Configuration hints for using gnupg (2.0.x) interchangeably with graphical frontend and in the terminal
mls at bjoern-kahl.de
Wed Jun 1 21:36:03 CEST 2016
I am looking for hints or best practices to seamlessly mix use of
GnuPG in the terminal and with frontends, in my case Enigmail in
I am on MacOS X (10.9.5 "Mavericks") with GnuPG installed through
MacPorts as my main machine and also quite often logged into other
Macs and other Linux boxes using SSH, coming from that main Mac.
I quite often use gpg through Enigmail and also regularly use it in
the terminal or when remotely logged into a box using ssh.
Currently, whenever Enigmail needs a passphrase, it throws up a popup
window (actually, it runs gpg, which runs the agent, which runs
pinentry-mac, which throws up the window) _somewhere_: sometimes on
the screen I am looking at, sometimes on another physical screen,
sometimes hidden behind other windows, sometimes in the front.
When using gpg in the terminal, originally the same happened: some
random window popping up at some random spot on some random monitor.
Even worse, when logging in through SSH, it threw up a pin entry
window on the locked graphical session idling on the remote machine
instead of in the terminal I am working in.
Partial solution tried:
I created a second gpg-agent.conf named "gpg-agent-term.conf" and
configured the first to run pinentry-mac and the latter to run
_Usually_ Enigmail/Thunderbird picks the first one and pops up its
passphrase dialogue on one of my physical screens (I have no idea how
it decides which one).
If (and only if) I remember to explicitly start an agent with the
second configuration, then gpg running in the terminal asks for my
passphrase in that terminal. But *only* in that terminal. If I run
gpg in another terminal, I either get the pinentry-mac (i.e. I forgot
to set GPG_AGENT_INFO to the running "terminal-config" agent), or it
asks me in that other terminal. On an average day, I have about 10
shells running in parallel, partly in terminal windows, partly in
"screen" sessions in a single terminal window. Searching through
all my shells where the passphrase dialogue appeared is annoying.
However, when I start an agent with the second configuration, before
starting Thunderbird, then Enigmail asks me for a passphrase in the
terminal where I started that agent.
How can I configure gpg and the agent such that:
- Whenever I run gpg in a terminal, it will ask me for my passphrase
in exactly that terminal where I am interacting with it and expect
the prompt? I.e. on that TTY that is the controlling TTY of the
gpg process I am interacting with?
- Is there a way to have a single agent (with a single config file,
so I can start it at first login and have it available in all
terminals/shells and programs (e.g. Thunderbird) started from there)
but still a graphical passphrase in programs which (no longer) have
StdIn connected to a terminal or don't have a controlling TTY; and
have a plain prompt in the terminal for programs that run in a
I seriously doubt that there is any way to get back the just perfect
behaviour of the old GnuPG 1.x where Enigmail would show a blocking
dialogue attached to exactly that Thunderbird window where I was
signing or decrypting a message. But I hope there is at least a way
to get the terminal version to prompt for the passphrase in the one
spot where it makes sense: the TTY it is running in.
Sorry for the long mail, and thanks for reading all this. I tried to
be precise on what my problem is and failed to be concise in the same
| Bjoern Kahl +++ Siegburg +++ Germany |
| "mls at -my-domain-" +++ www.bjoern-kahl.de |
| Languages: German, English, Ancient Latin (a bit :-)) |
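As an added illustration (not part of this post, and not a script shipped with GnuPG, Enigmail or MacPorts) of one way the gpg -> agent -> pinentry chain described above can pick the prompt location per invocation rather than per agent: gpg-agent starts whatever `pinentry-program` is configured and passes it, among other options, `--ttyname <path>` naming the client's terminal (gpg takes that value from `GPG_TTY`, which is why terminal users export it). A small dispatcher installed as the pinentry-program can therefore run a curses pinentry when a writable TTY is named and a graphical one otherwise, so a single agent and a single gpg-agent.conf serve both kinds of client. The install paths, the script name `pinentry-dispatch` and the environment variable names `TERM_PINENTRY` and `GUI_PINENTRY` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: a pinentry dispatcher that lets one
# gpg-agent serve terminal and GUI clients. gpg-agent passes the client's TTY to
# pinentry as "--ttyname <path>" (gpg fills it from GPG_TTY); a GUI client such
# as Enigmail normally names no usable TTY, so the graphical pinentry is used.
# The paths below are assumed (MacPorts-style layout); override via environment.
TERM_PINENTRY="${TERM_PINENTRY:-/opt/local/bin/pinentry-curses}"
GUI_PINENTRY="${GUI_PINENTRY:-/opt/local/bin/pinentry-mac}"

# Print the value following --ttyname in the argument list; return 1 if absent.
ttyname_arg() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --ttyname)   [ $# -gt 1 ] && printf '%s\n' "$2"; return 0 ;;
            --ttyname=*) printf '%s\n' "${1#--ttyname=}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Decide which pinentry to run: the terminal one if a TTY was named and this
# process can write to it, the graphical one otherwise. Kept free of side
# effects so the decision can be exercised on its own.
choose_pinentry() {
    tty=$(ttyname_arg "$@") || tty=""
    if [ -n "$tty" ] && [ -w "$tty" ]; then
        printf '%s\n' "$TERM_PINENTRY"
    else
        printf '%s\n' "$GUI_PINENTRY"
    fi
}

# Only dispatch when installed under the assumed name pinentry-dispatch (set
# "pinentry-program /path/to/pinentry-dispatch" in gpg-agent.conf). exec hands
# the agent's original arguments through, so the Assuan dialogue on stdin/stdout
# goes straight to the real pinentry.
case "$0" in
    */pinentry-dispatch|pinentry-dispatch)
        exec "$(choose_pinentry "$@")" "$@" ;;
esac
```

To use it: save the file as `pinentry-dispatch`, make it executable, point `pinentry-program` in the single gpg-agent.conf at it, and put `export GPG_TTY=$(tty)` in the shell startup file so every terminal gpg names its own TTY. One caveat that matches the behaviour observed in the post: a GUI program launched from a shell inherits that shell's `GPG_TTY`, and gpg will then name that terminal, so GUI applications should be started without `GPG_TTY` in their environment (or with it unset) if the prompt is to stay graphical.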