GnuPG is just not good software

Look, I know that GnuPG means well, but really, does anyone actually tell them that, from a user interface perspective, it's bad?

If all you ever do is use it within a desktop environment, maybe you're okay. But if you don't, heaven help you.

Look at gpg-agent and pinentry. First of all, there are so many versions of pinentry: pinentry-tty, pinentry-curses, pinentry-gtk-2, and others for other toolkits. Turns out they don't even all work the same, which is kind of amazing when you consider what they're supposed to do.

(When trying to use gpg-agent as an ssh-agent, only pinentry-curses worked reliably. pinentry-gtk-2 required some extra thing where I entered the passphrase twice, for example.)

Things are really bad if you access your machine remotely. I run my home server with an X session, but I ssh into it most of the time. gpg-agent and pinentry can't handle that. You have to set GPG_TTY (now there's a hack), but even if you do, it doesn't matter. What matters is the kind of pinentry you use.

I got so tired of this bullshit that I set the time to live (ttl) on the passphrase to last effectively forever. I initially tried setting it to 18446744073709551616 (2^64): that caused gpg-agent to barf on startup. That's fine, because at least it doesn't do what it does when you set it to 4294967296 (2^32), which is accept it but require a passphrase every time you try to decrypt something. If you set it to 4294967295, it seems to last. (That value is 136.192519502 years, so I'm not going to wait it out. As of this writing, I haven't had to enter a passphrase again since I started it up.)
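As an added example that is not part of the post: a small POSIX sh script that writes the gpg-agent.conf for the headless set-up described above (curses pinentry, gpg-agent as ssh-agent, the author's cache ttl) and refuses ttl values at or above 2^32, the range the post found to break caching. The pinentry path, the config location and the function names are assumptions, not anything GnuPG or the post prescribes.

```shell
#!/bin/sh
# Added example, not from the post. Builds a gpg-agent.conf for the ssh / no-display
# workflow the post describes. The 2^32-1 cap is the post's observation, not a
# documented limit; /usr/bin/pinentry-curses is an assumed path.

# 2^32 - 1: the post reports 2^32 is accepted but caching stops working, and
# 2^64 makes gpg-agent fail at startup.
GPG_TTL_MAX=4294967295

# ttl_ok TTL -> 0 if TTL is a non-negative integer <= GPG_TTL_MAX, else 1.
# awk compares as doubles, so a 20-digit value does not overflow shell integers.
ttl_ok() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  awk -v v="$1" -v m="$GPG_TTL_MAX" 'BEGIN { exit !(v + 0 <= m + 0) }'
}

# agent_conf TTL -> prints the gpg-agent.conf contents on stdout.
agent_conf() {
  ttl_ok "$1" || { echo "ttl $1 out of range (0..$GPG_TTL_MAX)" >&2; return 1; }
  cat <<EOF
# pinentry that works over ssh without a display (pinentry-curses, per the post)
pinentry-program /usr/bin/pinentry-curses
# let gpg-agent answer SSH_AUTH_SOCK requests
enable-ssh-support
# passphrase cache lifetimes in seconds; the ssh cache has its own pair
default-cache-ttl $1
max-cache-ttl $1
default-cache-ttl-ssh $1
max-cache-ttl-ssh $1
EOF
}

# install_conf TTL [DIR] -> writes the file and asks a running agent to reload.
install_conf() {
  dir="${2:-$HOME/.gnupg}"
  mkdir -p "$dir" && chmod 700 "$dir"
  agent_conf "$1" > "$dir/gpg-agent.conf"
  if command -v gpg-connect-agent >/dev/null 2>&1; then
    gpg-connect-agent reloadagent /bye
  fi
}

# In an ssh session, run these before using gpg so pinentry can find the
# terminal you are typing on:
#   export GPG_TTY=$(tty)
#   gpg-connect-agent updatestartuptty /bye
if [ $# -gt 0 ]; then install_conf "$1"; fi
```

A passphrase cached with a ttl this large stays in the agent's memory until the agent process exits or is reloaded.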

I really want to replace GnuPG with something else. I'd be happy with symmetric encryption since I only use it for 'pass' and I'm the only one to decrypt anything. There's probably a way I could get this to work by sending commands to gpg-agent, but I no longer care.

-- Geoff (comment@wozniak.ca)
2019-09-09T00:00:00-04:00