gpg-agent and allow-loopback-pinentry
patrick at enigmail.net
Sun Dec 28 17:06:36 CET 2014
On 28.12.14 06:59, NIIBE Yutaka wrote:
> On 12/26/2014 09:35 PM, Patrick Brunschwig wrote:
>> I would like to be able to have the user type the
>> passphrase in my application and then request gpg to do its job.
>> But with gpg 2.1 this is simply not possible.
> Perhaps, it's due to the design of newer GnuPG as a whole. It's
> (partially) possible with loopback mode, though.
> Let me explain my understanding. Here is a figure which shows the
>
>         user
>          |
>   [some mail user agent like thunderbird]
>          |
>   gpg frontend or gpgme library
>          |
>         gpg
>          |
>     gpg agent <--------------------------------> pinentry
>          |
>   secret handled by libgcrypt -OR- by scdaemon
>                                        |
>                                  smartcard/token
> It is gpg-agent which calls pinentry, on demand. There are some
> use cases where the PIN is not asked for through the host PC.
> (1) A smartcard can be configured to require PIN input at the first
> use only, not every time.
> (2) It is also possible, for some smartcard readers, to ask the user for
> PIN input via its pinpad, not through the host PC.
> I understand that application developers have to care about controlling
> their passphrase input, and that this is the largest use case. But please
> understand there are some people who want to control the input in
> different ways, with valid reasons.
That's all clear and understood, and I have no issue with it. My only
problem is that it's difficult (and awkward) for an application that
wraps GnuPG to enable the loopback mode -- it requires modifying
gpg-agent.conf and restarting gpg-agent.
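The steps Patrick describes as awkward for a wrapping application, written out as an added example (not code from the thread or from GnuPG): enable `allow-loopback-pinentry` in gpg-agent.conf, reload the running agent with `gpgconf`, and then hand the passphrase to gpg over a file descriptor in loopback mode. It assumes GnuPG 2.1 with `gpg` and `gpgconf` on PATH; the conf path is a parameter so the helper can be exercised on a temporary file.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GnuPG 2.1+.
set -eu

# Idempotently add "allow-loopback-pinentry" to a gpg-agent.conf file.
# $1 = path to the conf file (normally $GNUPGHOME/gpg-agent.conf).
# Returns 0 when the option is present afterwards.
ensure_loopback_allowed() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    if ! grep -qx 'allow-loopback-pinentry' "$conf"; then
        printf 'allow-loopback-pinentry\n' >> "$conf"
    fi
    grep -qx 'allow-loopback-pinentry' "$conf"
}

# Ask the running gpg-agent to re-read its configuration, which avoids
# killing it (and losing cached passphrases and smartcard state).
reload_agent() {
    gpgconf --reload gpg-agent
}

# Detach-sign $2 with the passphrase in $1, passed on stdin (fd 0) rather
# than as a command-line argument, so it does not show up in the process
# table. In loopback mode gpg-agent asks gpg, not pinentry, for the passphrase.
sign_with_loopback() {
    passphrase="$1"
    file="$2"
    printf '%s\n' "$passphrase" | gpg --batch --pinentry-mode loopback \
        --passphrase-fd 0 --detach-sign --output "$file.sig" "$file"
}

# Run against the real agent only when the caller opts in, e.g.
#   RUN_DEMO=1 GPG_PASSPHRASE=... ./loopback.sh document.txt
if [ "${RUN_DEMO:-0}" = 1 ]; then
    ensure_loopback_allowed "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    reload_agent
    sign_with_loopback "$GPG_PASSPHRASE" "$1"
fi
```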