Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
6 votes • 1 answer • 1338 views
Intermingled input when using local gpg-agent from remote site
I'm starting a local `gpg-agent` on my Mac, with the `extra-socket` option. Then I connect to a remote site using SSH, forwarding the remote `S.gpg-agent` socket to the local `S.gpg-agent.extra` socket. This works:

```
ssh -R /remotehome/.gnupg/S.gpg-agent:/localhome/.gnupg/S.gpg-agent.extra remotesystem
```

When I want to sign something on the remote machine, the `pinentry` dialog pops up locally and asks for the password, which is the way it should work. However, when I start typing my password, some of the key presses obviously go into `pinentry` (they are displayed as `*`) whereas some key presses end up in the shell that runs on the same tty as the `pinentry` process.

```
┌────────────────────────────────────────────────────────────────┐
│ Note: Request from a remote site. │
│ │
│ Please enter the passphrase to unlock the OpenPGP secret key: │
│ "My name " │
│ 4096-bit RSA key, ID MYKEYIDXXX0000YYY, │
│ created 2015-06-17 (main key ID MYMAINKEYIDXXX0000YYY). │
│ │
│ │
│ Passphrase: t*i*e_____________________________________________ │
│ │
│ │
└────────────────────────────────────────────────────────────────┘
```

Pressing Return has a chance of either sending the mangled password to `gpg`, or sending whatever key presses that didn't go into `pinentry` to the shell:

```
/bin/ksh: tie: not found
```

How do I get `pinentry` to grab _all_ keys from the tty?
The local machine is a Mac running GnuPG 2.1.14 (compiled from `pkgsrc`). The remote site is either a Linux machine with the same version of GnuPG or an OpenBSD machine with GnuPG version 2.1.15 (no difference). The `extra-socket` option is the only option enabled in my `gpg-agent.conf`. The environment variable `GPG_TTY` is correctly set, and running `gpg-connect-agent updatestartuptty /bye` locally will move the tty on which `pinentry` starts up, but with the same problem.

Doing `gpg-connect-agent updatestartuptty /bye` on the remote machine results in

```
$ gpg-connect-agent updatestartuptty /bye
gpg-connect-agent: connection to agent is in restricted mode
ERR 67109115 Forbidden
```

... which is what I kinda expect should happen.

Changing from the curses interface to the tty interface for `pinentry` makes no difference. These are the only two `pinentry` interfaces available to me. I do not run X11.

---

Update: With the local system running OpenBSD 6.3 (GnuPG 2.2.9) and the remote being some Ubuntu system (GnuPG 2.1.11), it's even worse with _no_ key presses going into `pinentry` and everything being read by the shell.
Kusalananda (354278 rep) • Nov 21, 2016, 10:13 PM • Last activity: Mar 26, 2025, 10:19 PM

13 votes • 3 answers • 28306 views
GPG can't decrypt: no pinentry program
I can't decrypt my passwords with `pass` neither with `gpg` directly.

```
gpg: encrypted with rsa4096 key, ID id, created creation_date
"name "
gpg: public key decryption failed: No pinentry
gpg: decryption failed: No pinentry
```

It does not show a prompt dialog asking for the master password.
It says "no pinentry" but the program is installed:

```
$ ls /usr/bin/pinentry*
/usr/bin/pinentry
/usr/bin/pinentry-curses
/usr/bin/pinentry-emacs
/usr/bin/pinentry-gnome3
/usr/bin/pinentry-gtk-2
/usr/bin/pinentry-qt
/usr/bin/pinentry-tty
```

Please, I need help asap because I can't login into nothing without my passwords, which are all encrypted with GPG.
user462354 • Sep 30, 2021, 02:26 PM • Last activity: Jul 11, 2024, 08:51 AM

2 votes • 1 answer • 1333 views
`gpg --pinentry-mode loopback` used to ask passphrase once but now it asks always
In short (Edit 1): How to make `gpg -qd --pinentry-mode loopback out.gpg` cache the passphrase for a period of time in the cli. It used to cache but now it doesn't.

Edit 2: I have tried this thing in both Kubuntu 24.04 Live iso image and a very old live iso image from 2017 called GParted live. In Gparted live iso, `--pinentry-mode loopback` caches the passphrase but not in Kubuntu live iso.

Edit 3: I have tested in Kubuntu 22.04, 23.10 and 24.04 using https://distrosea.com and `gpg --pinentry-mode loopback` symmetric decryption does indeed not cache the passphrase except 22.04.

And now the boring details:

In Kubuntu 22.04, I used to use these commands to create an encrypted file from stdin and to decrypt it:

`gpg --pinentry-mode loopback --output out.gpg --symmetric -` to encrypt

`gpg --pinentry-mode loopback -qd out.gpg` to decrypt.

While in a terminal session, the decryption command used to ask for the passphrase once for a certain time and I don't remember I did anything to get this behavior.

Now I have upgraded to Kubuntu 24.04 (by fully erasing the disk). But now, the decryption command above always asks for the passphrase in the same terminal session.

If I remove `--pinentry-mode loopback`, then the `pinentry-qt` dialog kicks and finally the decryption command stops asking for the passphrase for subsequent decryption commands with `--pinentry-mode loopback`.

