pinentry-mac: use apple watch / touchID to unlock gpg key


floge77

05 Feb, 2020 09:21 PM

Hey all,

I have had this suggestion or feature request in mind for a long time...
I would like to use my Apple Watch's "unlock with Apple Watch" feature or Touch ID to unlock my GPG key.
I would expect this possibility as a button in the pinentry-mac application.
I do not like to store the password for my GPG key in Apple's keychain because once my Mac is unlocked another person could use all my passwords (e.g. I forget to lock my Mac, and another person goes shopping with all my passwords).

Even though I am a software developer myself and would love to open a pull request, I have no experience in C or Objective-C at all and a really hard time reading/understanding the code. Besides that, I could not manage to find examples on forums.developer.apple.com

  1. Support Staff 1 Posted by Steve on 10 Feb, 2020 12:58 PM


    Hi floge77,

    Welcome to the GPGTools support platform, and thanks for taking the time to ask about this feature request.

    Touch ID is a mechanism to unlock a password stored in a certain location. This works well for apps like 1Password. It does not work well for GPG Mail as that is not an app but a mail plugin.

    So storing the password in the macOS keychain is still the best option. Note that the passwords in the macOS keychain are protected with your user password. If you are worried about leaving your Mac unlocked, that is indeed a problem if your Mac lives in a shared environment. The best solution to that problem is using an automatic screensaver which is password protected. I don't own an Apple Watch, but maybe it is possible to use the watch to lock your Mac as soon as you leave it.

    Hope this helps,
    Steve

  2. 2 Posted by Florian on 10 Feb, 2020 01:41 PM


    Hi Steve,
    Thanks for your thoughts, but I guess there is a misunderstanding.
    My proposal or feature request is not for GPG Mail, but for pinentry-mac: https://github.com/GPGTools/pinentry-mac

    I would love to have a button there which I could then use to paste the password into pinentry-mac / unlock the GPG key.
    See the screenshot attached.

    Best regards
    Florian

  3. Support Staff 3 Posted by Steve on 10 Feb, 2020 04:06 PM


    As I tried to point out: pinentry-mac is not capable of storing the password in its own storage, as there is no such thing (currently). There would be little to no added security compared to storing the password in the macOS keychain on a Mac which is locked whenever you leave it, which would be the best practice in shared office spaces and the like.

  4. 4 Posted by Robert Meerman on 24 Jun, 2020 12:34 PM


    Is it possible to use the macOS keychain to store / cache the password, but be prompted for Touch ID every time pinentry-mac wants to use it?

    I'm content trusting the macOS keychain, but am looking for a way to use biometrics to authorise every use of my GPG key, particularly when forwarding it via SSH tunnels to remote systems I perform maintenance on.

    I've been spoilt by macOS sudo integration with Touch ID [1], and would love to use it with GPG.

    .. [1] Touch ID for sudo is opt-in, cf. https://apple.stackexchange.com/a/306324/21948

  5. Support Staff 5 Posted by Luke Le on 24 Jun, 2020 03:25 PM


    Hi Robert,

    Unfortunately, we don't think that this is possible.
    If you have an easier-to-type macOS password, the closest you can get is being asked for that every time you are trying to sign or decrypt some content.

    If you are interested in that I'd be happy to guide you through configuration.
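
The "ask every time" configuration Luke offers above, as an added example that is not part of the thread and not GPGTools' own code: gpg-agent caches a passphrase after the first successful pinentry, so being prompted on every signing/decryption operation means setting both cache TTLs to zero in `gpg-agent.conf` and reloading the agent. The script below writes that configuration while preserving unrelated lines, and checks the result. It assumes GPG Suite's pinentry lives at `/usr/local/bin/pinentry-mac` and that pinentry-mac honours a `DisableKeychain` preference in the `org.gpgtools.common` defaults domain (verify both against your installed version); without the keychain disabled, pinentry-mac would answer the prompt from a saved keychain item and no human interaction would be needed.

```shell
#!/bin/sh
# Added example (not from the thread): make gpg-agent prompt on every private-key use.
# Assumed, not from the original post: pinentry-mac path and the DisableKeychain preference.

# Write a gpg-agent.conf into the given GNUPGHOME that disables passphrase caching,
# keeping any existing lines that do not concern caching or the pinentry program.
write_prompt_every_time_conf() {
    gnupghome="${1:-$HOME/.gnupg}"
    mkdir -p "$gnupghome"
    chmod 700 "$gnupghome"
    conf="$gnupghome/gpg-agent.conf"
    if [ -f "$conf" ]; then
        # drop the directives we are about to set; grep exits 1 if nothing is left, which is fine
        grep -v -E '^(default-cache-ttl|max-cache-ttl|pinentry-program)( |$)' "$conf" > "$conf.tmp" || true
    else
        : > "$conf.tmp"
    fi
    cat >> "$conf.tmp" <<'EOF'
# Ask for the passphrase on every signing/decryption operation (no caching at all)
default-cache-ttl 0
max-cache-ttl 0
# Use the GUI pinentry shipped with GPG Suite (path assumed)
pinentry-program /usr/local/bin/pinentry-mac
EOF
    mv "$conf.tmp" "$conf"
    chmod 600 "$conf"
    echo "$conf"
}

# Exit 0 if the config file at $1 disables both caches, else non-zero.
conf_disables_cache() {
    grep -q '^default-cache-ttl 0$' "$1" && grep -q '^max-cache-ttl 0$' "$1"
}

# Apply to the real agent on a Mac: write, verify, turn off keychain use, reload the agent.
apply_on_mac() {
    conf=$(write_prompt_every_time_conf "$HOME/.gnupg")
    conf_disables_cache "$conf" || { echo "gpg-agent.conf check failed" >&2; return 1; }
    # Keep pinentry-mac from storing/using the passphrase in the macOS keychain (preference assumed)
    defaults write org.gpgtools.common DisableKeychain -bool yes
    # Ask the running agent to re-read gpg-agent.conf instead of restarting it
    gpgconf --reload gpg-agent
}

# Only touch the real configuration when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_on_mac
fi
```

Run it with `--apply` to change the live configuration; without arguments it only defines the functions so it can be sourced or tested against a throwaway directory. Note that a zero TTL removes caching entirely, including for the agent's SSH support, so each forwarded use over an SSH tunnel will raise a pinentry-mac dialog on the local machine.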

  6. 6 Posted by Robert Meerman on 24 Jun, 2020 03:53 PM


    Thanks for replying and the offer of assistance. I'm comfortable setting it up myself.

    Regards,
    Robert
