gpg-agent doesn't forget passphrase on SIGHUP
Open, Normal, Public


Contrary to what the manpage says, GPG agent doesn't appear to forget
passphrases on SIGHUP.

In the following excerpt, I first check that I have the right PID, and that it's
the only running agent. I sign a random file, send a SIGHUP to the agent, then
sign that file again. Though the passphrase should have been forgotten, no query
is made, and the file is re-signed straight away. My PGP key is on an OpenPGP
smart card (with an SCR335 USB reader), and I'm using Poldi for logins.

shtrom@gloduk:~$ cat .gpg-agent-info
shtrom@gloduk:~$ echo $GPG_AGENT_INFO
shtrom@gloduk:~$ ps ax | grep 5359
5359 ? Ss 0:36 gpg-agent --daemon --write-env-file
--scdaemon-program /usr/bin/scdaemon --use-standard-socket --default-cache-ttl
43200 --enable-ssh-support --default-cache-ttl-ssh 43200
shtrom@gloduk:~$ ps ax | grep gpg-agent
5359 ? Ss 0:36 gpg-agent --daemon --write-env-file
--scdaemon-program /usr/bin/scdaemon --use-standard-socket --default-cache-ttl
43200 --enable-ssh-support --default-cache-ttl-ssh 43200
shtrom@gloduk:~$ gpg -s 2004ronan_ipsec_performance.pdf
shtrom@gloduk:~$ kill -HUP 5359
shtrom@gloduk:~$ gpg -s 2004ronan_ipsec_performance.pdf

I've noticed this problem on both Gentoo and Arch Linux.


shtrom set Version to 2.0.17. May 18 2011, 1:46 PM
shtrom added projects: gnupg, Bug Report.
shtrom added a subscriber: shtrom.
werner added a subscriber: werner.

There is no cache for smartcards; depending on the type of smartcard they
remember their PIN until they are powered down. With the OpenPGP card you may
use the gpg forcesig subcommand to force a PIN entry for each use of the
signature key.

BTW, a much easier way to clear the passphrase is

gpgconf --reload gpg-agent

So, I understand this can't be fixed in software?

This is annoying in my setup. I enjoy the cached PIN, but when my station locks
after a given timeout, and as I do authentication through Poldi and the card
caches the PIN, moving the mouse is all it takes to unlock the machine. Oh well,
I'll try to find a work-around, then (;

However, maybe it would be an interesting feature to add to the specs of a future
iteration of the OpenPGP card: a “forget” command, which could in turn be sent
by the agent on SIGHUP.
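Putting werner's two suggestions together with the screen-lock concern above, here is an added example (not code from the bug report or from GnuPG) of a lock hook: it clears what gpg-agent itself caches with `gpgconf --reload gpg-agent`, then parses `gpg --card-status` to warn when the card's signature PIN is not forced, since that card-side state is what the agent cannot clear. The `Signature PIN ....:` line format and the sample card-status text are assumptions; the sample is constructed, not captured from the reporter's card.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumes GnuPG 2.x tools
# (gpgconf, gpg) are on PATH.

# Clear gpg-agent's own passphrase cache. This is what werner suggests
# instead of SIGHUP, which does not clear it in the reported version.
forget_agent_cache() {
    gpgconf --reload gpg-agent
}

# Given the text of `gpg --card-status`, print the signature PIN policy
# ("forced" or "not forced"). With "not forced" the OpenPGP card keeps
# the PIN verified until power-down, so nothing the agent does re-prompts.
sig_pin_policy() {
    printf '%s\n' "$1" | sed -n 's/^Signature PIN[ .]*: *//p' | head -n 1
}

# Return 0 when the card asks for the PIN on every signature, 1 otherwise.
sig_pin_forced() {
    [ "$(sig_pin_policy "$1")" = "forced" ]
}

# Constructed sample of `gpg --card-status` output (assumed format, zeroed
# application ID). Used only to demonstrate the parser offline.
SAMPLE_CARD_STATUS='Application ID ...: D2760001240102000000000000000000
Version ..........: 2.0
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R'

# Lock hook: reload the agent, then warn if the card would still sign
# without a PIN prompt (the situation shtrom describes with Poldi).
lock_hook() {
    forget_agent_cache
    if ! sig_pin_forced "$(gpg --card-status 2>/dev/null)"; then
        echo "warning: card signature PIN is not forced;" \
             "run 'gpg --card-edit' and toggle 'forcesig'" >&2
    fi
}
```

Call `lock_hook` from whatever triggers on screen lock (for example an xss-lock or xautolock hook); forcing the signature PIN is the only way shown on this page to make the card itself re-prompt.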

werner added a project: poldi.

In this case it is a bug in poldi. Reassigning.

neal assigned this task to gniibe. Nov 6 2015, 2:36 PM
neal added a subscriber: gniibe.