GnuPG is just not good software
Look, I know that GnuPG means well, but really, does anyone actually tell them that, from a user interface perspective, it's bad?
If all you ever do is use it within a desktop environment, maybe you're okay. But if you don't, heaven help you.
Look at gpg-agent and pinentry. First of all, there are so many versions of pinentry: pinentry-tty, pinentry-curses, pinentry-gtk-2, and ones for other toolkits. Turns out they don't even all work the same, which is kind of amazing when you consider what they're supposed to do.
(When trying to use gpg-agent as an ssh-agent, only pinentry-curses worked reliably. pinentry-gtk-2 required some extra thing where I entered the passphrase twice, for example.)
Things are really bad if you access your machine remotely. I run my home server with an X session, but I ssh into it most of the time. gpg-agent and pinentry can't handle that. You have to set (now there's a hack), but even if you do, it doesn't matter. What matters is the kind of pinentry you use.
- The tty version will totally mess up your terminal if you quit it. It's a dumpster fire.
- The curses version is better, but if you have to enter a passphrase from the GUI (say, in Emacs), it doesn't work.
- If you add 'allow-emacs-pinentry' to the gpg-agent.conf, it doesn't seem to do anything.
- If you use the GTK one and have to enter a passphrase from an SSH session, it pops up the dialog on the X server display.
- If the curses version kicks in on tmux, you may not know what terminal it shows up on, and the display is probably janky.
I got so tired of this bullshit that I set the time to live (ttl) on the passphrase to last effectively forever. I initially tried setting it to 18446744073709551616 (2^64): that caused gpg-agent to barf on startup. That's fine, because at least it doesn't do what it does when you set it to 4294967296 (2^32), which is accept it but require a passphrase every time you try to decrypt something. If you set it to 4294967295, it seems to last. (That value is 136.192519502 years, so I'm not going to wait it out. As of this writing, I haven't had to enter a passphrase again since I started it up.)
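For anyone who wants to reproduce the "effectively forever" setup, here is the gpg-agent.conf it amounts to, plus the reload. This is an added example, not the post's own config: the option names (default-cache-ttl, max-cache-ttl, their -ssh variants, pinentry-program, allow-emacs-pinentry, enable-ssh-support) are GnuPG's real option names, which the post doesn't spell out; the 4294967295 value is the one the post reports as working; the pinentry path /usr/bin/pinentry-curses and the output path are assumptions.

```shell
#!/bin/sh
# Added example: write a gpg-agent.conf that pins the passphrase cache for as
# long as gpg-agent will take, then reload the running agent so it picks it up.
# Option names are GnuPG's own; the ttl value is the one the post found to work.

# Emit the config to $1 (assumed default: ~/.gnupg/gpg-agent.conf) and print
# how many ttl lines were written, so a caller can sanity-check the result.
write_agent_conf() {
    conf="${1:-$HOME/.gnupg/gpg-agent.conf}"
    # 2^32 - 1. Per the post, 2^32 is accepted but prompts on every decrypt,
    # and 2^64 stops the agent from starting at all.
    ttl=4294967295
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<EOF
# Passphrase cache lifetime in seconds. Both knobs matter: default-cache-ttl
# is refreshed on each use, max-cache-ttl is the hard cap after first entry.
default-cache-ttl $ttl
max-cache-ttl $ttl
# Same pair for keys served over the ssh-agent protocol.
enable-ssh-support
default-cache-ttl-ssh $ttl
max-cache-ttl-ssh $ttl
# Pin the pinentry flavour instead of letting the toolkit pick one
# (path is an assumption; curses is the one that behaved over ssh).
pinentry-program /usr/bin/pinentry-curses
# Lets Emacs supply the passphrase prompt when it is asking.
allow-emacs-pinentry
EOF
    grep -c "$ttl\$" "$conf"
}

# Point the agent at this session's tty and reload its config. Skipped (with
# a non-zero return) when gpg-connect-agent is not installed, so the rest of
# the script can still run on a box without GnuPG.
reload_agent() {
    command -v gpg-connect-agent >/dev/null 2>&1 || {
        echo "gpg-connect-agent not found; config written but not reloaded" >&2
        return 1
    }
    gpg-connect-agent updatestartuptty /bye >/dev/null
    gpg-connect-agent reloadagent /bye
}

# Usage: write the real config and reload.
# write_agent_conf && reload_agent
```

Run it once per login shell if you ssh in from different terminals: the `updatestartuptty` call is what tells the agent which tty the curses pinentry should appear on, which is the part that goes wrong under tmux.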
I really want to replace GnuPG with something else. I'd be happy with symmetric encryption since I only use it for 'pass' and I'm the only one to decrypt anything. There's probably a way I could get this to work by sending commands to gpg-agent, but I no longer care.