So `pinentry-qt` correctly caches the passphrase but any subsequent `--pinentry-mode loopback` command requires a passphrase input with `pinentry-qt` in order not to ask for the passphrase again.

I installed `pinentry-tty` and set the config in `~/.gnupg/gpg-agent.conf` to: `pinentry-program /usr/bin/pinentry-tty` and reloading the agent by: `gpg-connect-agent reloadagent /bye`.

This actually solves my problem by decrypting without using `--pinentry-mode loopback`. But what I want is the old (no config) behavior so I can get rid of updating all my scripts.
mrdolichenus (21 rep) • May 22, 2024, 07:03 AM • Last activity: May 23, 2024, 03:49 PM

1 vote • 3 answers • 2502 views
OpenGL fails to load due to nvidia driver
I have 2 video cards and installed the `nvidia` driver:

```
❯ lspci -nnk | grep -iA3 -E "(vga|NVIDIA).*(controller|GeForce)"
00:02.0 VGA compatible controller [0300]: Intel Corporation HD Graphics 620 [8086:5916] (rev 02)
DeviceName: Onboard IGD
Subsystem: Hewlett-Packard Company HD Graphics 620 [103c:82c1]
Kernel driver in use: i915
--
01:00.0 3D controller : NVIDIA Corporation GM108M [GeForce 940MX] [10de:134d] (rev a2)
Subsystem: Hewlett-Packard Company GM108M [GeForce 940MX] [103c:82c1]
Kernel driver in use: nvidia
Kernel modules: nouveau, nvidia_drm, nvidia
```

and modules loaded:

```
❯ lsmod | grep -iE '(iris|965|915|nouveau|nvidia)'
nvidia_drm 94208 4
nvidia_modeset 1556480 2 nvidia_drm
nvidia_uvm 3481600 2
nvidia 62734336 87 nvidia_uvm,nvidia_modeset
i915 4108288 39
i2c_algo_bit 20480 1 i915
drm_buddy 20480 1 i915
ttm 110592 1 i915
intel_gtt 28672 1 i915
drm_display_helper 229376 1 i915
video 77824 2 i915,nvidia_modeset
cec 86016 2 drm_display_helper,i915
```

having:

```
❯ sudo lshw -c video | grep 'configuration'
configuration: depth=32 driver=i915 latency=0 resolution=3840,2160
configuration: driver=nvidia latency=0
```
**For some reason, OpenGL (EGL) crashes and OpenGL (GLX) provides**:

```
❯ glxinfo | grep "OpenGL renderer"
libGL error: glx: failed to create dri3 screen
libGL error: failed to load driver: nouveau
OpenGL renderer string: Mesa Intel(R) HD Graphics 620 (KBL GT2)
```

Qt5 (e.g. `kwalletd5`) fails:

```
❯ kwalletd5
kf.wallet.kwalletd: Lacking a socket, pipe: 0 env: 0
libGL error: glx: failed to create dri3 screen
libGL error: failed to load driver: nouveau
```

I do not understand why libGL is looking for `nouveau` when `nouveau` is not installed. I understand the `nouveau` is for legacy NVIDIA and this NVIDIA card (i.e. `GM108M [GeForce 940MX]` with `NV118`) should use nvidia driver.

`eglinfo` creates a crashdump, that makes me guess that the driver was not properly compiled for this kernel ... ?!? (wondering ...)

```
❯ coredumpctl info eglinfo
PID: 3006 (eglinfo)
UID: 1026 (alex)
GID: 1000 (alex)
Signal: 6 (ABRT)
Timestamp: Sun 2023-10-08 10:50:39 EDT (1h 3min ago)
Command Line: /usr/bin/eglinfo
Executable: /usr/bin/eglinfo
Control Group: /user.slice/user-1026.slice/user@1026.service/app.slice/app-org.kde.kinfocenter-1e5614d213e84a2fac7e745b95873f3b.scope
Unit: user@1026.service
User Unit: app-org.kde.kinfocenter-1e5614d213e84a2fac7e745b95873f3b.scope
Slice: user-1026.slice
Owner UID: 1026 (alex)
Boot ID: 0e078812604c40b896a2926936fed0ed
Machine ID: 5e088a0fd5f24ea3ba800ad0886bc587
Hostname: azx360
Storage: /var/lib/systemd/coredump/core.eglinfo.1026.0e078812604c40b896a2926936fed0ed.3006.1696776639000000.zst (present)
Size on Disk: 2.0M
Message: Process 3006 (eglinfo) of user 1026 dumped core.
Stack trace of thread 3006:
#0 0x00007f8f4878483c n/a (libc.so.6 + 0x8e83c)
#1 0x00007f8f48734668 raise (libc.so.6 + 0x3e668)
#2 0x00007f8f4871c4b8 abort (libc.so.6 + 0x264b8)
#3 0x00007f8f4871d390 n/a (libc.so.6 + 0x27390)
#4 0x00007f8f4878e7b7 n/a (libc.so.6 + 0x987b7)
#5 0x00007f8f4878f30e n/a (libc.so.6 + 0x9930e)
#6 0x00007f8f4878f480 n/a (libc.so.6 + 0x99480)
#7 0x00007f8f48791a38 n/a (libc.so.6 + 0x9ba38)
#8 0x00007f8f48793dc1 __libc_calloc (libc.so.6 + 0x9ddc1)
#9 0x00007f8f46733bb1 n/a (libnvidia-eglcore.so.535.113.01 + 0x1533bb1)
#10 0x00007f8f46741a91 n/a (libnvidia-eglcore.so.535.113.01 + 0x1541a91)
#11 0x00007f8f46741b12 n/a (libnvidia-eglcore.so.535.113.01 + 0x1541b12)
#12 0x00007f8f46741ce0 n/a (libnvidia-eglcore.so.535.113.01 + 0x1541ce0)
#13 0x00007f8f48242f72 n/a (libEGL_nvidia.so.0 + 0x42f72)
#14 0x00007f8f482485a4 n/a (libEGL_nvidia.so.0 + 0x485a4)
#15 0x000055846b68f824 n/a (eglinfo + 0x8824)
#16 0x000055846b6932f5 n/a (eglinfo + 0xc2f5)
#17 0x000055846b68b2b6 n/a (eglinfo + 0x42b6)
#18 0x00007f8f4871dcd0 n/a (libc.so.6 + 0x27cd0)
#19 0x00007f8f4871dd8a __libc_start_main (libc.so.6 + 0x27d8a)
#20 0x000055846b68b6e5 n/a (eglinfo + 0x46e5)
ELF object binary architecture: AMD x86-64
```

