Configuration hints for using gnupg (2.0.x) interchangeably with graphical frontend and in the terminal

Bjoern Kahl mls at bjoern-kahl.de
Wed Jun 1 21:36:03 CEST 2016


 Dear All,

 I am looking for hints or best practices to seamlessly mix use of
 GnuPG in the terminal and with frontends, in my case Enigmail in
 Thunderbird.

 I am on MacOS X (10.9.5 "Mavericks") with GnuPG installed through
 MacPorts as my main machine and also quite often logged into other
 Macs and other Linux boxes using SSH, coming from that main Mac.


 Problem:

 I quite often use gpg through Enigmail and also regularly use it in
 the terminal or when remotely logged into a box using ssh.

 Currently, whenever Enigmail needs a passphrase, it throws up a popup
 window (actually, it runs gpg, which runs the agent, which runs
 pinentry-mac, which throws up the window) _somewhere_: sometimes on
 the screen I am looking at, sometimes on another physical screen,
 sometimes hidden behind other windows, sometimes in the front.

 When using gpg in the terminal originally the same happened: Some
 random window popping up at some random spot on some random monitor.

 Even worse, when logging in through SSH, it throw up a pin entry
 window on the locked graphical session idling on the remote machine
 instead of in the terminal I am working in.


 Partial solution tried:

 I created a second gpg-agent.conf named "gpg-agent-term.conf" and
 configured the first to run pinentry-mac and the latter to run
 pinentry-curses.

 _Usually_ Enigmail/Thunderbird picks the first one and pops up its
 passphrase dialogue on one of my physical screens (I have no idea how
 it decides which one).

 If (and only if) I remember to explicitly start an agent with the
 second configuration, then gpg running in the terminal ask for my
 passphrase in that terminal.  But *only* in that terminal.  If I run
 gpg in another terminal, I either get the pinentry-mac (i.e. I forgot
 to set GPG_AGENT_INFO to the running "terminal-config" agent), or it
 asks me in that other terminal.  On an average day, I have about 10
 shell running in parallel, partly in terminal windows, partly in
 "screen" sessions in a single terminal window.  Searching through
 all my shells where the passphrase dialogue appeared is annoying.

 However, when I start an agent with the second configuration, before
 starting Thunderbird, then Enigmail ask me for a passphrase in the
 terminal where I started that agent.


 Questions:

 How can I configure gpg and the agent such that:

 - Whenever I run gpg in a terminal, it will ask me for my passphrase
   in exactly that terminal where I am interacting with it and expect
   the prompt?  I.e. on that TTY that is the controlling TTY of the
   gpg process I am interacting with?

 - Is there a way to have a single agent (with a single config file,
   so I can start it at first login and have it available in all
   terminals/shells and programs (e.g. Thunderbird) started from there)
   but still a graphical passphrase in programs which (no longer) have
   StdIn connected to a terminal or don't have a controlling TTY; and
   have a plain prompt in the terminal for programs that run in a
   terminal?


 I seriously doubt that there is any way to get back the just perfect
 behaviour of the old GnuPG 1.x where Enigmail would show a blocking
 dialogue attached to exactly that Thunderbird window where I was
 signing or decrypting a message.  But I hope there is at least a way
 to get the terminal version to prompt for the passphrase in the one
 spot where it makes sense: the TTY it is running in.


 Sorry for the long mail, and thanks for reading all this.  I tried to
 be precise on what my problem is and failed to be concise in the same
 time.


 Best regards

    Björn

-- 
|     Bjoern Kahl   +++   Siegburg   +++    Germany     |
|     "mls at -my-domain-"   +++    www.bjoern-kahl.de     |
| Languages: German, English, Ancient Latin (a bit :-)) |



More information about the Gnupg-users mailing list