The short story: I just installed pinentry-mac and it asks me for my passphrase only once, but then decrypts gpg files without asking for the passphrase.

The long story:

I am running macos and I use gpg and pass as keychain.

I am not sure why this happened, but I updated several packages on my machine and I think that gpg got updated to gpg2. When using pass I now get the following error message:

gpg: error running '/opt/local/bin/gpg-agent': exit status 2
gpg: failed to start gpg-agent '/opt/local/bin/gpg-agent': General error
gpg: can't connect to the gpg-agent: General error
gpg: error running '/opt/local/bin/gpg-agent': exit status 2
gpg: failed to start gpg-agent '/opt/local/bin/gpg-agent': General error
gpg: can't connect to the gpg-agent: General error
gpg: keydb_search failed: No agent running
gpg: error running '/opt/local/bin/gpg-agent': exit status 2
gpg: failed to start gpg-agent '/opt/local/bin/gpg-agent': General error
gpg: can't connect to the gpg-agent: General error
gpg: error running '/opt/local/bin/gpg-agent': exit status 2
gpg: failed to start gpg-agent '/opt/local/bin/gpg-agent': General error
gpg: can't connect to the gpg-agent: General error
gpg: keydb_search failed: No agent running
gpg: public key decryption failed: No secret key
gpg: decryption failed: No secret key

At that time the content of the file gpg-agent.conf was the following:

max-cache-ttl 0
default-key 1234**************************

Following another question I installed pinentry via homebrew:

pinentry-program /usr/local/bin/pinentry-mac

After that, when opening a .gpg file in the terminal, I got a prompt outside of the terminal (which I didn't get before; I think it was Keychain) asking for my passphrase. I did not get the terminal-based prompt that I had before. Thereafter, I was not asked for my passphrase again and could open all the .gpg files without a passphrase.

I then followed the answer of @user3056783 in "pinentry-mac completely disables prompt for GPG passphrase". This worked, but 1. I got the same prompt for the passphrase and the problem reappeared, and this time 2. I could not find the entry for GnuPG in Keychain Access, and I now have to restart my machine so that it "forgets" my passphrase.

That's a huge vulnerability. How can I solve this so that I am asked for my passphrase when opening each gpg file?

1 Answer

Ok. The ugly workaround I found is to kill the gpg agent each time I use it by creating the following alias in my .zshrc:

alias pass="pkill -TERM gpg-agent; pass"

But I would be eager to know how to solve the problem more elegantly than this.
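For comparison with the kill-the-agent alias above, here is an added example (not code from the question or the answer) that makes gpg-agent itself stop caching: it rewrites gpg-agent.conf to set default-cache-ttl and max-cache-ttl to 0, adds no-allow-external-cache so pinentry is told not to store the passphrase in an external cache such as the macOS Keychain, and reloads the running agent. It assumes the gpg-agent options named above and the pinentry-mac preference org.gpgtools.common UseKeychain; unrelated lines such as default-key and pinentry-program are preserved.

```shell
#!/bin/sh
# Added example: make gpg-agent prompt for the passphrase on every use by
# disabling its in-memory cache and pinentry's external (Keychain) cache.

# harden_gpg_agent_conf FILE
# Keeps every unrelated line and replaces or adds the cache directives.
harden_gpg_agent_conf() {
  conf="$1"
  [ -f "$conf" ] || : > "$conf"
  tmp="$conf.tmp.$$"
  # Drop any existing cache directives so the values appended below win.
  grep -Ev '^[[:space:]]*(default-cache-ttl|max-cache-ttl|allow-external-cache|no-allow-external-cache)([[:space:]]|$)' "$conf" > "$tmp" || true
  {
    cat "$tmp"
    echo 'default-cache-ttl 0'      # cache entries expire immediately
    echo 'max-cache-ttl 0'          # hard upper bound, also immediate
    echo 'no-allow-external-cache'  # pinentry must not store passphrases
  } > "$conf"
  rm -f "$tmp"
}

# conf_is_hardened FILE -> exit 0 only when all three settings are present
conf_is_hardened() {
  grep -Eq '^default-cache-ttl 0$' "$1" &&
  grep -Eq '^max-cache-ttl 0$' "$1" &&
  grep -Eq '^no-allow-external-cache$' "$1"
}

# apply_to_running_agent: turn off pinentry-mac's Keychain storage
# (assumed preference key org.gpgtools.common UseKeychain) and reload
# the agent so the new gpg-agent.conf takes effect without a restart.
apply_to_running_agent() {
  if command -v defaults >/dev/null 2>&1; then
    defaults write org.gpgtools.common UseKeychain -bool NO
  fi
  if command -v gpgconf >/dev/null 2>&1; then
    gpgconf --reload gpg-agent
  fi
}

# Typical use on macOS (commented out so the functions can be sourced):
# harden_gpg_agent_conf "$HOME/.gnupg/gpg-agent.conf" && apply_to_running_agent
```

A passphrase already saved in Keychain by an earlier pinentry-mac run has to be deleted there separately; this script only stops new ones from being stored.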
