gpgagentProject
ActivePublic

Members

  • This project does not have any members.

Recent Activity

Tue, Aug 20

gniibe added a comment to T2011: gnupg should notify cancellation of its operation to gpg-agent to kill pinentry.

It was fixed in GnuPG master by rGc395f8315362: agent: Terminate pinentry process gracefully, by watching socket. and rG374a0775546b: agent: Close a dialog cleanly when gpg/ssh is killed for CONFIRM..
Those will be in GnuPG 2.3.

Tue, Aug 20, 3:32 AM · Bug Report, gpgagent
dkg reopened T2011: gnupg should notify cancellation of its operation to gpg-agent to kill pinentry as "Open".
Tue, Aug 20, 2:44 AM · Bug Report, gpgagent
dkg added a comment to T2011: gnupg should notify cancellation of its operation to gpg-agent to kill pinentry.

This appears to be https://bugs.debian.org/850946 and it does not appear to be fixed to me.

Tue, Aug 20, 2:43 AM · Bug Report, gpgagent

Fri, Aug 2

werner triaged T4661: gpg-agent "getinfo cmd_has_option" is frequently wrong as Low priority.
Fri, Aug 2, 9:51 AM · Documentation, gpgagent

Wed, Jul 31

dkg reopened T4661: gpg-agent "getinfo cmd_has_option" is frequently wrong as "Open".

Please update the documentation for the function in that case.

Wed, Jul 31, 4:49 PM · Documentation, gpgagent
werner closed T4661: gpg-agent "getinfo cmd_has_option" is frequently wrong as Invalid.

No, it was not in mind. I introduced this only for backward compatibility. It will be extended iff we have a need for it.

Wed, Jul 31, 8:51 AM · Documentation, gpgagent

Tue, Jul 30

gniibe added a comment to T4661: gpg-agent "getinfo cmd_has_option" is frequently wrong.

My understanding is: it was introduced by rG370f841a0135: Enhanced last patch. in 2009 to give information to client (for a specific command at that time), possibly in a hope that server side would support the feature for all commands (and client could benefits).

Tue, Jul 30, 8:59 AM · Documentation, gpgagent

Mon, Jul 29

dkg created T4661: gpg-agent "getinfo cmd_has_option" is frequently wrong.
Mon, Jul 29, 8:54 PM · Documentation, gpgagent

Jul 11 2019

gniibe added projects to T4563: gpg-agent fails to sign request: gpgagent, Info Needed.

Which SSH client are you using?

Jul 11 2019, 8:42 AM · Info Needed, gpgagent, Bug Report
gniibe claimed T4587: pinentry-gnome3 grabs input (is system modal) despite`--no-global-grab` or `OPTION no-grab`.

gpg-agent side is fixed to relax the error handling.

Jul 11 2019, 7:57 AM · gpgagent, pinentry

Jul 9 2019

werner closed T4577: extended-key-format test of openpgp/decrypt-unwrap-verify.scm fails on sparc64 and x32 as Resolved.
Jul 9 2019, 3:22 PM · gpgagent, gnupg, Bug Report

Jul 1 2019

werner triaged T4588: gpg-agent should guess pinentry's full path (using $PATH) if `pinentry-program` does not supply a full path as Normal priority.
Jul 1 2019, 9:34 PM · libassuan, gpgagent
werner added a comment to T4588: gpg-agent should guess pinentry's full path (using $PATH) if `pinentry-program` does not supply a full path.

As I said we do this with all GnuPG components. Pinentry is a bit of exception because it is an external package.
I have also had bug reports which later turned out that a wrong pinentry was used; I prefer to know eactly which pinentry is used. Regarding your concrete problem I suggested to add a note with the full name of the pinentry or to change the error message to something better understandable.

Jul 1 2019, 9:34 PM · libassuan, gpgagent
dkg added a comment to T4588: gpg-agent should guess pinentry's full path (using $PATH) if `pinentry-program` does not supply a full path.

So this is a defense against an adversary capable of creating a pinentry-wrapper somewhere in $PATH, but not capable of modifying gpg-agent.conf? It sounds to me like this is a defense against a very unusually-constrained attacker, at the expense of regular, common bug reports and user confusion.

