(pre)cache password rather than use allow-loopback-pinentry
Dirk-Willem van Gulik
dirkx at webweaving.org
Thu Jul 20 20:04:48 CEST 2017
With gpg2, it seems that as soon as you cat a batch.command sequence in, one can no longer use a pure terminal-style TTY approach to having the agent fetch your password (gpg: signing failed: Inappropriate ioctl for device; gpg: make_keysig_packet failed: Inappropriate ioctl for device) as soon as the TTY is used for the batch file.
Instead, on 2.1.15 one has to use allow-loopback-pinentry in gpg-agent.conf to make constructs such as:
cat batch.commands | gpg2 --no-tty --batch --passphrase-XX XX --command-fd 0 --pinentry-mode loopback …
possible. And that works fine.
Now obviously that leaves the task of getting the password into a file, file descriptor or command-line argument, which is not ideal, as gpg-agent and pinentry are made for that.
So, is there any way to allow a (specially started, for the occasion) gpg-agent to ask for and pre-cache the password?
And then let the batch.commands (which does a complex dance of subkey renewal and some chip card shuffling) run against that?
Or to somehow use a pure TTY-based pinentry in such a setting (it is an offline machine with barely more than a serial connection).
Insights much appreciated!
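As an added example, not from the original post and not from the GnuPG project's own documentation: a gpg-agent.conf fragment for the setup described in the message above. The allow-loopback-pinentry line is the one the post names; the pinentry-program path and the cache TTL values are assumptions for illustration and should be checked against the local install.

```conf
# ~/.gnupg/gpg-agent.conf  (added example; not from the post above)

# Named in the post: let gpg drive the passphrase exchange itself
# (--pinentry-mode loopback). A batch run whose stdin is taken by
# --command-fd 0 can then supply the passphrase via --passphrase-fd
# or --passphrase-file instead of through a pinentry on the TTY.
allow-loopback-pinentry

# Assumption for the serial-console case: select the plain-TTY pinentry
# rather than a graphical or curses one. Path is illustrative.
pinentry-program /usr/bin/pinentry-tty

# Assumptions: how long (in seconds) an interactively entered passphrase
# stays in the agent cache, so a run started shortly afterwards can reuse it.
default-cache-ttl 600
max-cache-ttl 1800
```

A running agent does not re-read this file on its own; `gpg-connect-agent reloadagent /bye` (or `gpgconf --reload gpg-agent`) makes it pick up the change. With --pinentry-mode loopback the passphrase is read from whatever file descriptor or file the gpg2 invocation names, so that source should be as short-lived and tightly permissioned as the secret it carries.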