Unsafe configuration of the pinentry program
Marius Spix
marius.spix at web.de
Tue Dec 30 14:55:00 CET 2025
Dear GnuPG devs,
I wanted to point out a potential security concern about gpg-agent.
I noted that an application with write access to a user's home
directory can easily compromise gpg-agent by overriding the key
pinentry-program in ~/.gnupg/gpg-agent.conf
This is a potential security risk, as it allows replacing the pinentry
plugin with a malicious version, which can be used to steal passwords.
I am not aware whether this vulnerability has ever been
exploited, but it would be trivial to do so. Therefore, I wonder why no
hardening mechanisms are used here.
In my opinion there should be additional checks, e.g. a restriction of
allowed pinentry paths (e.g. only /usr/bin and /usr/local/bin),
ownership checks (e.g. only allow binaries owned by root) or
warnings when a non-standard pinentry-program setting is used. What do
you think?
Thank you very much for your time and for maintaining GnuPG.
Best regards,
Marius Spix
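The checks the mail proposes (trusted directories, root ownership, a warning on anything else), written out as a small audit of a gpg-agent.conf text. This is an added example, not code from the mail's author or from GnuPG; the trusted directory list mirrors the /usr/bin and /usr/local/bin suggestion above and is an assumption, the two configuration files are constructed samples, and file metadata is injected through stat_fn so the audit runs offline against made-up ownership and mode bits.

```python
import os
import stat

# Directories trusted for pinentry binaries. Assumption for this example,
# taken from the suggestion in the mail; adjust to the distribution's layout.
TRUSTED_DIRS = ("/usr/bin", "/usr/local/bin")

# Constructed sample configurations (not taken from a real system).
SAFE_CONF = """# ~/.gnupg/gpg-agent.conf (constructed example)
default-cache-ttl 600
pinentry-program /usr/bin/pinentry-curses
"""

HIJACKED_CONF = """# constructed: a writer to $HOME appended a user-owned pinentry
default-cache-ttl 600
pinentry-program /home/alice/.local/bin/pinentry
"""


def parse_pinentry_program(conf_text):
    """Return the value of the pinentry-program option, or None if unset.

    gpg-agent.conf is one option per line; '#' starts a comment and the
    option name is separated from its value by whitespace. This checker
    takes the last occurrence when the option appears more than once.
    """
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] == "pinentry-program" and len(parts) == 2:
            value = parts[1].strip()
    return value


def check_pinentry_path(path, stat_fn=os.stat):
    """Apply the proposed hardening checks to one configured path.

    Returns a list of findings; an empty list means the path passes.
    stat_fn is injectable so the checks can run on constructed metadata.
    """
    findings = []
    if not os.path.isabs(path):
        findings.append(f"{path!r} is not an absolute path")
        return findings
    # normpath defeats '..' tricks such as /usr/bin/../../home/alice/bin/x.
    # Symlinks are deliberately not followed: a link inside a trusted
    # directory is accepted on the strength of that directory's permissions.
    resolved = os.path.normpath(path)
    if os.path.dirname(resolved) not in TRUSTED_DIRS:
        findings.append(f"{resolved!r} is outside trusted dirs {TRUSTED_DIRS}")
    try:
        st = stat_fn(resolved)
    except OSError as exc:
        findings.append(f"cannot stat {resolved!r}: {exc}")
        return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{resolved!r} is not a regular file")
    if st.st_uid != 0:
        findings.append(f"{resolved!r} is not owned by root (uid {st.st_uid})")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{resolved!r} is group- or world-writable")
    return findings


def audit_conf(conf_text, stat_fn=os.stat):
    """Parse a gpg-agent.conf text and check its pinentry-program setting.

    Returns (path, findings). An unset option yields (None, []) since there
    is no user-supplied path to inspect.
    """
    path = parse_pinentry_program(conf_text)
    if path is None:
        return None, []
    return path, check_pinentry_path(path, stat_fn)


def fake_stat(uid, mode):
    """Build a stat-like result from constructed values for offline runs."""
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


if __name__ == "__main__":
    # Constructed metadata: a root-owned 0755 binary versus a user-owned one.
    for name, conf, st in (
        ("safe", SAFE_CONF, fake_stat(0, stat.S_IFREG | 0o755)),
        ("hijacked", HIJACKED_CONF, fake_stat(1000, stat.S_IFREG | 0o755)),
    ):
        path, findings = audit_conf(conf, stat_fn=lambda _p, st=st: st)
        print(name, path, findings or "OK")
```

Against a real home directory, drop the stat_fn argument and pass the contents of ~/.gnupg/gpg-agent.conf; the hijacked sample produces two findings (path outside the trusted directories, file not owned by root), which is the condition a warning in gpg-agent would key on.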