Jul 1 2019, 6:24 PM · libassuan, gpgagent
werner removed a project from T4588: gpg-agent should guess pinentry's full path (using $PATH) if `pinentry-program` does not supply a full path: Bug Report.

GnuPG invokes its components always with their absolute file name. We want to mitigate attacks where malware creates a pinentry wrapper somewhere in an improper set PATH.

Jul 1 2019, 10:02 AM · libassuan, gpgagent
gniibe changed the status of T4577: extended-key-format test of openpgp/decrypt-unwrap-verify.scm fails on sparc64 and x32 from Open to Testing.
Jul 1 2019, 6:14 AM · gpgagent, gnupg, Bug Report
gniibe added a commit to T4577: extended-key-format test of openpgp/decrypt-unwrap-verify.scm fails on sparc64 and x32: rG526714806da4: tools: gpgconf: Killing order is children-first..
Jul 1 2019, 6:14 AM · gpgagent, gnupg, Bug Report
gniibe added a commit to T4577: extended-key-format test of openpgp/decrypt-unwrap-verify.scm fails on sparc64 and x32: rG7c877f942a34: tools: gpgconf: Killing order is children-first..
Jul 1 2019, 6:13 AM · gpgagent, gnupg, Bug Report

Jun 27 2019

dkg created T4588: gpg-agent should guess pinentry's full path (using $PATH) if `pinentry-program` does not supply a full path.
Jun 27 2019, 5:35 PM · libassuan, gpgagent

Jun 25 2019

werner triaged T4580: Update the password checking algorithm as Low priority.
Jun 25 2019, 10:24 AM · gpgagent, Feature Request
dkg added a comment to T4577: extended-key-format test of openpgp/decrypt-unwrap-verify.scm fails on sparc64 and x32.

I'm unlikely to put a windows-specific patch into the debian source, as
i have no good way of testing it, and it wouldn't affect any binary that
we ship.

Jun 25 2019, 2:57 AM · gpgagent, gnupg, Bug Report

Jun 24 2019

gniibe added a comment to T4577: extended-key-format test of openpgp/decrypt-unwrap-verify.scm fails on sparc64 and x32.

@dkg, for your patch, it can be improved for Windows by using its event mechanism. You can see gnupg/scd/scdaemon.c.

Jun 24 2019, 4:00 AM · gpgagent, gnupg, Bug Report
dkg updated subscribers of T4577: extended-key-format test of openpgp/decrypt-unwrap-verify.scm fails on sparc64 and x32.

Hm, T4521 suggests that the two different cases should not be treated differently. If you think that they *should* cause distinct behavior, please do mention it over there!

Jun 24 2019, 2:24 AM · gpgagent, gnupg, Bug Report
gniibe added a comment to T4577: extended-key-format test of openpgp/decrypt-unwrap-verify.scm fails on sparc64 and x32.

There are two different cases: (1) By SIGTERM and (2) By KILLAGENT. It's true that the agent stops accepting on the listening socket for (1), but it's not the case for (2).
This particular problem is for the case (2).

Jun 24 2019, 1:59 AM · gpgagent, gnupg, Bug Report

Jun 21 2019

dkg added a comment to T4577: extended-key-format test of openpgp/decrypt-unwrap-verify.scm fails on sparc64 and x32.

@gniibe, thanks for the diagnosis! I agree that restarting or shutting down the backends should be done in the reverse order as a simple workaround.

Jun 21 2019, 6:24 PM · gpgagent, gnupg, Bug Report
gniibe added a comment to T4577: extended-key-format test of openpgp/decrypt-unwrap-verify.scm fails on sparc64 and x32.

Correct solution is to implement KILLAGENT synchronously, but it's somehow harder to implement.
Easier workaround is modifying gpgconf like:

Jun 21 2019, 3:47 AM · gpgagent, gnupg, Bug Report
gniibe edited projects for T4577: extended-key-format test of openpgp/decrypt-unwrap-verify.scm fails on sparc64 and x32, added: gnupg, gpgagent; removed gnupg (gpg22).

