Hi list,

# Context

I connect to an OS X machine either locally or via SSH. When local, I use pinentry-mac and forward my SSH agent to gpg-agent. When remote, I use $SSH_AUTH_SOCK from the forwarded connection (I'm also trying to forward the gpg-agent socket, but it doesn't work reliably due to leftover sockets, so let's ignore that for now).

# Problem

I can't interact with pinentry-mac when connecting over SSH, so I'd like to fall back to pinentry(-curses).

Potential solution: I just banged out this script, which I am thinking about using as `pinentry-program /PATH/TO/HOME/bin/pinentry-dispatch`:

    #!/bin/sh -x
    # -x traces each command to stderr; the Assuan protocol runs over
    # stdin/stdout, so the trace does not interfere with gpg-agent.

    UNAME="$(uname)"
    # gpg-agent's own SSH socket: if SSH_AUTH_SOCK points here, we are local.
    GPG_SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

    PINENTRY=/usr/bin/pinentry
    PINENTRY_BREW=/usr/local/bin/pinentry
    PINENTRY_MAC=/usr/local/bin/pinentry-mac

    # "$@" forwards the options gpg-agent passes to pinentry (e.g. --display).
    case "${UNAME}" in
        "Darwin")
            case "${SSH_AUTH_SOCK}" in
                "${GPG_SSH_AUTH_SOCK}")
                    # Local session: GUI pinentry.
                    exec "${PINENTRY_MAC}" "$@"
                    ;;
                *)
                    # Forwarded agent socket: SSH session, use the curses pinentry.
                    exec "${PINENTRY_BREW}" "$@"
                    ;;
            esac
            ;;
        *)
            exec "${PINENTRY}" "$@"
            ;;
    esac

This way, I could just `gpg-connect-agent 'killagent' /bye` from my SSH session, and next time the agent spawns, it would fall back to the non-mac pinentry.

# Question

Is it sane? My money is on "not very", but I'd like a more educated discussion.

One of the issues I can see is that the script is in my HOME, which could be more easily compromised than the rest of the system, and the script trivially replaced by something that captures the data (but then again, my gpg-agent.conf could also be overwritten).

Can you see any other issue with it (or with the idea of using such a dispatcher to start with)?

(Please CC me on replies, as I only sporadically check the list through GMane.)

-- 
Olivier Mehani <sht...@ssji.net>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
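Added example (editor's code, not the poster's script or anything shipped by GnuPG or pinentry-mac): the same dispatch idea restructured so that the decision is a pure function of its inputs and can be self-tested, the options gpg-agent passes to pinentry are forwarded unchanged, and a missing binary falls through to the next candidate instead of leaving gpg-agent with no pinentry at all. Two details worth keeping in mind: gpg-agent runs the pinentry program with the agent's own environment, inherited when the agent was started, so SSH_AUTH_SOCK inside this script reflects the session that started the agent (hence the `killagent` step in the post), and an empty result from `gpgconf` must not be allowed to match an empty SSH_AUTH_SOCK. The binary paths are the macOS/Homebrew defaults assumed in the post; the `pinentry-dispatch` file name used in the `$0` guard is an assumption too.

```shell
#!/bin/sh
# pinentry-dispatch: pick a pinentry depending on where the request comes from.
# Added example, not the original post's script.  Paths are the macOS/Homebrew
# defaults assumed in the post; adjust them to your installation.

PINENTRY_TTY=/usr/bin/pinentry          # assumed: distro pinentry (curses)
PINENTRY_BREW=/usr/local/bin/pinentry   # assumed: Homebrew pinentry (curses)
PINENTRY_MAC=/usr/local/bin/pinentry-mac

# choose_pinentry UNAME SSH_AUTH_SOCK GPG_AGENT_SSH_SOCKET
# Prints a space-separated, ordered candidate list (first choice first).
# The local session is recognised by SSH_AUTH_SOCK pointing at gpg-agent's own
# ssh socket; anything else (a forwarded socket, or none) is treated as SSH.
choose_pinentry() {
    uname_s=$1; ssh_sock=$2; gpg_sock=$3
    case "$uname_s" in
        Darwin)
            # Require a non-empty gpg socket so a failed gpgconf call cannot
            # accidentally match an unset SSH_AUTH_SOCK.
            if [ -n "$gpg_sock" ] && [ "$ssh_sock" = "$gpg_sock" ]; then
                printf '%s %s\n' "$PINENTRY_MAC" "$PINENTRY_BREW"
            else
                printf '%s %s\n' "$PINENTRY_BREW" "$PINENTRY_TTY"
            fi
            ;;
        *)
            printf '%s\n' "$PINENTRY_TTY"
            ;;
    esac
}

# first_executable PATH...  Prints the first absolute path that is executable;
# relative candidates are ignored so PATH lookup can never substitute a binary.
first_executable() {
    for p in "$@"; do
        case "$p" in
            /*) [ -x "$p" ] && { printf '%s\n' "$p"; return 0; } ;;
        esac
    done
    return 1
}

main() {
    gpg_sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)
    # Word-splitting the candidate list is intended here.
    target=$(first_executable $(choose_pinentry "$(uname)" "${SSH_AUTH_SOCK:-}" "$gpg_sock")) || {
        echo "pinentry-dispatch: no usable pinentry found" >&2
        exit 1
    }
    # Forward gpg-agent's arguments (e.g. --display) to the real pinentry.
    exec "$target" "$@"
}

# Dispatch only when installed and invoked as pinentry-dispatch; sourcing the
# file under another name just defines the functions, which makes it testable.
case "${0##*/}" in
    pinentry-dispatch) main "$@" ;;
esac
```

Install it as `~/bin/pinentry-dispatch`, point `pinentry-program` at it as in the post, and restart the agent from the session whose environment should win. The candidate list is what makes the fallback safe to rely on: if pinentry-mac is not installed on a given machine, the curses pinentry is used rather than gpg-agent reporting that no pinentry could be started.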