the simple goal here is to be able to invoke pinentry(1) (a part of GNU Privacy Guard) from the command line, passing some of the most likely options as command line flags. the retrieved secret can be returned as output (to stdout) or copied to the system clipboard.
i did this, really, because i don’t particularly like the UI of ssh-askpass(1) (sorry if the link is broken).
pinentry(1) works hard to keep the secret (pin) secure, trying, e.g., to not allow pin to end up on the disk (by keeping it in unpagable memory). cli-pinentry, sadly, doesn’t do all this, and MAY ALLOW A PIN that would otherwise be kept safe to be LEAKED.
possibly, cli-pinentry is as secure as ssh-askpass.
your mileage may vary, and the author of this program makes NO WARRANTIES about the safety and/or security of the program. do NOT use this program for “vital” secrets.
in addition to some “standard” python packages (os, sys, termios), cli-pinentry requires the following python packages:
these can be installed by, e.g., pip(1) or “apt-get install”, depending on your setup.
the pyperclip package itself requires either xclip(1) (preferred) or xsel(1).
cli-pinentry | [-h,–help] | # print help message |
[{-c,–copy}] | # don’t print result, rather copy to clipboard | |
[–desc descriptivetext] | # pinentry’s “SETDESC” command | |
[–prompt prompt] | # pinentry’s “SETPROMPT” command | |
[–ok text] | # pinentry’s “SETOK” command | |
[–cancel text] | # /pinentry’s “SETCANCEL” command | |
[–pinentry “pinentry”] | # which program to use (e.g., “pinentry-curses”) |
to get help:
cli-pinentry -h
to run, using pinentry-curses:
cli-pinentry --pinentry pinentry-curses
cli-pinentry tries to disallow the output being printed on the terminal. but, if you really need to see what you typed in, you can always pipe the output of cli-pinentry through cat(1):
cli-pinentry | cat