Avoid pinentry-gtk-2 when using console!

Roger rogerx at sdf.lonestar.org
Tue Jun 2 22:43:01 CEST 2009

On Tue, 2009-06-02 at 12:31 +0200, Werner Koch wrote:
> On Sun, 31 May 2009 07:49, rogerx at sdf.lonestar.org said:
> > if {environmental variable is set to console/gtk/qt3}
> >   use the specified pinentry flavor
> You can easily implement this with a little pinentry wrapper script and
> using the PINENTRY_USER_DATA envvar which is passed all the way from gpg
> to Pinentry.

Again, still sounds like a hack as (I could have done this here).  It's
the reason for posting this issue to this list (since others have the
same issue on the Internet).

> > I'm guessing, the current solution is to assume the user is a dumb X
> > user. ;-)
> Definitely not.  Pinentry pops up and grabs the keyboard for good
> reasons: This makes it much harder to present a faked Pinentry prompt and
> sniff the Passphrase entered by the user.  The curses version can't do
> that and thus the default is to use an X window if XDISPLAY is set.  If
> you fear faked popup windows you may modify pinentry to show a custom
> image.

Think it's paranoia unless one is on a public network or is being
aggressively sought after all the time.  If this is an issue, it sounds
more sensible for the administrator to use a compile time flag
(or .gnupg/option statement or environmental variable) which seeks to
make gpg/pinentry usage stricter.

Of course, then you run into a problem with users having access to their
$HOME/.gnupg option versus an /etc/gnupg file preventing writing for
enabling such a feature.  Hence, a compile time option being better.

> I am using gpg-agent for many years now and do almost all my work in
> xterms and Emacs.  It does not bother me if Pinentry pops up due to
> background jobs every hour or so.

This is what drove me up the wall with Evolution.  Granted, it enhances
security if you're always entering the pin, but quickly hinders if a
user rarely uses gpg/pgp.

(Granted, I find X useful and still strongly prefer the console.
Just don't try forcing the X windows down my throat like Windows
does. ;-)

In summary -- from info gathered from this thread -- there is no coded
solution besides hacking the current files with a script that will
permit the user to use the terminal /usr/bin/pinentry
or /usr/bin/pinentry-curses while within X. (Except unsetting the X
display variable which then would cause all X apps to fail when
starting from the terminal.)
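
The wrapper approach discussed in this thread, as an added example that is not part of the original messages or of GnuPG/Pinentry itself. The wrapper name `pinentry-wrapper`, its install path, the `/usr/bin/pinentry-gtk-2` and `/usr/bin/pinentry-qt` paths, and reading the display from the wrapper's own `DISPLAY` are assumptions; the `console`/`gtk`/`qt3` values follow the pseudocode quoted above.

```shell
#!/bin/sh
# Added example: pinentry wrapper that picks a flavor from PINENTRY_USER_DATA.
# Enable it in ~/.gnupg/gpg-agent.conf (install path is an assumption):
#   pinentry-program /usr/local/bin/pinentry-wrapper
# Then, from a terminal inside X:
#   export GPG_TTY=$(tty)                      # the curses flavor needs a tty
#   PINENTRY_USER_DATA=console gpg --sign file
# Binary paths are assumptions; adjust them to your distribution.
PINENTRY_CURSES=/usr/bin/pinentry-curses
PINENTRY_GTK=/usr/bin/pinentry-gtk-2
PINENTRY_QT=/usr/bin/pinentry-qt

# select_pinentry USER_DATA DISPLAY -> prints the pinentry binary to run.
# USER_DATA is only compared against a fixed list and is never executed,
# so a manipulated environment cannot point the agent at another program.
select_pinentry() {
    choice=$1
    case "$choice" in
        console|gtk|qt3) ;;
        # Unset or unrecognized value: keep the stock behaviour, i.e. the
        # keyboard-grabbing X dialog that is harder to imitate.
        *) choice=gtk ;;
    esac
    # A graphical flavor cannot work without a display; fall back to curses.
    [ -n "$2" ] || choice=console
    case "$choice" in
        console) echo "$PINENTRY_CURSES" ;;
        gtk)     echo "$PINENTRY_GTK" ;;
        qt3)     echo "$PINENTRY_QT" ;;
    esac
}

# Dispatch only when running under the assumed wrapper name, so the file can
# also be sourced to exercise select_pinentry on its own.
# DISPLAY here is whatever the wrapper inherits (assumption).
case "${0##*/}" in
    pinentry-wrapper)
        exec "$(select_pinentry "${PINENTRY_USER_DATA:-}" "${DISPLAY:-}")" "$@"
        ;;
esac
```

Choosing `console` gives up the keyboard grab described above, so the wrapper makes that an explicit per-invocation choice and leaves the default untouched.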