
Supplying more than one passphrase or PIN using passphrase-fd
Open, Low, Public

Description

Developing a command line utility to provision PGP master key and subkeys and move subkeys to YubiKey security key.

When one runs the following, I believe one can only supply a single passphrase using passphrase-fd, but one also needs to supply the YubiKey admin PIN.

echo -e "key 1\nkeytocard\n1\nkey 1\nkey 2\nkeytocard\n2\nkey 2\nkey 3\nkeytocard\n3\nsave" | gpg \
  --command-fd 0 \
  --passphrase-fd 3 \
  --pinentry-mode loopback \
  --edit-key 313E4740E10DE4EE \
  3<<<"foo"

The same limitation applies to scripting YubiKey user and admin PIN changes using gpg --change-pin, where one needs to supply the current and the new PIN.

Is there a workaround? If not, supporting the above use cases would be very useful when automating PGP/YubiKey provisioning at enterprise scale.

My goal is to generate the passphrase and PINs randomly and only query the first name, last name and email from the user.

yubikey-prov.sh --first-name "John" --last-name "Doe" --email "johndoe@example.net"

Thanks for helping out!

Details

Version
gpg (GnuPG) 2.3.1

Event Timeline

werner added a subscriber: werner.

You can write your own pinentry script instead of the loopback thing. Then use the envvar PINENTRY_USER_DATA to communicate with the pinentry.

Not related to the PIN thing, but have you looked at gpg-card? It makes scripting easier, and if there is something you need for your use case we can add this.

Thanks for helping out @werner.

Is it possible to temporarily set the pinentry executable using a command line argument when running gpg --edit-key, vs. editing gpg-agent.conf?

Then use the envvar PINENTRY_USER_DATA to communicate with the pinentry.

Promising. Would you happen to know where I can find some boilerplate capable of determining whether a passphrase or the admin PIN is being prompted for?

Reading the above, I assume there is currently no “out-of-the-box” way to supply more than one passphrase or PIN using the command line alone (aside from hacking something together using expect)?
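The custom-pinentry route suggested above, and the question of telling a passphrase prompt from an Admin PIN prompt, worked through as an added example that is not code from this thread or from GnuPG: a minimal Python pinentry that speaks the Assuan commands gpg-agent sends and answers GETPIN from secrets passed in PINENTRY_USER_DATA. The JSON layout of that variable, the secret names passphrase/user_pin/admin_pin, and the keyword matching against gpg-agent's English prompt texts are assumptions of this example, not a documented GnuPG contract.

```python
#!/usr/bin/env python3
import json
import os
import re
import sys
from urllib.parse import unquote

# GPG_ERR_CANCELED (99) from error source PINENTRY (5): what a pinentry replies on Cancel.
ERR_CANCELLED = "ERR 83886179 Operation cancelled <Pinentry>"


def classify_request(desc: str, prompt: str) -> str:
    """Pick the secret from gpg-agent's SETDESC/SETPROMPT text. Matching the English
    prompts "Admin PIN" and "PIN" (anything else is a key passphrase) is an assumption."""
    text = f"{desc} {prompt}".lower()
    if "admin pin" in text:
        return "admin_pin"
    if re.search(r"\bpin\b", text):
        return "user_pin"
    return "passphrase"


def escape_data(value: str) -> str:
    """Assuan data lines must percent-escape '%', CR and LF."""
    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


class Pinentry:
    """Minimal Assuan responder for the commands gpg-agent sends to a pinentry."""
    def __init__(self, secrets: dict):
        self.secrets, self.desc, self.prompt = secrets, "", ""

    def handle(self, line: str) -> list:
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "SETDESC":       # gpg-agent percent-escapes the text (e.g. %0A)
            self.desc = unquote(arg)
        elif cmd == "SETPROMPT":
            self.prompt = unquote(arg)
        elif cmd == "GETPIN":
            secret = self.secrets.get(classify_request(self.desc, self.prompt))
            return ["D " + escape_data(secret), "OK"] if secret is not None else [ERR_CANCELLED]
        elif cmd == "BYE":
            return ["OK closing connection"]
        return ["OK"]  # OPTION, SETKEYINFO, SETTITLE, SETOK, CONFIRM, ... are accepted as-is


if __name__ == "__main__":  # secrets JSON, e.g. {"passphrase": "...", "admin_pin": "..."}
    entry = Pinentry(json.loads(os.environ.get("PINENTRY_USER_DATA", "{}")))
    print("OK Pleased to meet you", flush=True)  # Assuan greeting expected by gpg-agent
    for request in sys.stdin:                    # gpg-agent closes the pipe after BYE
        for reply in entry.handle(request):
            print(reply, flush=True)
```

To use it, point pinentry-program in gpg-agent.conf at the script, reload the agent (gpg-connect-agent reloadagent /bye), run gpg without --pinentry-mode loopback, and export PINENTRY_USER_DATA in gpg's environment, which gpg-agent passes through to the pinentry. Since a process's environment is readable by other processes of the same user, this belongs on a dedicated provisioning host rather than a shared workstation.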