I ran into a strange edge case on macOS Mojave 10.14.6, GnuPG 2.2.17 and Git 2.21.0 (Apple Git-122).
If a YubiKey is used to store private keys and pinentry-curses is used to enter the pin, everything works fine (a pin is prompted for and replaced by asterisks as it is typed) when a git push is initiated from iTerm2 (build 3.3.6).
But if a git push is initiated in Visual Studio Code (version 1.36.1) or Tower (version 2.6.6, build 359), pinentry-curses reveals the pin as it is type (see attachment).
Perhaps I am doing something wrong? Feels like a big deal from an opsec perspective.
How can I fix this?