pinentry-mac is unsafe

Carlos

09 Oct, 2023 10:53 PM

Which of our tools is giving you problems?

pinentry-mac

Attach a screenshot of the version info for all installed components (how to: https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...):

pinentry-mac --version
pinentry-mac (pinentry) 1.1.1
Copyright (C) 2016 g10 Code GmbH

Describe your problem. Add as much detail as possible.

When I enter a passphrase for the first time it's added to my login keychain with pinentry-mac under "Always allow access by these applications", so it circumvents my gpg-agent ttl settings, in practice there is an infinite ttl even though I have configured ttl = 0.

I've been running it like this for weeks without taking notice. Any rogue app in my local setup may have run pass or ssh with disastrous results.

What did you expect instead

Not to silently ignore my ttls by giving itself free access to my keys.

Describe steps leading to the problem.

Set pinentry-program to pinentry-mac, max-cache-ttl to 0, reload gpg-agent, create a new key or subkey or use an existent key that's not in the login keychain, then inspect the key that was added to the keychain, context menu -> get info -> access control.

Are you using any other Mail.app plugins?

No.
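An audit script for the configuration described in this report. It is an added example, not code from the thread or from GPGTools: it parses a gpg-agent.conf and flags pinentry-mac as the pinentry program (the case where a login-keychain entry with pinentry-mac under "Always allow access" makes max-cache-ttl irrelevant), and on macOS checks whether any such keychain entries exist. The keychain service name "GnuPG" is an assumption about how pinentry-mac labels its entries.

```shell
#!/bin/sh
# Added audit script (not from the thread or from GPGTools).

# audit_gpg_agent_conf CONFIG_TEXT
# Prints a one-line summary; returns 1 when pinentry-mac is the configured
# pinentry program, because a keychain entry with an "always allow" ACL would
# then override whatever max-cache-ttl says.
audit_gpg_agent_conf() {
    conf="$1"
    pinentry_mac=no
    ttl=unset
    while IFS= read -r line; do
        case "$line" in \#*|'') continue ;; esac   # skip comments and blanks
        set -- $line                                 # split "directive value"
        case "$1" in
            pinentry-program) case "$2" in *pinentry-mac*) pinentry_mac=yes ;; esac ;;
            max-cache-ttl)    ttl="$2" ;;
        esac
    done <<EOF
$conf
EOF
    if [ "$pinentry_mac" = yes ]; then
        echo "pinentry-mac=yes max-cache-ttl=$ttl status=KEYCHAIN_ACL_CAN_OVERRIDE_TTL"
        return 1
    fi
    echo "pinentry-mac=no max-cache-ttl=$ttl status=OK"
    return 0
}

# On macOS, report whether pinentry-mac has stored passphrases in the login
# keychain. Service name "GnuPG" is an assumption; confirm it in Keychain Access.
# Each hit should be opened (Get Info -> Access Control) and pinentry-mac
# removed from the "Always allow" list, as the thread's steps describe.
check_login_keychain() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found: not macOS, keychain check skipped"
        return 0
    fi
    if security find-generic-password -s GnuPG >/dev/null 2>&1; then
        echo "GnuPG entries exist in the keychain: review their Access Control"
        return 1
    fi
    echo "no GnuPG keychain entries found"
    return 0
}

# Constructed sample matching the configuration in the report.
SAMPLE_CONF='pinentry-program /usr/local/bin/pinentry-mac
max-cache-ttl 0'

audit_gpg_agent_conf "$SAMPLE_CONF"
check_login_keychain
```

To audit a real setup, call `audit_gpg_agent_conf "$(cat ~/.gnupg/gpg-agent.conf)"` instead of the constructed sample.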

  1. Support Staff 1 Posted by Steve on 10 Oct, 2023 10:07 PM

    Hi Carlos,

    welcome to the GPGTools support platform. Sorry that GPG Suite is causing problems for you.

    Please see this KB-article on how to manage passwords for your keys.

    If you press the "Delete…" button to flush stored OpenPGP passwords from macOS keychain, then untick the option to store in keychain and repeat your steps, does the issue persist?

    Best,
    Steve

  2. 2 Posted by Carlos on 10 Oct, 2023 10:34 PM

    Hi Steve, thank you for answering.

    If you press the "Delete…" button to flush stored OpenPGP

    Yes, starting from scratch the same happens. There are only two cases: either the password is added to the keychain AND pinentry-mac is registered as "always accept", or the password is not added to the keychain at all.

    IMO the options should be:
    - do nothing
    - add to the keychain (and from now on just ask the keychain passphrase)
    - never ask me again

  3. Support Staff 3 Posted by Steve on 11 Oct, 2023 10:07 PM

    Hi Carlos,

    we have created an issue for this problem and I connected this discussion with the existing issue. Should this discussion get closed, it will be re-opened as soon as the issue is closed. That way you stay in the loop and will receive info as soon as we have news.

    To get to the state I think you are looking to use, please open the keychain access entry, open the Access Control tab and remove the pinentry-mac entry from the list.

    Best,
    Steve

  4. 4 Posted by Carlos on 11 Oct, 2023 10:13 PM

    Hi Steve, thank you for your answer.

    please open the keychain access entry, open the Access Control tab and remove the pinentry-mac

    Yes, this is what I'm doing right now, but it's easy to forget and you have to know that in the first place (I realised a bit too late!).

    Best regards,
    Carlos

  5. Support Staff 5 Posted by Steve on 11 Oct, 2023 10:18 PM

    Glad this works. And thank you for bringing this to our attention. Our focus currently is on Sonoma but we will discuss this internally.

    When you write you realised this too late, can you elaborate what has happened?

    If you want, I can switch this discussion to private or we can keep this public (which is the current state).

  6. 6 Posted by Carlos on 11 Oct, 2023 10:31 PM

    When you write you realised this too late, can you elaborate what has happened?

    Sorry, I didn't want to imply that something actually happened, just that it had been going like that for weeks. Hopefully there was no leakage of data, but I can't say it for sure. The thing is that any extension, package or app that was running on my computer could have decrypted some secrets just like that.

  7. Support Staff 7 Posted by Steve on 11 Oct, 2023 10:33 PM

    Understood, thanks for elaborating.

  8. Steve closed this discussion on 11 Oct, 2023 10:33 PM.
