Integrate pinentry-mac into pinentry
Werner Koch
wk at gnupg.org
Tue Feb 24 14:51:27 CET 2015
On Tue, 24 Feb 2015 12:37, Mento at gpgtools.org said:
> Normally the message comes from gpg and not from gpg-agent.
Right, that is the case for OpenPGP messages. But after all gpg-agent
decides what to display. The gpg-agent command SETKEYDESC is used to
tell gpg-agent about the OpenPGP properties and desired operation of the
requested key. However, gpg-agent may eventually be changed to screen
that information for correctness. This is in particular important when
gpg is used via a remote socket.
> Btw. the same attack could be used on pinentry, to show a fake message.
Conceptually it is not allowed that pinentry is used by other software
than gpg-agent. Today gpg-agent is mostly used within the same security
boundary as gpg (under the same user and on the same box) and thus there
is no enforcement of it. However, using SE-Linux it is possible to
enforce that even on current systems.
PINENTRY_USER_DATA was implemented to allow the use of a web interface
for Pinentry.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
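The screening of SETKEYDESC that Werner says gpg-agent may eventually do, sketched as an added Python example (this is not GnuPG code and not from the GPGTools thread): it decodes the Assuan percent-escaped argument of a SETKEYDESC line and applies a screening policy before the text would ever be handed on to pinentry. The command name and the Assuan percent-escaping (%XX for '%', CR and LF) are real; the screening policy, the sample lines, the key ID and all function names are assumptions constructed for the example.

```python
import re

# Constructed sample lines, as a client would send them to gpg-agent over
# the Assuan protocol. Assuan percent-escapes '%', CR and LF in line data,
# so a multi-line description arrives as one line with %0A in it.
SAMPLE_LINES = [
    "SETKEYDESC Please enter the passphrase to unlock the OpenPGP secret key:%0A"
    "%22Alice <alice at example.org>%22%0A4096-bit RSA key, ID 0123ABCD (constructed)",
    # A line that tries to smuggle terminal escape sequences into the prompt,
    # which is what an unscreened description over a remote socket allows.
    "SETKEYDESC Enter passphrase%0A%1B[2J%1B[HYour session has expired,"
    " re-enter your login password:",
]


def assuan_unescape(data):
    """Decode Assuan percent-escapes (%XX) back into the original characters."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), data)


# Everything below 0x20 except TAB and LF, plus DEL, is treated as a control
# character. ESC (0x1B) is the usual carrier of terminal escape sequences.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def screen_keydesc(text, max_len=512):
    """Hypothetical screening policy: allow printable text, tabs and newlines;
    reject control characters and overlong descriptions.
    Returns (ok, cleaned_text)."""
    if len(text) > max_len:
        return False, ""
    if CONTROL_CHARS.search(text):
        return False, ""
    return True, text


def handle_command(line):
    """Parse one Assuan command line as a screening gpg-agent would.
    Returns ('OK', description) or ('ERR', reason)."""
    cmd, _, arg = line.partition(" ")
    if cmd != "SETKEYDESC":
        return "ERR", "unknown command"
    ok, desc = screen_keydesc(assuan_unescape(arg))
    if not ok:
        return "ERR", "key description rejected"
    return "OK", desc


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        status, payload = handle_command(line)
        print(status, repr(payload))
```

The first sample decodes to an ordinary three-line prompt and is accepted; the second carries ESC bytes and is rejected before any text reaches the dialog. Screening at gpg-agent is the right layer for this because, as the mail notes, pinentry is conceptually only ever driven by gpg-agent, so gpg-agent is the last point that sees the untrusted client data.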