Page MenuHome GnuPG

pinentry-mac: PIN not escaped when using quality bar
Open, NormalPublic


pinentry-mac does not escape the PIN in INQUIRE QUALITY messages to the client. It should.

Observed with:

$ pinentry-mac --version
pinentry-mac (pinentry) 1.1.1
Copyright (C) 2016 g10 Code GmbH
License GPLv2+: GNU GPL version 2 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

To reproduce:

  1. Run pinentry-mac.
  2. Enable the quality bar by sending the SETQUALITYBAR message.
  3. Request a PIN by sending the GETPIN message.
  4. Enter a single % character in the PIN prompt.
  5. Observe that pinentry-mac sends "INQUIRE QUALITY %" to the client. It should escape the % and instead send "INQUIRE QUALITY %25".


$ pinentry-mac
OK Pleased to meet you



Event Timeline

We provide lots of different flavors of pinentry, but we do not provide pinentry-mac. You'll have to talk to the people you got pinentry-mac from.

werner triaged this task as Normal priority.Jan 12 2022, 3:23 PM
werner removed a project: MacOS.
werner added a subscriber: werner.

I don't know about pinentry-mac but it seems to be another name for
one our our regular pinentry variants.

The best way to test such thing is:

$ gpg-connect-agent --exec /usr/local/bin/pinentry
> /definq QUALITY foo
> /let foo 1
> setqualitybar
> getpin
ERR 83886179 Operation cancelled <Pinentry>

And you are right, it is not escaped but it should do that because
gpg-agent is unescaping it.

You'll have to talk to the people you got pinentry-mac from.

Sorry, I tried :) I installed pinentry-mac using using the Homebrew formula, which points to as being the source. However, the GPGTools/pinentry repo has issues disabled so I eventually ended up here.