Integrate pinentry-mac into pinentry

Roman Zechmeister Mento at
Tue Feb 24 12:37:24 CET 2015

Hello Werner!

> This violates the security barrier of gpg-agent.  Any application could
> trick a user into doing things he does not want.  For keys controlled by
> gpg-agent the shown key identification should come from gpg-agent
> without any user overridable string.
> It is a different thing to allow additional information to be displayed.
> If there is a need for it it can be added but it should be specified in
> the gpg-agent/pinentry protocol.

My idea is not to allow to override the shown Fingerprint/KeyID.
The idea is to allow a more intuitive and informative message.

Normally the message comes from gpg and not from gpg-agent.
The message could also come from any other software using gpg-agent directly.
Also have a look at my last mail on the devel list (22 Feb, 17:55).
Btw. the same attack could be used on pinentry, to show a fake message.

Regards, Mento

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: </pipermail/attachments/20150224/615da103/attachment.sig>

More information about the Gnupg-devel mailing list