
This is weird. I am using pass and pinentry-mac to unlock my passwords. My gpg-agent.conf uses pinentry-mac as its pinentry-program.

I'm not sure if I updated some dependency recently, but suddenly decrypting passwords is possible without being asked for the passphrase, which I find a serious problem. This is not a problem with pass: if I use gpg directly to decrypt my encrypted files in a terminal session, it's the same.

If I disable pinentry-mac then it starts working and I'm asked for my passphrase every time. Any idea what the cause could be? I have tried restarting / killing gpg-agent and logging out of my user account (even restarting the machine), but the result is the same.

  • Having exactly the same problem, no idea what's happening, for now switched to terminal-based pinentry.
    – vitvly
    Commented Apr 19, 2021 at 9:03



I asked on the GPG mailing list what's up and got an interesting response:

pinentry-mac has recently been upgraded to a different version which is based on pinentry upstream but with some specific macOS patches. This behavior you are seeing might be related to the "Save in keychain" option being set to "on" by default.

Try opening macOS Keychain Access, search for "GnuPG" and delete the entry if you find one (create a backup if necessary first).

After that, run the following commands in Terminal:

$ defaults write org.gpgtools.pinentry-mac UseKeychain -bool NO
$ killall pinentry-mac gpg-agent

Now try signing / decrypting something and you should be asked for your passphrase.

Basically, I updated pinentry-mac via Homebrew and did not realize this was a new default behaviour; I did not notice that the checkbox for saving the passphrase into the system keychain was turned on by default.

I have raised the issue on the mailing list as I consider this a dangerous default. This is the response:

I’ve filed an issue with the folks at homebrew. In their case I also don’t think it is a good choice especially since the default behavior was different before the update.

So maybe they will fix it, maybe not.

  • Well, I have had the exact same issue. Followed the answer of @user3056783: it worked (many thanks!). But then when I use pass again I get the prompt and have to enter the password, and again I don't get the prompt asking me for the password for the next session: hugely dangerous I think!
    – ecjb
    Commented Jan 15 at 10:31
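The answer above is a manual procedure (check gpg-agent.conf, check the pinentry-mac "UseKeychain" default, apply the fix, re-test). The script below is an added example written for this page, not code from the original post or from the pinentry-mac project: it audits whether pinentry-mac is the configured pinentry and whether the keychain default is still on, and wraps the two `defaults` / `killall` commands from the answer in a function you can run on macOS. The sample gpg-agent.conf it writes is constructed, and the `/opt/homebrew/bin/pinentry-mac` path is an assumption; the treatment of an unset `UseKeychain` key as "on" is an assumption based on the answer's report that keychain saving became the default. Deleting the existing Keychain item is left to Keychain Access, as the answer describes.

```shell
#!/bin/sh
# Added example (not from the original post): audit the pinentry-mac
# "Save in keychain" default that makes gpg stop asking for a passphrase.

# Return 0 if the given gpg-agent.conf names pinentry-mac as pinentry-program.
# Commented-out lines are ignored because the regex is anchored at line start.
uses_pinentry_mac() {
  conf="$1"
  [ -r "$conf" ] || return 1
  grep -E '^[[:space:]]*pinentry-program[[:space:]]+[^[:space:]]*pinentry-mac' \
    "$conf" >/dev/null 2>&1
}

# Interpret the raw output of `defaults read org.gpgtools.pinentry-mac UseKeychain`.
# `defaults read` prints 1/0 for a -bool value; anything else means the key is unset.
keychain_state() {
  case "$1" in
    1|true|YES|yes) echo on ;;
    0|false|NO|no)  echo off ;;
    *)              echo unset ;;
  esac
}

# Verdict for a config file plus a raw UseKeychain value:
#   risky            - pinentry-mac in use and UseKeychain on or unset
#                      (assumption: unset behaves like "on" with the new build)
#   ok               - pinentry-mac in use and UseKeychain explicitly off
#   not-pinentry-mac - some other pinentry is configured
verdict() {
  conf="$1"; raw="$2"
  if uses_pinentry_mac "$conf"; then
    case "$(keychain_state "$raw")" in
      off) echo ok ;;
      *)   echo risky ;;
    esac
  else
    echo not-pinentry-mac
  fi
}

# Live audit of this machine. On a system without `defaults` (i.e. not macOS)
# the key is reported as unset; the config path honours GNUPGHOME like gpg does.
audit_live() {
  conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
  if command -v defaults >/dev/null 2>&1; then
    raw=$(defaults read org.gpgtools.pinentry-mac UseKeychain 2>/dev/null || echo unset)
  else
    raw=unset
  fi
  verdict "$conf" "$raw"
}

# Apply the two commands from the mailing-list reply (macOS only).
# Remove the "GnuPG" item in Keychain Access first, as the answer says.
fix_macos() {
  command -v defaults >/dev/null 2>&1 || { echo "not macOS, nothing to do" >&2; return 1; }
  defaults write org.gpgtools.pinentry-mac UseKeychain -bool NO
  killall pinentry-mac gpg-agent 2>/dev/null || true
}

# Stand-alone demo on a constructed gpg-agent.conf (path is an assumption).
sample=$(mktemp)
printf 'pinentry-program /opt/homebrew/bin/pinentry-mac\n' > "$sample"
echo "sample config, UseKeychain=1:     $(verdict "$sample" 1)"
echo "sample config, UseKeychain unset: $(verdict "$sample" unset)"
echo "sample config, UseKeychain=0:     $(verdict "$sample" 0)"
rm -f "$sample"
echo "this machine: $(audit_live)"
```

Run it after applying the fix; "ok" means pinentry-mac is configured and the keychain default is explicitly off. If it still reports "risky" after `defaults write`, the key was written to a different domain than the one pinentry-mac reads, which is worth checking before assuming the agent is prompting for the right reason.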

