Situation
Generating a public/private key pair asks for a passphrase; GnuPG accepts an empty one, but it is strongly recommended not to use one. When a key is generated with gpg --gen-key or gpg --full-gen-key, the user is asked to enter the passphrase and to confirm it to avoid typos. This dialog is not handled by gpg itself but by the program pinentry, which is invoked by gpg-agent, the supporting daemon to which gpg delegates private-key operations and passphrase handling.
The Problem
When a self compiled GnuPG is installed under a non-default prefix and pinentry has not been compiled and installed under that same prefix, this step fails. gpg-agent does not search the PATH for pinentry: unless told otherwise, it uses the pinentry location compiled in at configure time, which by default is the bin directory of the install prefix (here /tmp/canary/install/bin/pinentry). The distribution's /usr/bin/pinentry is never considered, so the passphrase dialog cannot be started and key generation fails.
Solution Methods
Self Compiled
We can compile pinentry with the same --prefix as GnuPG (here ./configure --prefix=/tmp/canary/install), so that it lands in the bin directory gpg-agent looks in. pinentry needs the development headers of at least one frontend (curses, GTK or Qt) to build. Alternatively, GnuPG's own configure accepts --with-pinentry-pgm=PATH to bake a different default location into gpg-agent, which requires rebuilding GnuPG.
Quick and Dirty
We can put a symlink to the distribution's pinentry into the self compiled bin directory:
cd /tmp/canary/install/bin
ln -s /usr/bin/pinentry pinentry
This ties the self compiled install to the distribution's binary and silently breaks when that path changes, hence quick and dirty.
Configuration
We can set the option pinentry-program /usr/bin/pinentry in the file gpg-agent.conf inside the GnuPG home directory. But a gpg-agent that is already running does not know about the new configuration. It is possible to kill the gpg-agent, but then everything it holds in memory is lost, e.g. the cached passphrases of unlocked keys; that is quick and dirty as well. There is a better way: ask the running agent to re-read its configuration with the reloadagent command of gpg-connect-agent.
$ cat /tmp/canary/homedir/gpg-agent.conf
pinentry-program /usr/bin/pinentry
$ export LD_LIBRARY_PATH="/tmp/canary/install/lib"
$ cd /tmp/canary/install/bin
$ ./gpg-connect-agent --homedir /tmp/canary/homedir reloadagent /bye
$ ./gpg --homedir /tmp/canary/homedir --gen-key
Note that LD_LIBRARY_PATH has to be exported; a plain shell assignment is not visible to the gpg binaries started afterwards.
The program gpg-agent knows about the command line option --pinentry-program ${whatsoever}, but gpg doesn't. Thus you cannot pass it by invoking the latter with this option.
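The following POSIX shell helpers are an added example and not part of the original article; they wrap both the self compiled and the configuration method described above. Assumed: the /tmp/canary install prefix from the article, an already unpacked pinentry source tree for build_pinentry (which is therefore not run by default), and the function names, which are mine. set_pinentry_program rewrites gpg-agent.conf idempotently (no second pinentry-program line after repeated calls), refuses a path that is not executable, and keeps the other options; reload_agent makes the running agent pick the change up without losing cached passphrases.

```shell
#!/bin/sh
# Added example, not code from the original article. GNUPG_PREFIX mirrors
# the article's /tmp/canary layout; override it for a different install.

GNUPG_PREFIX=${GNUPG_PREFIX:-/tmp/canary/install}

# Self compiled: build pinentry with the same --prefix as GnuPG so that it
# lands in $GNUPG_PREFIX/bin, the compiled-in location gpg-agent looks at.
# $1 = unpacked pinentry source directory. Not run by default (needs sources).
build_pinentry() {
  ( cd "$1" && ./configure --prefix="$GNUPG_PREFIX" && make && make install )
}

# Configuration: set (or replace) pinentry-program in $1/gpg-agent.conf.
# Refuses paths that are not executable, keeps every other option, never
# leaves a second pinentry-program line behind and fixes the homedir
# permissions (gpg warns about an unsafe homedir otherwise).
set_pinentry_program() {
  homedir=$1
  pinentry=$2
  if [ ! -x "$pinentry" ]; then
    echo "set_pinentry_program: not an executable: $pinentry" >&2
    return 1
  fi
  mkdir -p "$homedir" && chmod 700 "$homedir"
  conf=$homedir/gpg-agent.conf
  tmp=$conf.tmp
  if [ -f "$conf" ]; then
    # drop any existing pinentry-program line, keep the rest verbatim
    grep -v '^[[:space:]]*pinentry-program[[:space:]=]' "$conf" > "$tmp" || true
  else
    : > "$tmp"
  fi
  printf 'pinentry-program %s\n' "$pinentry" >> "$tmp"
  mv "$tmp" "$conf" && chmod 600 "$conf"
}

# Print the pinentry configured in $1/gpg-agent.conf (last line wins in this
# helper), or nothing when the file or the option does not exist.
get_pinentry_program() {
  [ -f "$1/gpg-agent.conf" ] || return 0
  awk '$1 == "pinentry-program" { v = $2 } END { print v }' "$1/gpg-agent.conf"
}

# Make a running agent re-read gpg-agent.conf without killing it, so cached
# passphrases survive. Uses the self compiled gpg-connect-agent, which needs
# the matching libraries on LD_LIBRARY_PATH under a non-default prefix.
reload_agent() {
  LD_LIBRARY_PATH=$GNUPG_PREFIX/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} \
    "$GNUPG_PREFIX/bin/gpg-connect-agent" --homedir "$1" reloadagent /bye
}

# Usage: sh pinentry-switch.sh /tmp/canary/homedir /usr/bin/pinentry
if [ $# -eq 2 ]; then
  set_pinentry_program "$1" "$2" && reload_agent "$1"
fi
```

Switching back to the self compiled pinentry is the same call with $GNUPG_PREFIX/bin/pinentry as the second argument, followed by the reload; nothing in the running agent has to be thrown away for either direction.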
Conclusion
The configuration method is the best choice: it works at user level without root access and combines with the self compiled method. A user can switch between the distribution's and the self compiled pinentry at any time by editing gpg-agent.conf and reloading the agent, and it does not matter whether pinentry is part of the self compiled suite when the distribution's version is configured.
To be continued...