pinentry-mac: use apple watch / touchID to unlock gpg key
Hey all,
I have had this suggestion or feature request in mind for a long time...
I would like to use my Apple Watch's feature "unlock with Apple Watch" or Touch ID to unlock my gpg key.
I would expect this possibility as a button in the pinentry-mac application.
I do not like to store my password for the gpg key in Apple's keychain because once my Mac is unlocked another person could use all my passwords (e.g. I forget to lock my Mac, another person goes shopping with all my passwords).
Even though I am a software developer myself and would love to open a pull request, I have no experience in C or Objective-C at all and a really hard time reading/understanding the code. Besides that, I could not manage to find examples on forums.developer.apple.com
Support Staff 1 Posted by Steve on 10 Feb, 2020 12:58 PM
Hi floge77,
Welcome to the GPGTools support platform. And thanks for taking the time to ask about this feature request.
Touch ID is a mechanism to unlock a password stored in a certain location. This works well for apps like 1Password. It does not work well for GPG Mail as that is not an app but a mail plugin.
So storing the password in macOS keychain is still the best option. Note that the passwords in macOS keychain are protected with your user password. If you are worried about leaving your mac unlocked, that is indeed a problem if your mac lives in a shared environment. The best solution to that problem is using an automatic screensaver which is password protected. Not owning an Apple Watch, but maybe it is possible to use the watch to lock your mac as soon as you leave it.
Hope this helps,
Steve
2 Posted by Florian on 10 Feb, 2020 01:41 PM
Hi Steve,
thanks for your thoughts, but I guess there is a misunderstanding.
My proposal or feature request is not for GPG Mail, but for pinentry-mac: https://github.com/GPGTools/pinentry-mac
I would love to have a button there which I then can use to paste the password to pinentry-mac / unlock the gpg key.
See the screenshot attached.
Best regards
Florian
Support Staff 3 Posted by Steve on 10 Feb, 2020 04:06 PM
As I tried to point out: pinentry-mac is not capable of storing the password in its own storage as there is no such thing (currently). There would be little to no added security compared to storing the password in macOS keychain with a Mac which is locked whenever you leave it, which would be the best practice in shared office spaces and the like.
4 Posted by Robert Meerman on 24 Jun, 2020 12:34 PM
Is it possible to use macOS keychain to store / cache the password, but be prompted for TouchID every time pinentry-mac wants to use it?
I'm content trusting macOS keychain, but am looking for a way to use biometrics to authorise every use of my GPG key, particularly when forwarding it via SSH tunnels to remote systems I perform maintenance on.
I've been spoilt by macOS sudo integration with TouchID [1], and would love to use it with GPG.
[1] TouchID for sudo is opt-in, cf. https://apple.stackexchange.com/a/306324/21948
Support Staff 5 Posted by Luke Le on 24 Jun, 2020 03:25 PM
Hi Robert,
Unfortunately we don't think that this is possible.
If you have an easier-to-type macOS password, the closest you can get is being asked for that every time you are trying to sign or decrypt some content.
If you are interested in that I'd be happy to guide you through configuration.
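The practical mitigation running through this thread is to limit how long an unlocked, unattended Mac can use a cached passphrase. The script below is an added example, not from the thread or the pinentry-mac project: it sets `pinentry-program` and short `default-cache-ttl` / `max-cache-ttl` values in a gpg-agent.conf and checks the result. The pinentry-mac install path is an assumption (override it with the `PINENTRY_MAC` variable), and the demo at the bottom works on a constructed scratch file rather than your real `~/.gnupg/gpg-agent.conf`.

```shell
#!/bin/sh
# Added example (not from the GPGTools thread or pinentry-mac):
# keep gpg-agent's passphrase cache short so a cached key stops being
# usable soon after the last use, even if the Mac is left unlocked.
set -eu

# Assumed install location of pinentry-mac; adjust for your setup.
PINENTRY_MAC="${PINENTRY_MAC:-/opt/homebrew/bin/pinentry-mac}"

# gpg_agent_set CONF KEY VALUE: set KEY to VALUE, replacing an existing
# line for KEY or appending one. Other lines are left untouched.
gpg_agent_set() {
    conf="$1"; key="$2"; value="$3"
    [ -f "$conf" ] || : > "$conf"
    if awk -v k="$key" '$1 == k { found = 1 } END { exit !found }' "$conf"; then
        tmp="$conf.tmp"
        awk -v k="$key" -v v="$value" '
            $1 == k { print k, v; next }   # rewrite only the matching key
            { print }                      # keep everything else as-is
        ' "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# gpg_agent_get CONF KEY: print the value of KEY (empty if unset).
gpg_agent_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_gpg_agent_conf CONF: pinentry-mac plus short cache lifetimes
# (60s idle, 300s absolute). gpg's defaults are 600s and 7200s.
harden_gpg_agent_conf() {
    conf="$1"
    gpg_agent_set "$conf" pinentry-program "$PINENTRY_MAC"
    gpg_agent_set "$conf" default-cache-ttl 60
    gpg_agent_set "$conf" max-cache-ttl 300
}

# check_cache_ttl CONF LIMIT: succeed only if both TTLs are explicitly
# set and no larger than LIMIT seconds (unset means gpg's long defaults).
check_cache_ttl() {
    conf="$1"; limit="$2"
    ttl=$(gpg_agent_get "$conf" default-cache-ttl)
    maxttl=$(gpg_agent_get "$conf" max-cache-ttl)
    [ -n "$ttl" ] && [ -n "$maxttl" ] &&
        [ "$ttl" -le "$limit" ] && [ "$maxttl" -le "$limit" ]
}

# Demo on a constructed scratch file. To apply for real, point the
# functions at ~/.gnupg/gpg-agent.conf and run: gpgconf --reload gpg-agent
demo=$(mktemp)
printf 'default-cache-ttl 7200\nallow-emacs-pinentry\n' > "$demo"  # constructed starting config
harden_gpg_agent_conf "$demo"
cat "$demo"
check_cache_ttl "$demo" 300 && echo "cache TTLs are within 300s"
rm -f "$demo"
```

Note that `default-cache-ttl` only governs gpg-agent's own in-memory cache; a passphrase saved to the macOS keychain by pinentry-mac is not affected by it, which is why the screen-lock advice above still applies.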
6 Posted by Robert Meerman on 24 Jun, 2020 03:53 PM
Thanks for replying and the offer of assistance. I'm comfortable setting it up myself.
Regards,
Robert
Steve closed this discussion on 23 Jul, 2020 03:16 PM.