
gpg should use main key-id when talking to gpg-agent
Closed, Resolved (Public)

Description

If I start gpg-agent, and then sign something, I need to specify the
passphrase (as expected). I can then sign new documents without having
to enter a passphrase again.

If I then try to decrypt something, I need to specify the passphrase
again. In the pinentry I see that I am asked for a different ID. The
main key ID is also included in the dialogue box.

Why does gpgv not use the main key ID when it talks to gpg-agent? Then
I would not have to enter the same passphrase twice.

(This becomes more of a problem when using gpg-preset-passphrase to
pre-load the passphrase. The cache-id of the main key ID is just what
the gpg2 --fingerprint prints out, with the colons removed, but the
cache-id of the subkey used for decryption is not as easy to figure
out. The only way I found was to enable debug in the gpg-agent, and
see it in the logs there.)

I have seen this using gpg 1.4.11, and the problem is still present
on the master branch of the Git repo.

(Note: I wish to work more with the bugtracker. I have a fix for issue
1561, 1526, 1467 (all dups) that I'd like to attach to one of them, so
please grant me the User role.)
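As an added illustration (not part of the report and not GnuPG's own tooling), the script below parses a `--with-colons --fingerprint` key listing and pulls out the identifiers the report talks about: the primary key's fingerprint with separators removed, and every subkey's fingerprint together with whether it carries the encrypt capability, i.e. whether it is the subkey gpg will select for decryption and prompt for separately. The listing embedded here is constructed; the key IDs and fingerprints are not real.

```python
#!/usr/bin/env python3
"""Parse a `gpg --with-colons --fingerprint --list-keys` listing and map
each fingerprint to the primary key or subkey it belongs to."""

# Constructed sample listing: made-up key IDs and fingerprints, one
# sign/certify primary key and one encryption-only subkey.
SAMPLE_LISTING = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1300000000:::u:::scSC::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAAAAAA:
uid:u::::1300000000::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF::Test User <test@example.org>:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1300000000::::::e::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210BBBBBBBB:
"""


def parse_listing(text):
    """Return one dict per key part (pub/sec or sub/ssb), in listing order.

    In colon format the `fpr` record that follows a key record carries that
    record's fingerprint in field 10; the capability letters sit in field 12.
    """
    parts = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sec", "sub", "ssb"):
            parts.append({"type": fields[0], "keyid": fields[4],
                          "caps": fields[11], "fpr": None})
        elif fields[0] == "fpr" and parts and parts[-1]["fpr"] is None:
            parts[-1]["fpr"] = fields[9]
    return parts


def describe_key(text):
    """Primary-key id as the report describes it (fingerprint without any
    separators) plus each subkey's fingerprint and whether gpg would use it
    for decryption (lower-case 'e' = encrypt capability)."""
    parts = parse_listing(text)
    primary = next(p for p in parts if p["type"] in ("pub", "sec"))
    primary_id = primary["fpr"].replace(":", "").replace(" ", "").upper()
    subkeys = [
        {"keyid": p["keyid"], "fpr": p["fpr"], "decrypts": "e" in p["caps"]}
        for p in parts if p["type"] in ("sub", "ssb")
    ]
    return {"primary_id": primary_id, "subkeys": subkeys}


if __name__ == "__main__":
    info = describe_key(SAMPLE_LISTING)
    print("primary key:", info["primary_id"])
    for sk in info["subkeys"]:
        print("subkey", sk["keyid"], sk["fpr"], "(decryption)" if sk["decrypts"] else "")
```

Run against a real listing by piping `gpg --with-colons --fingerprint --list-keys <keyid>` into `describe_key`; the primary id is the value the report says gpg-preset-passphrase accepts for the main key.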

Details

Version
2.1.0-beta293

Event Timeline

lmamane added projects: gnupg, Bug Report.
lmamane added a subscriber: lmamane.

I attach a small shellscript that demonstrates the problem. It must be run in an
environment where no agent is running. This has been tested under Ubuntu Linux.
If prompted for a passphrase, use "abc". Please read the script before running it.

gpg-agent does not know about OpenPGP. Thus the concept of primary and
secondary (sub) keys is also unknown to it. The second reason why this can't be
done is because each key part may have a different passphrase. GPG tries to
make them all the same but it is possible for a user to change that or import
subkeys with different passphrases.

Now, what could be done is to tell gpg-agent to try the passphrase of a
different key before asking the user. This requires a hint mechanism so that
gpg can tell gpg-agent about related keys. We have something similar in the key
creation code. If you would like this, please change the priority to "feature
request". It is possible that such a feature request has already been entered.

[role changed to User]

I was not aware that the subkey can have a different passphrase. That
does indeed complicate things.

I like your idea to tell gpg-agent about related keys. I think that would
solve the problem. (I did look at the existing feature requests but did
not find a duplicate.)

What I implemented now is a simple one-item cache for the last used passphrase.
This works in all standard cases. Trying more keys is not possible because
unprotecting a key introduces a delay to help against dictionary attacks.

werner claimed this task.
werner removed a project: Restricted Project.