more, looking to understand from `inxi`:

```
❯ inxi -Gx
Graphics:
Device-1: Intel HD Graphics 620 vendor: Hewlett-Packard driver: i915
v: kernel arch: Gen-9.5 bus-ID: 00:02.0
Device-2: NVIDIA GM108M [GeForce 940MX] vendor: Hewlett-Packard
driver: nvidia v: 535.113.01 arch: Maxwell bus-ID: 01:00.0
Device-3: Suyin HP TrueVision FHD RGB-IR driver: uvcvideo type: USB
bus-ID: 1-5:2
Display: x11 server: X.Org v: 21.1.8 driver: X: loaded: intel,nvidia
unloaded: modesetting dri: i965 gpu: i915 resolution: 3840x2160
API: EGL Message: No EGL data available.
API: OpenGL v: 4.6 vendor: intel mesa v: 23.2.1-arch1.2 glx-v: 1.4
direct-render: yes renderer: Mesa Intel HD Graphics 620 (KBL GT2)
API: Vulkan v: 1.3.264 drivers: nvidia surfaces: xcb,xlib devices: 1
```

here are the packages installed for video driver:

```
❯ pacman -Q | grep -iE '(nvidia|mesa|intel|cuda|vulkan|vdpau)'
intel-gmmlib 22.3.11-1
intel-gpu-tools 1.27-2
intel-media-driver 23.3.3-1
intel-media-sdk 23.2.2-2
libvdpau 1.5-2
mesa 1:23.2.1-2
mesa-utils 9.0.0-3
nvidia 535.113.01-4
nvidia-settings 535.113.01-1
nvidia-utils 535.113.01-2
vulkan-headers 1:1.3.264-2
vulkan-icd-loader 1.3.263-1
vulkan-tools 1.3.263-1
xf86-video-intel 1:2.99.917+923+gb74b67f0-1
```

Any guideline to fix OpenGL is much appreciated!
Update: after some troubleshooting, I identified that the problem was not directly related to nvidia, although was triggered when installing Nvidia driver.

