changing the user PIN for a smartcard in a script

Florin Andrei florin at
Wed Oct 29 22:29:07 CET 2014

I'm programming the smartcards on a bunch of YubiKey NEO tokens. Before 
I give the token to the user, I would like to allow them to pick a new 
user PIN and set it. I don't need to know their PIN and I actually don't 
*want* to know it.

Ideally, I would run a script, have the user type in the new PIN, and 
the script would run "gpg --change-pin", do another thing with the PIN 
string after that, then discard it.

The problem, of course, is that pinentry is launched. Now the user has 
to type the PIN several times. It's cumbersome and error-prone.

I've learned how to disable the pinentry GUI...


...but that's not much better. I tried to write an Expect script with 
autoexpect, but curses makes a mess of the Expect code.

I don't want to send the PIN to the clipboard and retrieve it with 
CTRL-V, as that's not a good place for it to be, even temporarily.

Any ideas?

Florin Andrei

More information about the Gnupg-users mailing list