From 1ea35ffe165c181c3f86d39ef6da35370e0092f5 Mon Sep 17 00:00:00 2001
From: Daniel Gonzalez Gasull <gasull@users.noreply.github.com>
Date: Fri, 9 Nov 2018 13:16:47 +0800
Subject: [PATCH] Update split-gpg.md

Sorry for proposing this change, since it evens puts into question the existence of the page and even Split GPG.  Maybe I should also submit a bug to https://github.com/QubesOS/qubes-issues .  I just followed the [contribution suggestions](https://www.qubes-os.org/doc/doc-guidelines/#contribution-suggestions).
---
 security/split-gpg.md | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/security/split-gpg.md b/security/split-gpg.md
index cba62a39..5497551b 100644
--- a/security/split-gpg.md
+++ b/security/split-gpg.md
@@ -74,14 +74,18 @@ signed before the operation gets approved. Perhaps the GPG backend domain
 could start a Disposable VM and have the to-be-signed document displayed
 there? To Be Determined.
 
-- The Split GPG client will fail to sign or encrypt if the private key in the
-GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl
-for device"* error. Avoid setting passphrases for the private keys in the GPG
-backend domain, it won't provide extra security anyway, as explained before. If
-you have a private key that already has a passphrase set use
-`gpg2 --edit-key {key_id}`, then `passwd` to set an empty passphrase. Be aware
-that `pinentry-ncurses` doesn't allow setting empty passphrases, so you would need
-to install `pinentry-gtk` for it to work.
+- **Split GPG is unusable due to the following problem**:
+The Split GPG client will fail to sign or encrypt if the private key in the 
+GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl 
+for device"* error. Avoid setting passphrases for the private keys in the GPG 
+backend domain, it won't provide extra security anyway, as explained before. 
+Unfortunately you can set empty passphrases no matter what `pinentry-*` package 
+you are using.  If you are generating a new key pair, or if you have a private 
+key that already has a passphrase and use 
+`gpg2 --edit-key {key_id}`, then `passwd`, then pinentry won't allow setting an 
+empty passphrase.  This is true for any pinentry packages like `pinentry-ncurses` 
+and `pinentry-gtk` in Fedora, and for `pinentry-curses`, `pinentry-gtk2` and 
+`pinentry-gnome` in Debian.
 
 ## Configuring Split GPG ##