On 13/07/17 09:29, Ryan Lue wrote:
> 1) I keep my dotfiles synced between multiple machines, and so try my
> best to keep them platform-agnostic when I can. There are definitely
> times when I can use conditionals to get different behavior on
> different machines (like `if [ "$(uname)" = Darwin ]` in `.profile`),
> but I don't even know if it's possible to set up `gpg-agent.conf` to
> use `pinentry-mac` on one machine but `pinentry-gtk` on another.

Note how Debian handles system-wide, system-specific pinentry
alternatives:

/etc/alternatives/pinentry -> /usr/bin/pinentry-gtk-2
/etc/alternatives/pinentry-x11 -> /usr/bin/pinentry-gtk-2
/usr/bin/pinentry -> /etc/alternatives/pinentry
/usr/bin/pinentry-curses
/usr/bin/pinentry-gtk-2
/usr/bin/pinentry-x11 -> /etc/alternatives/pinentry-x11

If you use just "pinentry" or "pinentry-x11", you then use the
alternatives system to select a specific one:

--8<---------------cut here---------------start------------->8---
# update-alternatives --config pinentry
There are 2 choices for the alternative pinentry (providing /usr/bin/pinentry).

  Selection    Path                      Priority   Status
------------------------------------------------------------
* 0            /usr/bin/pinentry-gtk-2    85        auto mode
  1            /usr/bin/pinentry-curses   50        manual mode
  2            /usr/bin/pinentry-gtk-2    85        manual mode

Press enter to keep the current choice[*], or type selection number:
--8<---------------cut here---------------end--------------->8---

It might give you an idea how to do it for you. I suspect it might even
work if you wrap your pinentry in a shell script using
if [ "$(uname)"
but it lacks elegance.

> 2) I chanced upon this presentation from a 2015 conference where the
> presenter describes a setup for being able to ssh into a machine and
> use its private keys locally by forwarding the remote machine's
> gpg-agent socket to a local socket (slides 57–61 of 62):
>
> https://2015.rmll.info/IMG/pdf/an-advanced-introduction-to-gnupg.pdf
>
> and I imagine that just wouldn't work if you had graphical pinentry
> on the remote machine.

You could also use SSH's X forwarding. I haven't tried that, though.

> There were a lot of strong opinions being thrown around that thread. I
> suspect that a lot of people believe that taking an unconventional
> approach to security is tantamount to opposing best practices.

Hmmm, an understandable knee-jerk response. Knees don't always do your
best thinking, though.

HTH,

Peter.
-- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users