Thanks a lot for this great project. I just got new YubiKeys and moved my new SSH keys to them using yubikey-agent! While doing this I stumbled across a subtle issue, though:
Right now setup.go uses terminal.ReadPassword while main.go uses github.com/gopasspw/gopass/pkg/pinentry.
The gopass pinentry communication code unfortunately has a subtle bug that replaces all % signs with %25 (see gopasspw/gopass#1621).
Due to this bug and the different implementations it's possible to create a PIN with a % sign during setup which will then be incorrectly read as %25 from pinentry when the agent is running in the background. This will then result in strange "agent refused operation" errors when using ssh.
The unescaping should probably be fixed in gopass/pkg/pinentry but I believe both setup.go and main.go should use the same method to request the PIN for consistency. If they had used the same method the failure would've already occurred during setup (because my PIN would've been > 8 chars) and it would've been a little bit easier to track this down.
If you agree I can create a PR to unify the get pin logic in main.go and setup.go on the weekend.
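The mismatch described in this report, as an added example (not code from yubikey-agent or gopass): pinentry speaks the Assuan protocol, whose `D` data lines percent-escape `%`, CR and LF, so a client has to decode the payload before using it as the PIN. The function names and the sample line are constructed for illustration; the sample shows a 7-character PIN arriving as 9 raw characters when the escape is not reversed.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// unescapeAssuan reverses Assuan percent-escaping (%25 -> '%', %0A -> LF, ...).
// Hypothetical helper name; malformed escapes are rejected rather than passed on.
func unescapeAssuan(s string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] != '%' {
			b.WriteByte(s[i])
			continue
		}
		if i+2 >= len(s) {
			return "", errors.New("truncated percent escape")
		}
		raw, err := hex.DecodeString(s[i+1 : i+3])
		if err != nil {
			return "", errors.New("invalid percent escape")
		}
		b.WriteByte(raw[0])
		i += 2 // skip the two hex digits just consumed
	}
	return b.String(), nil
}

// parseDataLine decodes the payload of a "D <data>" response line.
func parseDataLine(line string) (string, error) {
	if !strings.HasPrefix(line, "D ") {
		return "", errors.New("not a data line")
	}
	return unescapeAssuan(line[2:])
}

func main() {
	line := "D 1234%2567" // constructed sample: the PIN typed was 1234%67
	pin, err := parseDataLine(line)
	fmt.Printf("raw=%q (%d chars) decoded=%q (%d chars) err=%v\n",
		line[2:], len(line[2:]), pin, len(pin), err)
}
```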