0

Recently I started using Neomutt with Luke's mutt-wizard, and therefore I have to set up pass and gpg, which were both new to me. I know how public and private key encryption works, but after playing/reading around for a bit, a few questions arise:

  1. Luke recommends pam_gnupg in the readme of mutt-wizard. If I understand it correctly, it will automatically log you in to your gpg-agent. But how is that even possible if the user password and gpg passphrase don't match?

  2. What does the "password manager" in pinentry do (I think it's pinentry-gtk2)? How long does it save the password and where, etc. (pinentry example)

  3. At best I would love to get rid of the pinentry popup and do the autologin with pam related to question 1 or some other way around, but for now I don't know if I set it up correctly. Is it possible to test gpg-agent?

I am using Arch without any login manager, so after logging in to a tty I run startx.

1 Answer

0

If I understand it correctly, it will automatically log you in to your gpg-agent. But how is that even possible if the user password and gpg passphrase don't match?

It isn't. The module only forwards the exact same password from login to gpg-agent.

What does the "password manager" in pinentry do (I think it's pinentry-gtk2)? How long does it save the password and where, etc. (pinentry example)

It uses libsecret, which almost always means GNOME Keyring (manageable through Seahorse). The storage is permanent and encrypted with your login password (GNOME uses pam_gnome_keyring to automatically unlock it).

gnome-keyring doesn't require other GNOME components. There exist other storage backends for libsecret, but none of them are production ready.

At best I would love to get rid of the pinentry popup and do the autologin with pam related to question 1 or some other way around, but for now I don't know if I set it up correctly. Is it possible to test gpg-agent?

Try signing something using gpg and see whether you get prompted for your passphrase:

echo asdf | gpg --armor --sign
  • It drove me crazy imagining pam_gnupg saves the gpg passphrase somehow in clear text somewhere, but if it just forwards the password, this makes total sense. So I need to set up gnupg with the same password as my login password, right? Commented Jul 16, 2019 at 10:43
  • @braunbearded Correct. Commented Dec 29, 2020 at 8:19
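
A non-interactive complement to the signing test in the answer above, as an added example that is not part of the original posts: it parses the output of `gpg-connect-agent 'keyinfo --list' /bye` to show which keys the agent already holds a passphrase for. The function names and the sample keygrips are constructed, and the field positions assume the KEYINFO status line format of GnuPG 2.x.

```shell
#!/bin/sh
# Added example: report which secret keys gpg-agent currently has a cached
# passphrase for, without triggering a pinentry prompt.

# Constructed sample of `gpg-connect-agent 'keyinfo --list' /bye` output.
# The keygrips are made up. Assumed field order after "S KEYINFO":
#   keygrip type serialno idstr cached protection fpr ttl flags
SAMPLE_KEYINFO='S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - - P - - -
S KEYINFO 3333333333333333333333333333333333333333 D - - - C - - -
OK'

# keyinfo_status: read KEYINFO lines on stdin, print "<keygrip> <state>".
#   cached       passphrase is in the agent cache (cached field is 1)
#   locked       key is passphrase-protected (P) and nothing is cached
#   unprotected  key has no passphrase at all (C)
keyinfo_status() {
    awk '$1 == "S" && $2 == "KEYINFO" {
        if ($7 == "1")      state = "cached"
        else if ($8 == "P") state = "locked"
        else if ($8 == "C") state = "unprotected"
        else                state = "unknown"
        print $3, state
    }'
}

# count_locked: number of protected keys the agent would still prompt for.
count_locked() {
    keyinfo_status | awk '$2 == "locked" { n++ } END { print n + 0 }'
}

# Run on the constructed sample so the script works offline.
printf '%s\n' "$SAMPLE_KEYINFO" | keyinfo_status

# Against the live agent, right after logging in:
#   gpg-connect-agent 'keyinfo --list' /bye | keyinfo_status
```

A key reported as `locked` immediately after login means the passphrase was not handed to the agent, so the next signing or decryption will still raise pinentry.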