I identified that `pinentry`, used by `gpg-agent`, had a problem getting the `X` or `plasmashell` device, probably to pop-up the dialog for the passphrase. A log about the issue:

```
[USER@MACHINE ~]$ Unsupported return type 65 QPixmap in method "grab"
Unsupported return type 65 QPixmap in method "grab"
Unsupported return type 65 QPixmap in method "grab"
Unsupported return type 65 QPixmap in method "grab"
[USER@MACHINE ~]$ journalctl -xe
Oct 13 17:00:17 MACHINE systemd-timesyncd: Contacted time server [REDACTED]:123 ([REDACTED].arch.pool.ntp.org).
Oct 13 17:04:55 MACHINE plasmashell: Could not find the Plasmoid for Plasma::FrameSvgItem(0x562417c320e0) QQmlContext(0x562413f2ad10) QUrl("file:///usr/share/pla>
Oct 13 17:04:55 MACHINE plasmashell: Could not find the Plasmoid for Plasma::FrameSvgItem(0x562417c320e0) QQmlContext(0x562413f2ad10) QUrl("file:///usr/share/pla>
Oct 13 17:09:04 MACHINE systemd-timesyncd: Timed out waiting for reply from [REDACTED]:123 ([REDACTED].arch.pool.ntp.org).
Oct 13 17:09:07 MACHINE plasmashell: trying to show an empty dialog
Oct 13 17:09:07 MACHINE plasmashell: file:///usr/share/plasma/plasmoids/org.kde.plasma.taskmanager/contents/ui/Task.qml:286: Unable to assign [undefined] to QStr>
Oct 13 17:09:07 MACHINE plasmashell: file:///usr/share/plasma/plasmoids/org.kde.plasma.taskmanager/contents/ui/Task.qml:286: Unable to assign [undefined] to QStr>
Oct 13 17:09:07 MACHINE systemd: Started System Settings - System Settings.
-- Subject: A start job for unit UNIT has finished successfully
-- Defined-By: systemd
-- Support: [REDACTED]
--
-- A start job for unit UNIT has finished successfully.
--
-- The job identifier is 590.
Oct 13 17:09:08 MACHINE systemsettings: file:///usr/lib/qt/qml/org/kde/kirigami.2/ScrollablePage.qml:200:9: QML MouseArea: Binding loop detected for property ">
Oct 13 17:09:08 MACHINE systemsettings: file:///usr/lib/qt/qml/org/kde/kirigami.2/ScrollablePage.qml:200:9: QML MouseArea: Binding loop detected for property ">
Oct 13 17:09:08 MACHINE systemsettings: QQmlEngine::setContextForObject(): Object already has a QQmlContext
Oct 13 17:09:14 MACHINE systemd-timesyncd: Timed out waiting for reply from [REDACTED]:123 ([REDACTED].arch.pool.ntp.org).
Oct 13 17:09:14 MACHINE systemd-timesyncd: Contacted time server [REDACTED]:123 ([REDACTED].arch.pool.ntp.org).
Oct 13 17:09:20 MACHINE kwalletd5: kf.wallet.backend: Setting useNewHash to true
Oct 13 17:09:20 MACHINE kwalletd5: kf.wallet.backend: Wallet new enough, using new hash
Oct 13 17:09:20 MACHINE kwalletd5: kf.wallet.backend: Error decrypting message: No secret key , code 17 , source GPGME
Oct 13 17:09:24 MACHINE kwin_x11: kwin_core: XCB error: 152 (BadDamage), sequence: 12493, resource id: 8467472, major code: 143 (DAMAGE), minor code: 3 (Subtract)
Oct 13 17:09:28 MACHINE kwalletd5: kf.wallet.backend: Setting useNewHash to true
Oct 13 17:09:28 MACHINE kwalletd5: kf.wallet.backend: Wallet new enough, using new hash
Oct 13 17:09:28 MACHINE kwalletd5: kf.wallet.backend: Error decrypting message: No secret key , code 17 , source GPGME
Oct 13 17:09:31 MACHINE kwalletd5: kf.wallet.backend: Error decrypting message: No secret key , code 17 , source GPGME
Oct 13 17:09:32 MACHINE kwalletd5: kf.wallet.backend: Error decrypting message: No secret key , code 17 , source GPGME
Oct 13 17:09:32 MACHINE kwalletd5: kf.wallet.backend: Error decrypting message: No secret key , code 17 , source GPGME
Oct 13 17:09:32 MACHINE kwin_x11: kwin_core: XCB error: 152 (BadDamage), sequence: 15002, resource id: 8467610, major code: 143 (DAMAGE), minor code: 3 (Subtract)
Oct 13 17:09:33 MACHINE kwin_x11: kwin_core: XCB error: 152 (BadDamage), sequence: 15530, resource id: 8467635, major code: 143 (DAMAGE), minor code: 3 (Subtract)
Oct 13 17:09:33 MACHINE kwalletd5: kf.wallet.backend: Error decrypting message: No secret key , code 17 , source GPGME
Oct 13 17:09:33 MACHINE kwin_x11: kwin_core: XCB error: 152 (BadDamage), sequence: 16073, resource id: 8467650, major code: 143 (DAMAGE), minor code:
```

Update:
* I upgraded HP driver from F.10 to F.42
* Re-installed `X`, `nvidia`, `gnupg`, `pinentry`.
* Everytime I start the X with `nvidia` driver, it fails. So I am falling back on Intel. The following is a diff between a working `xorg.conf` and the one that fails with `nvidia`:
$ diff xorg.conf xorg.conf.2023-10-23-a-failure.bak
38a39
> Driver "nvidia"
40,43c41
BusID "PCI:1:0:0"
48a47
> Option "AllowEmptyInitialConfiguration"
53a53,63
> EndSection
>
> Section "Device"
> Identifier "intel"
> Driver "modesetting"
> BusID "PCI:0:2.0" # e.g. PCI:0:2:0
> EndSection
>
> Section "Screen"
> Identifier "intel"
> Device "intel"
**Update:**
* Was able to trace the problem to `eglinfo -B` that produces a core dump as:

```
$ eglinfo -B
GBM platform:
EGL API version: 1.5
EGL vendor string: NVIDIA
EGL version string: 1.5
EGL client APIs: OpenGL_ES OpenGL
OpenGL core profile vendor: NVIDIA Corporation
OpenGL core profile renderer: NVIDIA GeForce 940MX/PCIe/SSE2
OpenGL core profile version: 4.6.0 NVIDIA 535.113.01
OpenGL core profile shading language version: 4.60 NVIDIA
OpenGL compatibility profile vendor: NVIDIA Corporation
OpenGL compatibility profile renderer: NVIDIA GeForce 940MX/PCIe/SSE2
OpenGL compatibility profile version: 4.6.0 NVIDIA 535.113.01
OpenGL compatibility profile shading language version: 4.60 NVIDIA
malloc(): invalid next size (unsorted)
```

```
coredumpctl info
(...)
Signal: 6 (ABRT)
(...)
Command Line: eglinfo -B
Executable: /usr/bin/eglinfo
(...)
Size on Disk: 2.1M
Message: Process 3735 (eglinfo) of user 1026 dumped core.
#0 0x00007fc48d23083c n/a (libc.so.6 + 0x8e83c)
#1 0x00007fc48d1e0668 raise (libc.so.6 + 0x3e668)
#2 0x00007fc48d1c84b8 abort (libc.so.6 + 0x264b8)
#3 0x00007fc48d1c9390 n/a (libc.so.6 + 0x27390)
#4 0x00007fc48d23a7b7 n/a (libc.so.6 + 0x987b7)
#5 0x00007fc48d23db04 n/a (libc.so.6 + 0x9bb04)
#6 0x00007fc48d23fdc1 __libc_calloc (libc.so.6 + 0x9ddc1)
#7 0x00007fc48b133bb1 n/a (libnvidia-eglcore.so.535.113.01 + 0x1533bb1)
#8 0x00007fc48b141ccc n/a (libnvidia-eglcore.so.535.113.01 + 0x1541ccc)
#9 0x00007fc48cc42f72 n/a (libEGL_nvidia.so.0 + 0x42f72)
#10 0x00007fc48cc485a4 n/a (libEGL_nvidia.so.0 + 0x485a4)
#11 0x0000555f5f076c7d n/a (eglinfo + 0x6c7d)
#12 0x0000555f5f07c279 n/a (eglinfo + 0xc279)
#13 0x0000555f5f0742b6 n/a (eglinfo + 0x42b6)
#14 0x00007fc48d1c9cd0 n/a (libc.so.6 + 0x27cd0)
#15 0x00007fc48d1c9d8a __libc_start_main (libc.so.6 + 0x27d8a)
#16 0x0000555f5f0746e5 n/a (eglinfo + 0x46e5)
ELF object binary architecture: AMD x86-64
```

