(pre)cache password rather than use allow-loopback-pinentry

Dirk-Willem van Gulik dirkx at webweaving.org
Thu Jul 20 20:04:48 CEST 2017

With gpg2; it seems that as soon as you cat a batch.command sequence in - one can no longer use a pure terminal style TTY approach to having the agent fetch your password (gpg: signing failed: Inappropriate ioctl for device, gpg: make_keysig_packet failed: Inappropriate ioctl for device) as soon as the TTY is used for the patch file.

Instead on 2.1.15 one has to use allow-loopback-pinentry in the gpg-agent.conf to make constructs such as:

	cat batch.commands | gpg2 --no-tty —batch —passphrase-XX XX --command-fd 0 --pinentry-mode loopback  …

possible to make this work.  And that works fine.

Now obviously that leaves the tasks of getting the password to something to put it in file, filedescriptor or cmd-arg. Which is not ideal. As gpg-agent and pineentry are made for that.

So - is there any way to allow a (for the occasionally specially started gpg-agent) to ask and pre-cache the password ?

And then let the batch.commands (which does a complex dance of subkey renewal and some chip card shuffling) run against that ?

Or to somehow use a pure TTY based pinentry in such a setting (it is an off line machine with barely more than a serial connection).

Insights much appreciated !


More information about the Gnupg-users mailing list