This series of commits adds support for detecting why TouchID authentication fails, as well as falling back to using pinentry-mac if the user selects the "Use Password..." option in the TouchID authentication prompt. If the user cancels the authentication, an empty password will be returned.
An important note to mention as part of this:
If pinentry-mac saved a passphrase in the keychain and the user chooses to use the "Use Password" fallback, pinentry-mac will read the passphrase from the keychain. If pinentry-mac was given the "Always allow" option, this means that it returns the passphrase without prompting the user for any kind of password—which is a trivial way to bypass authentication entirely.
While I would argue that problem is more of a user-configuration problem than a problem with pinentry-touchid (since anyone with shell access could just replace the pinentry-program line in gpg-agent.conf with pinentry-mac to achieve the same thing), it's probably something worth mentioning regardless.