> **Note:** *I'm adding all these in case other will troubleshoot similarly, and my journey helps*
azbarcea (122 rep) • Oct 8, 2023, 03:58 PM • Last activity: Apr 19, 2024, 03:44 PM

1 vote • 1 answer • 1108 views
How to call pinentry from bash script
How to call `pinentry` from bash script so I am prompted for single input on the same terminal from which my script was invoked from and then pipe the entry to some other command via `stdout` for the sake of this question lets assume its `echo`.

I would expect the answer to be something along the lines of

```
pinentry-tty | echo
```

My question is not about:
- gpg
- ssh
- git
- How to use anything other than command line flavors of pinentry
- How to set environmental variable using read -s
Lets assume:
- I made it pass second google page
- I used pinentry info
What would be great if the answer would work for version I currently have on my system but I don't expect you to test it.

```
pinentry-tty (pinentry) 1.2.0
Copyright (C) 2016 g10 Code GmbH
License GPLv2+: GNU GPL version 2 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
```

*I don't like the tone of my question but I am just trying to make it as clear as possible.*
Hnus (111 rep) • May 16, 2022, 05:28 AM • Last activity: Oct 23, 2023, 01:26 AM

3 votes • 2 answers • 2147 views
Why would GPG Pinentry be slow when opening in GUI but instantaneous when opening in CLI?
Having a hard time figuring out the debugging steps for this behavior.
I'll run some `gpg` command and, typically, about 20 seconds later a GUI Pinentry window will pop up where I type in my password and the command proceeds.
Occasionally though, the prompt instantaneously appears in my terminal (without me changing any config). On other rare occasions, the GUI Pinentry will be instant.
One time I noticed the GUI Pinentry was instant was when I was running on a single monitor. I typically have an external monitor connected to my laptop over HDMI.
Another time I noticed I was getting prompted in my terminal was when my window manager had crashed, I killed the Xorg server process from a separate TTY, then re-started my window manager.
I'm running Manjaro Linux with StumpWM as the window manager. I'm not sure what other pieces of software or config are relevant to this.
Eric Ihli (211 rep) • Jan 7, 2021, 09:20 PM • Last activity: Oct 24, 2022, 03:03 PM

2 votes • 1 answer • 1251 views
GPG pinentry not receiving key presses during passphrase entry when forwarding gpg-agent
When forwarding my gpg-agent to a remote server I am able to see my private key listed.
Even though I unlocked my key locally I still need to unlock it on the remote machine.
However when I try to unlock on the remote machine it sends a pinentry to my local machine.
When using `pinentry-tty` or `pinentry-curses` I am unable to enter my password.
It has some strange behaviour that it receives some keystrokes and some are even shown as plain text.

```
pinentry --version
pinentry-curses (pinentry) 1.1.0
```

Local

```
gpg --version
gpg (GnuPG) 2.2.27
```

Remote

```
gpg --version
gpg (GnuPG) 2.2.12
```

These are my local config files:

gpg-agent.conf

```
extra-socket /run/users/1000/gnupg/S.gpg-agent.extra
pinentry-program /usr/bin/pinentry-curses
```

ssh.config

```
Host remote
HostName
User
RemoteForward /run/users/1000/gnupg/S.gpg-agent /run/users/1000/gnupg/S.gpg-agent.extra
```

Also on the remote server I added `StreamLocalBindUnlink` to `/etc/ssh/sshd_config`.

