Is there a way to use pinentry-tty directly in a bash script, e.g. as a more secure replacement for 'read'? I was thinking of something like this:
local pass=$(pinentry-tty);
This allows me to enter several lines, but nothing gets saved to the variable.
The different pinentry implementations cannot easily be called the way you want to use them. They follow a simple protocol, which also gives you several options to configure prompts and print error messages. An example session, with GETPIN being the command issued on STDIN and foo being the passphrase the user entered, returned along with other status messages on STDOUT:
$ pinentry
OK Pleased to meet you
GETPIN
D foo
OK
The full documentation is included in pinentry's source tarball, but also available online.
Here is a full example with pinentry-curses:
# Drive pinentry-curses over its protocol on stdin. The passphrase comes back on
# stdout as a line "D <data>", so keep only that line and strip the "D " prefix
# (matching on a bare "D" would also catch any other status line containing a D).
pass=$(/usr/bin/pinentry-curses --ttyname "$(tty)" --lc-ctype "$LANG" <<EOF | grep '^D ' | sed 's/^D //'
SETTIMEOUT 30
SETPROMPT Please enter your password:
SETOK Yes
SETCANCEL No
GETPIN
BYE
EOF
)
echo "$pass"
The pinentry program uses this protocol. It is a bit like SMTP, if you know that one.
The protocol commands here are:
SETTIMEOUT 30
SETPROMPT Please enter your password:
SETOK Yes
SETCANCEL No
GETPIN
BYE
You need to use the keyword BYE to quit the session.
You can configure it as you want with the other commands explained in the protocol documentation.
The protocol documentation is the output of info pinentry.
i.e.:
sudo apt install -y info
sudo apt install -y pinentry-doc
info pinentry
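Building on the answer above, here is an added example (my own code, not from either answer) of a small wrapper that treats the reply as the protocol it is: a cancelled or timed-out prompt (an ERR line) becomes a failure instead of an empty password, and the D payload is percent-decoded, since pinentry sends '%', CR and LF as %25, %0D and %0A. The function names and the ask_pin usage line are my assumptions; pinentry-curses itself is used exactly as in the answer.

```shell
# Decode Assuan %XX escapes in $1 (pinentry sends '%', CR and LF as %25, %0D, %0A).
pinentry_percent_decode() {
    local s="$1" out= hex oct ch
    while [ "${s#*%}" != "$s" ]; do        # another '%' escape remains
        out="$out${s%%%*}"                 # literal text before it
        s=${s#*%}
        hex=${s%"${s#??}"}                 # the two characters after '%'
        case $hex in
            [0-9A-Fa-f][0-9A-Fa-f]) s=${s#??} ;;
            *) out="$out%"; continue ;;    # malformed escape: keep it literal
        esac
        oct=$(printf '%03o' "0x$hex")      # hex -> octal for a \ddd escape
        ch=$(printf "\\${oct}x"); ch=${ch%x}   # trailing x keeps a decoded newline
        out="$out$ch"
    done
    printf '%s' "$out$s"
}

# Parse pinentry's reply (stdin). Prints the decoded PIN and returns 0 on
# success; returns 1 on an ERR line (cancel, timeout, ...), 2 if no D line came.
pinentry_decode_reply() {
    local line data= seen=0
    while IFS= read -r line; do
        case $line in
            "D "*) data="$data${line#D }"; seen=1 ;;   # D lines may be split
            ERR*)  printf 'pinentry: %s\n' "$line" >&2; return 1 ;;
        esac
    done
    [ "$seen" -eq 1 ] || return 2
    pinentry_percent_decode "$data"
}

# Prompt on the current terminal with the same command list as the answer above.
# The tty is resolved before the pipeline, where stdin is still the terminal.
ask_pin() {
    local term
    term=$(tty) || return 3                  # curses needs a real terminal
    printf '%s\n' "SETTIMEOUT 30" "SETPROMPT $1" "SETOK Yes" "SETCANCEL No" GETPIN BYE |
        pinentry-curses --ttyname "$term" --lc-ctype "$LANG" |
        pinentry_decode_reply
}

# Usage (assumed name): pass=$(ask_pin 'Please enter your password:') || echo 'no password entered' >&2
```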