I wrote a pinentry dispatcher; is it a sane thing to do/use?

Olivier Mehani shtrom at ssji.net
Wed Aug 16 13:56:09 CEST 2017

Hi list,

# Context

I connect to an OS X machine either locally or via SSH.

When local, I use pinentry-mac and forward my SSH agent to gpg-agent.

When remote, I use $SSH_AUTH_SOCK from the forwarded connection (I'm
also trying to forward the gpg-agent socket, but it doesn't work
reliably due to leftover sockets, so let's ignore that for now).

# Problem

I can't interact with pinentry-mac when connecting over SSH, so
I'd like to fallback to pinentry(-curses).

Potential solution: I just banged out this script, which I am thinking
about using as `pinentry-program /PATH/TO/HOME/bin/pinentry-dispatch`

	#!/bin/sh -x
	GPG_SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"


	case "${UNAME}" in
			case "${SSH_AUTH_SOCK}" in
					exec "${PINENTRY_MAC}"
					exec "${PINENTRY_BREW}"
			exec "${PINENTRY}"

This way, I could just `gpg-connect-agent 'killagent' /bye` from my SSH
session, and next time the agent spawns, it would fallback to the non-mac

# Question

Is it sane?

My money is on “not very”, but I'd like a more educated discussion.

One of the issues I can see is that the script is in my HOME, which
could be more easily compromised than the rest of the system, and the
script trivially replaced by something that captures the data (but then
again, my gpg-agent.conf could also be overwritten).

Can you see any other issue with (or the idea of using such a dispatcher
to start with)?

(Please CC me on replies, as I only sporadically check the list through

Olivier Mehani <shtrom at ssji.net>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.

More information about the Gnupg-users mailing list