To 'force' pinentry to show up on a certain terminal locally I had to use the command

```
gpg-connect-agent updatestartuptty /bye
```

As soon as I try to sign something on the remote server I get the following screen on my local terminal

```
┌────────────────────────────────────────────────────────────────┐
│ Note: Request from a remote site. │
│ │
│ Please enter the passphrase to unlock the OpenPGP secret key: │
│ "username " │
│ 256-bit EDDSA key, ID 1234567890, │
│ created 2021-01-01. │
│ │
│ │
│ Passphrase: __________________________________________________ │
│ │
│ │
└────────────────────────────────────────────────────────────────┘
```

When I try to enter my password I get the following:

```
┌────────────────────────────────────────────────────────────────┐
│ Note: Request from a remote site. │
│ │
│ Please enter the passphrase to unlock the OpenPGP secret key: │
│ "username " │
│ 256-bit EDDSA key, ID 1234567890, │
│ created 2021-01-01. │
│ │
│ │
│ Passphrase: *elo w**wd ____________________________________ │
│ │
│ │
└────────────────────────────────────────────────────────────────┘
```

When I close out of pinentry I can see part of the plain text on the command line
> elo wd

Same behaviour when I use `pinentry-tty`.
On my local machine I run Arch Linux but also the same behaviour exists on macos.
For my terminal emulator I use `simple terminal` and `iterm2` respectively.
The remote machine runs Debian Buster.
I would like to keep using `pinentry-tty` or `pinentry-curses`.
Also would it be possible to 'unlock' my gpg private key locally and have that forwarded to remote instead of having to unlock it on the remote server?
Edit:
Seems the exact same thing has been asked over 4 years ago!
https://unix.stackexchange.com/questions/325021/intermingled-input-when-using-local-gpg-agent-from-remote-site
With no answer, unfortunately.
Reverie (21 rep) • Jan 20, 2021, 07:29 PM • Last activity: Aug 11, 2022, 11:37 AM

2 votes • 1 answer • 1297 views
Remove "save in password manager" option in gpg pinentry
I have some libreoffice documents stored with "encrypt with gpg key" option. Today I was quite surprised when the document opened without requesting a passphrase. Eventually I found an entry for my gpg key in the system key and password manager, Seahorse, where the passphrase could be displayed.
I conclude that I must have accidentally checked the "save in password manager" box in the pinentry dialog when I logged in the last time. A small mistake exposed a confidential document and my most important password.
This appears to be the same problem as here:
but in my case free access to the document and the Seahorse entry survive beyond the timeout defined in `gpg-agent.conf`, after `echo RELOADAGENT | gpg-connect-agent` and even after a reboot.
I tried `gnupg.conf` no-allow-external-cache option, which causes a different pinentry dialog without the checkbox, but then the private key password is not accepted.
Is there a way to remove or disable that checkbox in the pinentry dialog?
My system:
MX-linux 18.3_x64 December 15 2017
base: Debian GNU/Linux 9 (stretch)
gpg (GnuPG) 2.1.18
guest (21 rep) • Jul 25, 2020, 08:50 PM • Last activity: Jul 11, 2022, 09:27 PM

16 votes • 2 answers • 17929 views
How to get pinentry-curses to start on the correct tty?
I use `gpg-agent` for managing both PGP and SSH identities. The agent is started with a script like this

```
gpg_agent_env="$XDG_CACHE_HOME/gpg-agent.env"
export GPG_TTY="$(tty)"
if ! ps -U "$USER" -o ucomm | grep -q gpg-agent; then
    eval "$({gpg-agent --daemon | tee $gpg_agent_env} 2> /dev/null)"
else
    source "$gpg_agent_env" 2> /dev/null
fi
```

which is sourced whenever I run an interactive shell.
Everything works fine with this setup but there is an issue. Let's say I:
1. open a terminal (launching the agent in background) and start working
2. after a while open a second terminal
3. do an action that requires entering a passphrase in the second terminal

At this point `gpg-agent` will start `pinentry-curses` prompting a passphrase but it will do this in the first terminal which results in its output mixed with whatever was running (usually a text editor) with no way to resume the program or stop pinentry (it starts using 100% cpu and I have to kill it).
I must be doing something wrong here. Anyone has experienced this?
### Update:
I figured out this happens only for a prompt to unlock an SSH key, which looks like [this](https://lut.im/TfmmL5JMVe/CcXH06hdeCLyzsmH) ,
while prompts for PGP keys always open on the correct (i.e. current) tty.
Rnhmjoj (303 rep) • May 3, 2016, 06:57 PM • Last activity: May 5, 2022, 11:45 AM

2 votes • 0 answers • 420 views
GPG using sudo under another user, is `pinentry-mode loopback` safe?
There are 2 users: user1 and user2. When trying to use gpg via sudo *(symmetric decryption)*:
`user1@host: sudo -u user2 gpg /home/user2/pass.gpg`
an error `gpg: decryption failed: No secret key`.
I set it to `--pinentry-mode loopback` and the password request happens (right in the terminal), I type and the decryption happens. Tell me, is this approach safe?
I can't understand how this option works. The GnuPG website says:
> Redirect Pinentry queries to the caller. This enables the use of
> gpgme_set_passphrase_cb because pinentry queries are redirected to
> gpgme.
NewLinux (157 rep) • Jan 22, 2022, 03:50 PM • Last activity: Jan 22, 2022, 05:54 PM

2 votes • 1 answer • 3314 views
Strange error with GnuPG: claims "no secret key" when terminal is too small
This is the content of my `.gnupg/gpg-agent.conf`:

```none
pinentry-program /usr/bin/pinentry-curses
```

When I try to retrieve a password from `pass`' store, e.g. via `pass -c path/to/password` in a very small-sized terminal window, the command errors like this:

```none
gpg: decryption failed: No secret key
```

So it's an error from GnuPG, caused, I believe, by not enough space for ncurses to draw the pinentry dialog.
Can anybody reproduce this? If so, where can I report this bug?

