GnuPGv2 & 'pinentry' on Linux w/ remote access

Sander Smeenk ssmeenk at freshdot.net
Wed Mar 22 15:46:32 CET 2017


Hi,

I'm trying to make the big step from GnuPG v1 to v2, but I'm experiencing
agonizing pains caused by the forced use of "pinentry" by gpg-agent and
friends, or rather by the way the GPG_TTY stuff works?

I'm on Linux and I am not using Unity/Gnome/whatever, so I start X by
calling 'startx', and it invokes my .xsession, which has ...

| GPG_TTY=$(tty)
| export GPG_TTY
| eval $(gpg-agent --daemon)

... where ssh-agent used to be, just before starting the window manager.
Then I have this gpg-agent.conf:

| enable-ssh-support
| pinentry-program /usr/bin/pinentry-curses
| default-cache-ttl 300
| max-cache-ttl 999999

With this config, when I try to decrypt a GPG file, everything stalls,
and non-descriptive errors appear after I have stared at a blinking cursor
for quite some time.

So I learned that I could update GPG_TTY from my shellrc by doing...

| GPG_TTY=$(tty)
| export GPG_TTY
| gpg-connect-agent updatestartuptty /bye >/dev/null

... every time a new shell spawns. This kind of works;
at least the pinentry pops up in a terminal.

For GPG-related commands, the pinentry seems to pop up in the terminal
that is running the GPG-related command, but trying to use ssh randomly
pops the pinentry up in a terminal unrelated to the one where I am running ssh.
Probably the terminal that was started last?

Then, when I ^C the ssh command that is seemingly hanging because
a pinentry popped up in some other workspace's terminal, the pinentry
program on the unrelated terminal completely messes up said terminal,
sometimes resulting in *'s being displayed while typing, or letters
disappearing from the input altogether. In such situations it turns out
pinentry-curses was still running, even though my shell was also
interactive.

I can't fathom what I am doing wrong, but I must be doing something wrong.

Any tips?

And I haven't even started looking at "how can you use a gpg-agent that
is already running on a box that I am logging in to remotely" yet, sort of
what 'keychain' can do with ssh-agent.

Regards,
-Sndr.
-- 
| How can there be self-help "groups"?
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2
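An added example, not code from the post above or from GnuPG itself, showing one way to tame the behaviour described: gpg-agent draws pinentry-curses on the terminal most recently registered with updatestartuptty, and the ssh-agent protocol carries no terminal information, so for ssh the agent has no better choice than that "startup tty". The wrapper below re-registers the calling terminal right before each ssh invocation, refuses to export a bogus GPG_TTY when `tty` does not return a device, and uses gpgconf to locate the agent's ssh socket and to restart the agent after a stray pinentry has wrecked a terminal. It assumes GnuPG 2.1 or later (gpgconf and gpg-connect-agent on PATH) and that the file is sourced from an interactive shell rc such as ~/.bashrc; the function names are this example's own.

```shell
#!/bin/sh
# Added example for the GPG_TTY / pinentry-curses problem discussed above.
# Not code from the post or from GnuPG.  Assumes GnuPG >= 2.1 (gpgconf,
# gpg-connect-agent) and that this file is sourced from ~/.bashrc or similar.
# Function names are hypothetical, chosen for this example.

# Accept only a real terminal device path.  When stdin is not a terminal
# (cron, pipes), `tty` prints "not a tty"; exporting that string as GPG_TTY
# is worse than exporting nothing, so callers check with this first.
gpg_valid_tty() {
    case "$1" in
        /dev/tty*|/dev/pts/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Register the calling terminal as gpg-agent's "startup tty".  The agent
# draws pinentry-curses on the terminal registered most recently, so this
# has to run in the shell that will need the prompt.  The tty seen by an
# .xsession started from startx is not any of the terminal emulators opened
# later, which is why a GPG_TTY set there produces an invisible prompt.
gpg_refresh_tty() {
    t=$(tty 2>/dev/null) || return 1
    gpg_valid_tty "$t" || return 1
    GPG_TTY=$t
    export GPG_TTY
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
    fi
    return 0
}

# The ssh-agent protocol has no way to tell gpg-agent which terminal ssh is
# running in, so re-register the tty immediately before every ssh call
# instead of relying on whichever shell ran updatestartuptty last.
ssh() {
    gpg_refresh_tty
    command ssh "$@"
}

# Point ssh at gpg-agent's ssh socket (requires enable-ssh-support in
# gpg-agent.conf).  gpgconf starts the agent on demand, so the
# `eval $(gpg-agent --daemon)` line in .xsession is not needed with 2.1+.
# Because the socket path is fixed per user, the same call works in a
# remote login shell on a box where the agent is already running.
gpg_export_ssh_sock() {
    command -v gpgconf >/dev/null 2>&1 || return 1
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    export SSH_AUTH_SOCK
    gpgconf --launch gpg-agent
}

# Recovery after a ^C left pinentry-curses running on some other terminal:
# restart the agent, then restore the line settings pinentry changed in the
# terminal where this is typed (the cause of the "*" echo and lost letters).
gpg_agent_reset() {
    command -v gpgconf >/dev/null 2>&1 || return 1
    gpgconf --kill gpg-agent
    gpgconf --launch gpg-agent
    stty sane 2>/dev/null
}
```

Source the file from the shell rc, call gpg_export_ssh_sock once per login, and drop both the gpg-agent --daemon line from .xsession and the per-shell updatestartuptty call; the ssh wrapper performs the registration at the one moment it matters. If a terminal is already garbled, run gpg_agent_reset there.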
