
pinentry-mac: PIN not escaped when using quality bar
Open, Normal, Public

Description

pinentry-mac does not escape the PIN in INQUIRE QUALITY messages to the client. It should.

Observed with:

$ pinentry-mac --version
pinentry-mac (pinentry) 1.1.1
Copyright (C) 2016 g10 Code GmbH
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

To reproduce:

  1. Run pinentry-mac.
  2. Enable the quality bar by sending the SETQUALITYBAR message.
  3. Request a PIN by sending the GETPIN message.
  4. Enter a single % character in the PIN prompt.
  5. Observe that pinentry-mac sends "INQUIRE QUALITY %" to the client. It should escape the % and instead send "INQUIRE QUALITY %25".

Transcript:

$ pinentry-mac
OK Pleased to meet you
SETQUALITYBAR
OK
GETPIN
INQUIRE QUALITY %

Details

Version
1.1.1

Event Timeline

We provide lots of different flavors of pinentry, but we do not provide pinentry-mac. You'll have to talk to the people you got pinentry-mac from.

werner triaged this task as Normal priority. Jan 12 2022, 3:23 PM
werner removed a project: MacOS.
werner added a subscriber: werner.

I don't know about pinentry-mac but it seems to be another name for
one of our regular pinentry variants.

The best way to test such a thing is:

$ gpg-connect-agent --exec /usr/local/bin/pinentry
> /definq QUALITY foo
> /let foo 1
> setqualitybar
OK
> getpin
INQUIRE QUALITY %
ERR 83886179 Operation cancelled <Pinentry>

And you are right, it is not escaped but it should do that because
gpg-agent is unescaping it.

You'll have to talk to the people you got pinentry-mac from.
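As an added illustration of the escaping the description and the comment above call for (example code, not pinentry or GnuPG code): a model of Assuan percent-escaping on the pinentry side and the unescape gpg-agent performs on the other end, showing that the raw form fails once a PIN contains "%" while the escaped form round-trips. The `_MUST_ESCAPE` set and the function names are this example's own.

```python
# Added example, not code from pinentry or gpg-agent: models Assuan
# percent-escaping so the bug in "INQUIRE QUALITY %" can be seen directly.

# Characters that must be percent-escaped in Assuan line data: '%' itself
# (so the encoding stays unambiguous) and CR/LF (which would end the
# protocol line early). This set is this example's own assumption.
_MUST_ESCAPE = {"%", "\r", "\n"}


def assuan_escape(data: str) -> str:
    """Percent-escape a string for transmission inside an Assuan line."""
    return "".join(f"%{ord(c):02X}" if c in _MUST_ESCAPE else c for c in data)


def assuan_unescape(data: str) -> str:
    """Decode %XX sequences the way the receiving side (gpg-agent) does.

    A malformed escape raises ValueError so the caller notices that the
    sender (here: pinentry) did not escape properly.
    """
    out, i = [], 0
    while i < len(data):
        if data[i] != "%":
            out.append(data[i])
            i += 1
            continue
        hexpart = data[i + 1:i + 3]
        if len(hexpart) != 2 or any(h not in "0123456789abcdefABCDEF" for h in hexpart):
            raise ValueError(f"malformed percent-escape at offset {i}")
        out.append(chr(int(hexpart, 16)))
        i += 3
    return "".join(out)


def inquire_quality_line(pin: str, escape: bool = True) -> str:
    """Build the INQUIRE QUALITY line pinentry sends to its client.

    escape=False reproduces the reported (buggy) pinentry-mac behaviour.
    """
    return "INQUIRE QUALITY " + (assuan_escape(pin) if escape else pin)


def pin_seen_by_agent(pin: str, escape: bool = True) -> str:
    """Round-trip: the PIN gpg-agent reconstructs after unescaping the line."""
    line = inquire_quality_line(pin, escape)
    return assuan_unescape(line[len("INQUIRE QUALITY "):])


if __name__ == "__main__":
    print(inquire_quality_line("%", escape=False))  # the buggy line
    print(inquire_quality_line("%"))                # the correct line
```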

Sorry, I tried :) I installed pinentry-mac using the Homebrew formula, which points to https://github.com/GPGTools/pinentry as being the source. However, the GPGTools/pinentry repo has issues disabled so I eventually ended up here.