Enlico (2258 rep) • Feb 22, 2021, 09:03 PM • Last activity: Feb 24, 2021, 01:51 PM

2 votes • 1 answer • 1678 views
gpg/pinentry - Can't enter passphrase outside terminal
I am trying to decrypt a gpg file inside a script. When I run `gpg -d file.gpg` in the terminal, I get prompted to enter the password in a curses dialog box. But when I run a script containing that line, I get "gpg: decryption failed: No secret key", or a silent failure if not run from an interactive terminal.
Ideally, if gpg is trying to run from a non-interactive shell (I think that's the word for what I mean but I'm not sure - basically if it's run from a script), when I'm running X, then I would like it to open a terminal window running `pinentry-curses`.
If I set my pinentry program to run with qt or gtk, then a graphical window pops up every time, no matter where it comes from. That's the kind of behaviour I'd like to replicate - I just don't want it to depend on qt or gtk.
preferred_anon (350 rep) • Nov 6, 2020, 12:00 PM • Last activity: Nov 7, 2020, 06:56 PM

2 votes • 1 answer • 1593 views
Can I configure pass to always use pinentry-curses?
I use pinentry-qt most of the time, but in the specific case that I'm using pass, I would like to use pinentry-curses because of the faster startup time.
Is there a way that I can configure pass to always call pinentry-curses, while keeping pinentry-qt the system default?
The system is Fedora with KDE.
This seems closely related but I don't know enough to apply it to pass: https://unix.stackexchange.com/q/236746/3056
Steve V.
(1055 rep)
May 10, 2019, 10:27 PM
• Last activity: Oct 11, 2020, 10:51 AM
1
votes
2
answers
2062
views
gpg2 pinentry fails without X
**What is working**
My gpg-agent pinentry works fine under X. I can run
```
echo "test" | gpg2 -ase --default-recipient-self | gpg2
```
to cache my passwords and later run `killall gpg-agent -1` to flush them.
By default, it opens pinentry-gtk (from the looks of it) and prompts me for my password.
**What is not working**
However, if I try to run the same command without an X server, then it appears that gpg2 is hanging (no prompt or anything). If I kill it, then I can see that there is also a `pinentry` process which continues to exist but not anywhere useful.
**What I expect to happen**
I expect that running `gpg2` without an X server would give me a pinentry-curses prompt, the same way that `pass` does. Additionally, I seem to remember that with older versions of gpg, it just prompted me for my password from stdin, and I'm not quite sure why that doesn't happen either.
**What I have tried**
I have tried the following "fixes" but none have caused the aforementioned command to execute properly. In fact, forcing pinentry-curses causes the aforementioned command to fail even with the X environment (`pass` still works).
- Setting `pinentry-program /usr/bin/pinentry-curses` in `gpg-agent.conf`
- Starting gpg-agent like this: `gpg-agent --daemon --keep-tty --use-standard-socket --pinentry-program=/usr/bin/pinentry-curses`
- using an environment variable: `export PINENTRY_USER_DATA="USE_CURSES=1"`
*Background info*
I have a nearly empty .gpg-agent config file; all it has is cache timeouts.
I am calling gpg-agent directly upon login like `eval $(gpg-agent --daemon)`. I am not booting into X so I use getty to log in.
rexroni
(1668 rep)
Dec 13, 2016, 02:03 PM
• Last activity: Sep 18, 2019, 05:25 PM
2
votes
0
answers
86
views
GPG pinentry, how to show requestor
So I have pinentry popping up whenever I fresh boot my desktop environment (i3), asking for my main GPG main key password. I perhaps configured at some point some program to read some pass entry, but I forgot which one and where. And nevertheless, it'd be nice if pinentry would show and tell which program is requesting the main key unlock. Is there any way to do this?
skrat
(265 rep)
May 12, 2019, 06:17 PM
4
votes
0
answers
340
views
Arch/ XFCE - Disable global keyboard grabbing for gcr/ gnome-keyring
I am using gnome-keyring as ssh-agent on my arch/ xfce system.
Since I have multiple ssh-keys, I additionally have a password manager to store their keys.
Adding those ssh-keys to the keyring works without any problems, however, I noticed that the password prompt grabs the keyboard entirely even if the window is not focused. That behavior prevents proper usage of the password manager, so I would like to disable it.
Apparently gnome-keyring uses gcr to create its password prompts.
Is there any way you can change the behavior of gcr globally to only grab the keyboard on focus or alternatively, is there a way to use alternative prompt generators, e.g. pinentry that have options to disable global keyboard grabbing?
tobi
(311 rep)
Apr 15, 2019, 12:43 PM
3
votes
0
answers
889
views
How can I suppress the pinentry dialogue box if there is no gpg password?
