschwig patrick at
Sun Dec 28 17:06:36 CET 2014


On 28.12.14 06:59, NIIBE Yutaka wrote:
> On 12/26/2014 09:35 PM, Patrick Brunschwig wrote:
>> I would like to be able to have the user type the passphrase in
>> my application and then request gpg to do its job.
>> But with gpg 2.1 this is simply not possible.
> Perhaps, it's due to the design of newer GnuPG as a whole.  It's 
> (partially) possible with loopback mode, though.
> Let me explain my understandings.  Here is a figure which shows the
> relationship:
> user
>   |
> [some mail user agent like thunderbird]
>   |
> gpg frontend or gpgme library
>   |
> gpg agent <--------------------------------> pinentry
>   |
> secret handled by libgcrypt -OR- by scdaemon
>                                   |
>                              smartcard/token
> It is gpg-agent which calls pinentry, on demand.  There are some
> use cases when PIN is not asked back through host PC.
> (1) A smartcard can be configured to require PIN input at the first
> use only, and not every time.
> (2) It is also possible, for some smartcard readers, to ask the user
> for PIN input via its pinpad, not through the host PC.
> I understand that application developers have to care about controlling
> their passphrase input, and that these are the largest use cases.  But, please
> understand there are some people who want to control the input in
> different ways, with valid reasons.

That's all clear and understood, and I have no issue with it. My only
problem is that it's difficult (and awkward) for an application that
wraps GnuPG to enable the loopback mode -- it requires modifying
gpg-agent.conf and restarting gpg-agent.

-Patrick
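As an added example, not from this thread or from the GnuPG project, here is a POSIX shell sketch of the steps a wrapping application has to go through on GnuPG 2.1 to use loopback mode: add `allow-loopback-pinentry` to gpg-agent.conf (idempotently), ask the running agent to re-read its configuration with `gpgconf --reload gpg-agent` instead of restarting it, and then hand the passphrase to gpg over a file descriptor rather than on the command line, where it would be visible in process listings. The file name `message.gpg` and the `PASSPHRASE` variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example: wrapper-side handling of GnuPG 2.1 loopback pinentry.
# Assumes gpg, gpg-agent and gpgconf from GnuPG 2.1 are on PATH.
GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# Append "allow-loopback-pinentry" to the given gpg-agent.conf (default:
# $GNUPGHOME/gpg-agent.conf) unless an identical line is already present.
# Prints "added" or "present"; never duplicates the option.
enable_loopback() {
    conf="${1:-$GNUPGHOME/gpg-agent.conf}"
    if grep -qx 'allow-loopback-pinentry' "$conf" 2>/dev/null; then
        echo present
    else
        printf 'allow-loopback-pinentry\n' >> "$conf"
        echo added
    fi
}

# Make a running gpg-agent re-read gpg-agent.conf (sends it SIGHUP),
# so the new option takes effect without killing the agent.
reload_agent() {
    gpgconf --reload gpg-agent
}

# Decrypt with the passphrase read from stdin (fd 0). The passphrase is
# never placed in argv, so it does not leak through `ps` or shell history.
decrypt_loopback() {
    infile="$1"
    gpg --batch --pinentry-mode loopback --passphrase-fd 0 --decrypt "$infile"
}

# Typical wrapper flow (assumed file name; PASSPHRASE collected by the app):
#   enable_loopback && reload_agent
#   printf '%s' "$PASSPHRASE" | decrypt_loopback message.gpg
```

Only `enable_loopback` is exercised offline; `reload_agent` and `decrypt_loopback` need a live GnuPG 2.1 installation.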
