Integrate pinentry-mac into pinentry

Hans-Christoph Steiner hans at
Wed Feb 25 15:28:09 CET 2015

Werner Koch:
> On Sun, 22 Feb 2015 16:13, patrick at said:
>> That's a _very_ good idea!
> Seconded.
>> I'd say that this should be OK. Automake should probably simply be
>> able to determine that it's compiling for OS X and then use the XCode
>> project.
> Nope.  That is a bad idea.  The build system is based on standard
> Makefiles generated via automake and autoconf and I am strongly against
> any other build systems.  We have this discussion every few years
> related to Windows and I do not want to repeat this.  It is important to
> be able to cross-build everything using a free (and audit-able) platform.
> From my understanding Xcode is a non-text proprietary thing like Visual
> Studio projects for Windows.
> If there is a sound reason why _autoconf_ can't work on that platform, a
> dedicated config file might be acceptable (cf. the VMS port).  But for a
> BSD based OS I can't see a compelling reason.
>>> 4. pinentry-mac allows the calling app to define a custom message 
>>> to show. This is implemented using PINENTRY_USER_DATA. We allow 
>>> placeholders like %KEYID and %USERID. To fill the placeholders, we
>>>  parse the description from pinentry. This works in most
>>> cases. The reason for this feature is to allow some more
>>> informative and readable messages, e.g. we can tell the user for
>>> which email/file he enters the passphrase. What do you think about
>>> that? Is this a desirable feature for pinentry?
>> I think this is a desirable feature of pinentry in general. Other
>> tools could profit from it as well.
> This violates the security barrier of gpg-agent.  Any application could
> trick a user into doing things he does not want.  For keys controlled by
> gpg-agent the shown key identification should come from gpg-agent
> without any user overridable string.
> It is a different thing to allow additional information to be displayed.
> If there is a need for it, it can be added but it should be specified in
> the gpg-agent/pinentry protocol.

I'm not sure this provides any real protection, and it does make for a worse
UI, which generally translates into worse security.  A malicious app could
just make a custom pinentry app that looks however it wants, and basically
make a phishing interface that also interacts with gpg-agent.  If you don't
trust your locally installed apps, there is not much you can do about it in
the software.


PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
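
The following sketch is an added example, not code from this thread, pinentry or pinentry-mac. It illustrates the split discussed above: key identification is taken only from the description supplied by gpg-agent and shown in its own area, while caller text with %KEYID/%USERID placeholders is treated as additional, clearly attributed information. The description wording, the function names and the length limit are assumptions made for the example.

```python
import re

# Constructed sample of a description string handed to pinentry by gpg-agent.
# The exact wording is an assumption for this example.
AGENT_DESC = (
    'Please enter the passphrase to unlock the secret key:\n'
    '"Alice Example <alice@example.org>"\n'
    '2048-bit RSA key, ID 0123ABCD, created 2015-01-01'
)

MAX_CALLER_TEXT = 200  # hypothetical cap on caller-supplied text


def parse_agent_desc(desc):
    """Extract user ID and key ID from the agent's description, or None."""
    uid = re.search(r'"([^"\n]+)"', desc)
    kid = re.search(r'\bID ([0-9A-Fa-f]{8,16})\b', desc)
    if not (uid and kid):
        return None
    return {"%USERID": uid.group(1), "%KEYID": kid.group(1).upper()}


def render_prompt(agent_desc, caller_template):
    """Return (trusted_lines, caller_line) meant for separate display areas."""
    fields = parse_agent_desc(agent_desc)
    if fields is None:
        # Parsing failed: show the agent text verbatim and drop the caller text.
        return agent_desc.splitlines(), None
    # Trusted area: built only from agent-supplied values.
    trusted = [f"Key: {fields['%KEYID']}", f"User: {fields['%USERID']}"]
    # Caller text: printable characters only (no newlines), length-capped.
    text = "".join(c for c in caller_template if c.isprintable())
    text = text[:MAX_CALLER_TEXT]
    # Single-pass substitution, so substituted values are never re-expanded.
    text = re.sub(r"%(?:KEYID|USERID)", lambda m: fields[m.group(0)], text)
    return trusted, f"Application says: {text}"


if __name__ == "__main__":
    lines, extra = render_prompt(AGENT_DESC, "Decrypting report.pdf for %USERID")
    print("\n".join(lines))
    print(extra)
```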