I'm using (neo)mutt with GPG. I've set my gpg password to empty, but when I attempt to decrypt an incoming email, mutt still presents a `pinentry` dialogue box. If I just press Enter (with no string), the dialogue box will be dismissed, and the email decrypted as expected.
Given that I have no gpg password, how can I suppress the dialogue box?
The following lines are in my `muttrc`:
```
source /usr/share/doc/mutt/samples/gpg.rc
set pgp_use_gpg_agent = yes
set pgp_sign_as =
```
`/usr/share/doc/mutt/samples/gpg.rc` is available [here](https://github.com/neomutt/neomutt/blob/ee3fefef018eedc267cc7c73915228176bfa86e2/contrib/gpg.rc), but essentially includes the following lines.
```
set pgp_decode_command="gpg --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
set pgp_verify_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - --verify %s %f"
set pgp_decrypt_command="gpg --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
set pgp_sign_command="gpg --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_encrypt_only_command="pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"
set pgp_encrypt_sign_command="pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
set pgp_import_command="gpg --no-verbose --import %f"
set pgp_export_command="gpg --no-verbose --export --armor %r"
set pgp_verify_key_command="gpg --verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-keys %r"
set pgp_list_secring_command="gpg --no-verbose --batch --quiet --with-colons --with-fingerprint --with-fingerprint --list-secret-keys %r"
set pgp_good_sign="^\\[GNUPG:\\] GOODSIG"
set pgp_decryption_okay="^\\[GNUPG:\\] DECRYPTION_OKAY"
```
I'm not sure what else is relevant, but `/home/lee/.gnupg/gpg-agent.conf` contains
```
pinentry-program /usr/bin/pinentry-qt
```
I've also tested the following two commands, but both still present the password box.
```
gpg --export-secret-keys
gpg --export-secret-keys --batch --passphrase ''
```
Sparhawk
(20499 rep)
Jul 18, 2017, 01:37 AM
• Last activity: Dec 18, 2018, 12:39 AM
5
votes
1
answers
3267
views
About pinentry usage along with gpg
Is it mandatory to use pinentry with gpg2?
Why is pinentry better than the legacy prompt?
sebelk
(4669 rep)
Sep 11, 2015, 07:09 PM
• Last activity: May 22, 2018, 10:04 AM
1
votes
1
answers
485
views
how to navigate with pinentry
I was using `gpg --gen-key` till I got to enter the passphrase where I get:
```
┌──────────────────────────────────────────────────────┐
│ Please enter Passphrase, │
│ │
│ Passphrase: ________________________________________ │
│ │
│ │
└──────────────────────────────────────────────────────┘
```
After some digging I found out this came from `gpg-agent` which in turn uses `pinentry`.
All I can do here is enter passphrase (which works fine) and press tab, which makes the blinking cursor disappear. But how do I select ` or in pinentry`?
`gpg` was installed on `osx` via `brew`
When I try `CTL+C` I get: `gpg: signal Interrupt caught ... exiting` but can still continue typing a passphrase.
invad0r
(230 rep)
Jan 23, 2018, 04:09 PM
• Last activity: Jan 23, 2018, 04:23 PM
2
votes
1
answers
1880
views
pinentry not showing in tmux
I'm having some trouble getting `gpg` (actually `pass` which uses `gpg` in the background) to work inside of `tmux` and a Yubikey Neo. When attempting to decrypt a file or sign something using `gpg` I get the following:
```
$ gpg -d test.gpg
gpg: sending command `SCD PKDECRYPT' to agent failed: ec=5.99
gpg: public key decryption failed: general error
gpg: decryption failed: secret key not available
```
This is only inside of `tmux`, if I attempt to run the same command in a normal `zsh` session directly in `gnome-terminal` it just works:
```
gpg -d test.gpg
helloworld
```
`pinentry` will pop up, ask me for the PIN to unlock the Yubikey and proceed to decrypt the file.
I think I narrowed the problem down to `pinentry` not being able to spawn. Setting the log level of the `gpg-agent` I get the following:
```
gpg-agent: DBG: chan_6 GETINFO pid
gpg-agent: DBG: chan_7 SETKEYINFO --clear
gpg-agent: DBG: chan_7 SETDESC Please enter the PIN
gpg-agent: DBG: chan_7 SETPROMPT PIN
gpg-agent: DBG: chan_7 [[Confidential data not shown]]
gpg-agent: DBG: chan_7
gpg-agent: DBG: chan_7 -> BYE
gpg-agent: DBG: chan_6 -> CAN
gpg-agent: DBG: chan_6
gpg-agent: DBG: chan_5 -> ERR 83886179 Operation cancelled
```
Nothing suspicious jumps out at me, except a few `OPTION` statements that apparently aren't handled by `pinentry` but I get the same when calling from `gnome-terminal`.
Setting the `$DISPLAY` variable also doesn't help, the error is identical.
Am I missing something? Is there some other variable I need to set? And why doesn't this fall back to `pinentry-ncurses` if it can't open a graphical one?
cdecker
(125 rep)
Oct 7, 2017, 05:55 PM
• Last activity: Oct 9, 2017, 01:42 PM