pinentry-mac is unsafe
Which of our tools is giving you problems?
pinentry-mac
Attach a screenshot of the version info for all installed components (how to: https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...):
pinentry-mac --version
pinentry-mac (pinentry) 1.1.1
Copyright (C) 2016 g10 Code GmbH
Describe your problem. Add as much detail as possible.
When I enter a passphrase for the first time it's added to my login keychain with pinentry-mac under "Always allow access by these applications", so it circumvents my gpg-agent ttl settings; in practice there is an infinite ttl even though I have configured ttl = 0.
I've been running it like this for weeks without taking notice. Any rogue app in my local setup may have run pass or ssh with disastrous results.
What did you expect instead
Not to silently ignore my ttls by giving itself free access to my keys.
Describe steps leading to the problem.
Set pinentry-program to pinentry-mac, max-cache-ttl to 0, reload gpg-agent, create a new key or subkey or use an existing key that's not in the login keychain, then inspect the key that was added to the keychain, context menu -> get info -> access control.
Are you using any other Mail.app plugins?
No.
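As an added defender's check for the behaviour described in this report (example code, not from the thread or from GPGTools), the script below emits the gpg-agent.conf lines from the reproduction steps and audits a keychain dump for GnuPG items that grant pinentry-mac prompt-free access. It assumes pinentry-mac lives at /usr/local/bin/pinentry-mac and that pinentry-mac's keychain items carry the service name "GnuPG" in `security dump-keychain -a` output; the sample layout used in the comments is constructed, not a real dump.

```shell
# Added example, not code from the thread or from GPGTools. Assumptions:
# pinentry-mac is at /usr/local/bin/pinentry-mac and its keychain items show
# the service name "GnuPG" in `security dump-keychain -a` output (constructed
# layout, not a real dump).

# Emit the gpg-agent.conf lines used in the report: pinentry-mac as the pinentry
# and a zero cache TTL (default-cache-ttl added so both caches are disabled).
agent_conf() {
    printf 'pinentry-program %s\nmax-cache-ttl 0\ndefault-cache-ttl 0\n' \
        "${1:-/usr/local/bin/pinentry-mac}"
}

# Read a keychain dump on stdin and print the account (keygrip) of every GnuPG
# item whose access-control list names pinentry-mac. Such an item hands the
# passphrase to pinentry-mac without a keychain prompt, so the agent's TTL no
# longer limits anything. Exit status is 1 when at least one item is found.
# Usage on a Mac:
#   security dump-keychain -a ~/Library/Keychains/login.keychain-db | find_unlocked_gnupg_items
find_unlocked_gnupg_items() {
    awk '
        function report() {
            if (svc ~ /GnuPG/ && hit) { print acct; found = 1 }
        }
        # each item starts with a "keychain:" line; report the previous one
        /^keychain:/ { report(); svc = ""; acct = ""; hit = 0; inacl = 0 }
        /"svce"<blob>=/ { svc = $0 }
        /"acct"<blob>=/ { acct = $0; sub(/.*="/, "", acct); sub(/"$/, "", acct) }
        /^access:/ { inacl = 1 }
        inacl && /pinentry-mac/ { hit = 1 }
        END { report(); exit found ? 1 : 0 }
    '
}
```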
Support Staff 1 Posted by Steve on 10 Oct, 2023 10:07 PM
Hi Carlos,
welcome to the GPGTools support platform. Sorry that GPG Suite is causing problems for you.
Please see this KB-article on how to manage passwords for your keys.
If you press the "Delete…" button to flush stored OpenPGP passwords from macOS keychain, then untick the option to store in keychain and repeat your steps, does the issue persist?
Best,
Steve
2 Posted by Carlos on 10 Oct, 2023 10:34 PM
Hi Steve, thank you for answering.
Yes, starting from scratch the same happens. There are only two cases: either the password is added to the keychain AND pinentry-mac is registered as "always accept", or the password is not added to the keychain at all.
IMO the options should be:
- do nothing
- add to the keychain (and from now on just ask the keychain passphrase)
- never ask me again
Support Staff 3 Posted by Steve on 11 Oct, 2023 10:07 PM
Hi Carlos,
we have created an issue for this problem and I connected this discussion with the existing issue. Should this discussion get closed, it will be re-opened as soon as the issue is closed. That way you stay in the loop and will receive info as soon as we have news.
To get to the state I think you are looking to use, please open the keychain access entry, open the Access Control tab and remove the pinentry-mac entry from the list.
Best,
Steve
4 Posted by Carlos on 11 Oct, 2023 10:13 PM
Hi Steve, thank you for your answer.
Yes, this is what I'm doing right now, but it's easy to forget and you have to know that in the first place (I realised a bit too late!).
Best regards,
Carlos
Support Staff 5 Posted by Steve on 11 Oct, 2023 10:18 PM
Glad this works. And thank you for bringing this to our attention. Our focus currently is on Sonoma but we will discuss this internally.
When you write you realised this too late, can you elaborate what has happened?
If you want, I can switch this discussion to private or we can keep this public (which is the current state).
6 Posted by Carlos on 11 Oct, 2023 10:31 PM
Sorry, I didn't want to imply that something actually happened, just that it had been going on like that for weeks. Hopefully there was no leakage of data, but I can't say for sure. Thing is that any extension, package or app that was running on my computer could have decrypted some secrets just like that.
Support Staff 7 Posted by Steve on 11 Oct, 2023 10:33 PM
Understood, thanks for elaborating.
Steve closed this discussion on 11 Oct, 2023 10:33 PM.