Unchecking “Save in keychain” is not merely a recommendation, it's a MUST for certain workflows.
Explain for what workflows not following this advice breaks pinentry-touchid, how, and why, allowing people to make a more informed choice, instead of just thinking, “why would I disable saving to the keychain?, that's what I want”.
Clarify that “Save in keychain” still saves the entry to the keychain, just not by pinentry-mac, but by pinentry-touchid; more people will adhere to this “recommendation” if they realise it's merely a formality, and they're not actually giving up saving the entry to the Keychain.
With these three changes, I reckon most people will at least manually disable the checkbox every time they create a new entry for a new keypair, which may still result in some people forgetting when they renew their keypairs some years later, but it's better than the status quo.
Also, most people might still defaults write to make that the default, as even if they switch back to pinentry-mac, having to constantly enable that checkbox is better than causing a subtle breakage if they stick with pinentry-touchid that causes them to be unable to decrypt files and thinking their key is broken or something.
Honestly, this is just another reason to switch away from pinentry-mac at this point. It's a dead project, it creates work for the user — having to ensure the presence and right target of a symlink, having to remember this Save in keychain business, etc — and it kinda locks us in to its decisions.
At least a better fix for this particular issue might simply be to save the keypair without the comment, as the ID is still in the title, but that's a bit of a loss, so even better would be to search both with and without the comment before creating a new entry.
This fixes some language in the README.
pinentry-touchid, how, and why, allowing people to make a more informed choice, instead of just thinking, “why would I disable saving to the keychain?, that's what I want”.pinentry-mac, but bypinentry-touchid; more people will adhere to this “recommendation” if they realise it's merely a formality, and they're not actually giving up saving the entry to the Keychain.With these three changes, I reckon most people will at least manually disable the checkbox every time they create a new entry for a new keypair, which may still result in some people forgetting when they renew their keypairs some years later, but it's better than the status quo.
Also, most people might still
defaults writeto make that the default, as even if they switch back topinentry-mac, having to constantly enable that checkbox is better than causing a subtle breakage if they stick withpinentry-touchidthat causes them to be unable to decrypt files and thinking their key is broken or something.Honestly, this is just another reason to switch away from
pinentry-macat this point. It's a dead project, it creates work for the user — having to ensure the presence and right target of a symlink, having to remember this Save in keychain business, etc — and it kinda locks us in to its decisions.At least a better fix for this particular issue might simply be to save the keypair without the comment, as the ID is still in the title, but that's a bit of a loss, so even better would be to search both with and without the comment before creating a new entry.