emacs-devel
GnuPG passphrase in Emacs minibuffer


From: Andrew L. Moore
Subject: GnuPG passphrase in Emacs minibuffer
Date: Sun, 21 Aug 2022 00:44:25 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0

To allow a GnuPG passphrase in the Emacs minibuffer, I use the external Emacs package pinentry.el in loopback mode*:

(setq epg-pinentry-mode 'loopback)

Unfortunately, this doesn't work on Debian-based systems without upgrading the pinentry source (use: git://git.gnupg.org/pinentry.git).

But it turns out that pinentry.el may not be required any more. It is enough to add to the file ~/.gnupg/gpg.conf the line:

    pinentry-mode loopback

and to ~/.gnupg/gpg-agent.conf:

    allow-loopback-pinentry

Restart gpg-agent and that's it. The most obvious difference is that pinentry.el provides a more informative prompt, e.g.,

[[1399721]@slewsys.org] Please enter the passphrase to unlock the OpenPGP secret key:
    "Andrew L. Moore <alm@slewsys.org>"
    255-bit EDDSA key, ID 0x0AB16F2E536D3DB5,
    created 2021-11-01.:

versus when GnuPG runs PINEntry in loopback mode:

    Enter passphrase:

Notably, the PINEntry manual warns:

  Having Emacs get the passphrase is convenient, however, it is a
  significant security risk. Emacs is a huge program, which doesn't
  provide any process isolation to speak of. As such, having it handle
  the passphrase adds a huge chunk of code to the user's trusted
  computing base. Because of this concern, Emacs doesn't enable this by
  default...

I'm not sure if one of the methods above is more secure in this regard.

------------------------------------------------------------------------

* The full configuration of pinentry.el is as follows:

In ~/.emacs or other config file, add:

    (require 'pinentry)

    (setq epg-pinentry-mode 'loopback)
    (pinentry-start)

In ~/.gnupg/gpg-agent.conf add:

    allow-loopback-pinentry
    allow-emacs-pinentry

Then restart gpg-agent.
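The two configurations described in the post (plain loopback via gpg.conf, or pinentry.el via allow-emacs-pinentry), applied as a script. This is an added example, not code from the post or from GnuPG; it works on a directory you name rather than ~/.gnupg, the "with_emacs" switch and the function names are my own, and the agent is restarted with gpgconf --kill (a later gpg call autostarts it) rather than by hand. Each directive is appended only if it is not already present, so re-running the script does not duplicate lines.

```shell
#!/bin/sh
# Added example (not from the original post): apply the gpg.conf /
# gpg-agent.conf settings the post describes to a GnuPG home directory,
# then restart the agent. The directory argument and the "with_emacs"
# switch are assumptions made for this example.
set -eu

# Append LINE to FILE only if an identical line is not already there,
# so re-running the script never duplicates directives.
ensure_line() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# configure_loopback DIR [with_emacs]
# DIR plays the role of ~/.gnupg. With a second argument of "with_emacs",
# enable the pinentry.el path (allow-loopback-pinentry plus
# allow-emacs-pinentry in gpg-agent.conf); otherwise use the plain
# loopback setup that needs no pinentry.el (allow-loopback-pinentry in
# gpg-agent.conf and "pinentry-mode loopback" in gpg.conf).
configure_loopback() {
    dir=$1
    mode=${2:-plain}
    mkdir -p "$dir"
    chmod 700 "$dir"          # gpg warns about an unsafe home directory otherwise
    ensure_line "$dir/gpg-agent.conf" "allow-loopback-pinentry"
    if [ "$mode" = "with_emacs" ]; then
        ensure_line "$dir/gpg-agent.conf" "allow-emacs-pinentry"
    else
        ensure_line "$dir/gpg.conf" "pinentry-mode loopback"
    fi
    chmod 600 "$dir"/*.conf   # config files readable by the owner only
}

# count_line LINE FILE: how many times LINE occurs in FILE (0 if missing).
count_line() {
    if [ -f "$2" ]; then
        grep -cxF -- "$1" "$2" || true
    else
        echo 0
    fi
}

# restart_agent DIR: kill the agent for DIR so the next gpg call starts a
# fresh one that reads the new gpg-agent.conf. gpgconf ships with GnuPG.
restart_agent() {
    if command -v gpgconf >/dev/null 2>&1; then
        GNUPGHOME=$1 gpgconf --kill gpg-agent
    else
        echo "gpgconf not found; restart gpg-agent by hand" >&2
    fi
}

# Demonstration on a scratch directory (never touches the real ~/.gnupg).
demo_dir=$(mktemp -d)
configure_loopback "$demo_dir"
cat "$demo_dir/gpg.conf" "$demo_dir/gpg-agent.conf"
rm -rf "$demo_dir"
```

To apply it for real, call configure_loopback "$HOME/.gnupg" (or with_emacs as the second argument) followed by restart_agent "$HOME/.gnupg". Note that "pinentry-mode loopback" in gpg.conf affects every gpg invocation for that home directory, not only the ones started from Emacs.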
