by maxtaco 4466 days ago
There's one instance in which we prompt for your PGP password directly, since gpg doesn't give us command line access to the needed feature: that's adding the username <you@keybase.io> to your public key if it's not already there. Aside from that, we never need your PGP password and just rely on gpg to prompt for it when needed. If you're seeing other prompts, it could be a bug, please let us know!
2 comments

The point is that in a terminal window I have no idea what comes from the keybase binary vs. the gnupg binary it calls out to. You could throw up a convincing looking prompt, steal my passphrase (optionally crashing or passing it on to the real binary to delay suspicion), and then send the key and the passphrase back to your servers.

Realistically, I'm not going to validate the keybase binary, npm, etc. every time I update the app. (and even if I am, many users won't). And a "user of interest" could be given a "special" binary pretty easily.

Agreed. We wish there was a practical solution to this problem, but at some point, it's turtles all the way down.
If your binary output a text file or whatever with commands for GPG, which I could then execute and put back into keybase, that would solve the problem.

I agree, usability nightmare, but it would be a nice paranoid option.

Hmm, interesting idea. In general, there is only one sensitive operation per keybase invocation (though many signature verifications that use only public keys), so this is doable but cumbersome.
If you care about this, then use an agent (e.g. gpg-agent). With this general mechanism, you can arrange your own system, including something out-of-band if you wish.
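The out-of-band scheme proposed above (the tool writes what it needs signed plus the command to run, the user runs gpg themselves, the tool reads the signature back and checks it with the public key only) and the agent suggestion both come down to the same boundary: the untrusted binary never touches the secret key or the passphrase. The script below is an added example, not Keybase's code and not anything the thread's participants posted. It assumes a gpg 2.x binary on PATH, a throwaway key generated without a passphrase into a temporary GNUPGHOME so it runs unattended, and invented file and function names (oob_demo, request.txt, sign.sh). Where the user's real key is passphrase-protected, the signing step goes through the user's own gpg-agent, exactly as the comment above suggests, and still never through the tool.

```shell
#!/bin/sh
# Out-of-band signing round trip: an added example, not Keybase's code.
#
# Two roles share nothing but files on disk:
#   tool : stands in for the keybase binary. It writes the data it needs signed
#          (and a one-line script saying what to run), then reads the signature
#          back. It never runs gpg with a secret key and never sees a passphrase.
#   user : runs gpg by hand (through their own gpg/gpg-agent) on the tool's request.
#
# Assumptions (hypothetical): gpg 2.x on PATH; a throwaway key generated into a
# temporary GNUPGHOME with no passphrase so the demo runs offline and unattended.
# All file and function names below are invented for the demo.

oob_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }

    work=$(mktemp -d) || return 2
    user_home="$work/user-gnupg"   # user's keyring: holds the secret key
    tool_home="$work/tool-gnupg"   # tool's keyring: public key only
    mkdir -m 700 "$user_home" "$tool_home" || { rm -rf "$work"; return 2; }

    # -- user side: throwaway key. %no-protection = no passphrase (demo only).
    cat > "$work/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: demo
Name-Email: you@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --homedir "$user_home" --batch --no-tty --quiet --gen-key "$work/keyparams" \
        >/dev/null 2>&1 || { rm -rf "$work"; return 2; }

    # -- tool side: the request. Only public data leaves the tool, plus the
    #    exact command the user should run. The user reads sign.sh before
    #    running it: a script the user will not read hands gpg back to the tool.
    printf 'keybase-style statement: bind public key to you@example.invalid\n' \
        > "$work/request.txt"
    cat > "$work/sign.sh" <<EOF
gpg --homedir "$user_home" --batch --no-tty --yes --armor --detach-sign \\
    --output "$work/request.sig" "$work/request.txt"
EOF

    # -- user side: inspect, then run the one gpg command. This is the only
    #    place the secret key (and gpg-agent, if a passphrase were set) is touched.
    sh "$work/sign.sh" 2>/dev/null || { rm -rf "$work"; return 2; }

    # -- tool side: import just the public key and verify the detached signature.
    gpg --homedir "$user_home" --batch --armor --export you@example.invalid 2>/dev/null \
        | gpg --homedir "$tool_home" --batch --no-tty --quiet --import 2>/dev/null
    if gpg --homedir "$tool_home" --batch --no-tty --verify \
            "$work/request.sig" "$work/request.txt" 2>/dev/null; then
        verified=1
    else
        verified=0
    fi

    # -- tool side: a modified statement must not verify against the old signature.
    printf 'extra line appended by an attacker\n' >> "$work/request.txt"
    if gpg --homedir "$tool_home" --batch --no-tty --verify \
            "$work/request.sig" "$work/request.txt" 2>/dev/null; then
        tampered_ok=1
    else
        tampered_ok=0
    fi

    # -- sanity check on the trust boundary: the tool's keyring has no secret key.
    if gpg --homedir "$tool_home" --batch --with-colons --list-secret-keys 2>/dev/null \
            | grep -q '^sec:'; then
        leaked=1
    else
        leaked=0
    fi

    rm -rf "$work"
    [ "$verified" -eq 1 ] && [ "$tampered_ok" -eq 0 ] && [ "$leaked" -eq 0 ]
}

oob_demo && echo "out-of-band signing round trip OK"
```

The caveat the thread itself raises still applies: the user has to read sign.sh before running it, because a command file the tool writes is only safer than a prompt the tool draws if the user can tell at a glance that it signs and does not export. Keeping the request to one short gpg invocation per operation, as the reply above notes is possible, is what makes that inspection realistic.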
I'm three days late, but I'm interested in Keybase and wondering if I could bum an invite from you.