I found a race condition between KILLAGENT command and accepting another request.
Here is a patch to replicate the race condition :

Jun 21 2019, 2:33 AM · gpgagent, gnupg, Bug Report

Jun 4 2019

gniibe closed T2011: gnupg should notify cancellation of its operation to gpg-agent to kill pinentry as Resolved.
Jun 4 2019, 2:38 AM · Bug Report, gpgagent

May 29 2019

ideaantenna updated the task description for T4546: make check error on gnupg-2.2.15 and gpgme-1.13.0.
May 29 2019, 6:55 PM · Not A Bug, gnupg, gpgme, Bug Report
ideaantenna added projects to T4546: make check error on gnupg-2.2.15 and gpgme-1.13.0: gpgme, gnupg.
May 29 2019, 6:52 PM · Not A Bug, gnupg, gpgme, Bug Report
ideaantenna updated the task description for T4546: make check error on gnupg-2.2.15 and gpgme-1.13.0.
May 29 2019, 6:39 PM · Not A Bug, gnupg, gpgme, Bug Report
ideaantenna updated the task description for T4546: make check error on gnupg-2.2.15 and gpgme-1.13.0.
May 29 2019, 6:35 PM · Not A Bug, gnupg, gpgme, Bug Report
ideaantenna created T4546: make check error on gnupg-2.2.15 and gpgme-1.13.0.
May 29 2019, 6:30 PM · Not A Bug, gnupg, gpgme, Bug Report

May 28 2019

maiden_taiwan added a comment to T4542: gpg-agent loses characters when prompting for a GPG passphrase over SSH in Emacs.

I also tried adding this to my gpg-agent.conf file:

May 28 2019, 2:05 PM · Emacs, Documentation, pinentry, Bug Report
maiden_taiwan added a comment to T4542: gpg-agent loses characters when prompting for a GPG passphrase over SSH in Emacs.

Oh, in case it wasn't clear, the idea that another application (GNU emacs) is receiving keystrokes meant for the gpg-agent prompt is probably a security risk....

May 28 2019, 2:01 PM · Emacs, Documentation, pinentry, Bug Report
maiden_taiwan created T4542: gpg-agent loses characters when prompting for a GPG passphrase over SSH in Emacs.
May 28 2019, 2:00 PM · Emacs, Documentation, pinentry, Bug Report

May 27 2019

werner added a commit to T4326: Reloading gpg-agent with disable-scdaemon set does not stop scdaemon.: rG9ccdd59e4e1e: agent: Stop scdaemon after reload when disable_scdaemon..
May 27 2019, 9:24 AM · Bug Report, scd, gpgagent

May 23 2019

gniibe closed T4326: Reloading gpg-agent with disable-scdaemon set does not stop scdaemon. as Resolved.

Simply sending "KILLSCD" is implemented.

May 23 2019, 3:19 AM · Bug Report, scd, gpgagent
gniibe added a commit to T4326: Reloading gpg-agent with disable-scdaemon set does not stop scdaemon.: rG7158a5696dc8: agent: Stop scdaemon after reload when disable_scdaemon..
May 23 2019, 3:18 AM · Bug Report, scd, gpgagent

May 21 2019

werner closed T4502: keys added via gpg-agent's ssh-agent interface are stored in private-keys-v1.d/ with a trailing null byte as Resolved.

Also fixed for 2.2

May 21 2019, 9:16 AM · gpgagent, ssh
werner added a commit to T4502: keys added via gpg-agent's ssh-agent interface are stored in private-keys-v1.d/ with a trailing null byte: rG6e39541f4f48: agent: For SSH key, don't put NUL-byte at the end..
May 21 2019, 9:16 AM · gpgagent, ssh
werner closed T4273: agent: Request insertion of smartcard when no card present as Resolved.

The behaviour related to ssh key access is due to the way ssh works: After a connection has been established to a server ssh presents to to the server all identities (public keys) it has access to (meaning it has a corresponding private key). Thus we can't tell ssh all the keys we have because that would be an information leak and may also take too long. Because the user may in some cases not want to use the ssh-agent but resort to ssh command line input of the passphrase, we do not insist on using a key known by gpg-agent.

May 21 2019, 9:13 AM · Feature Request, Documentation, gpgagent
gniibe added a commit to T4502: keys added via gpg-agent's ssh-agent interface are stored in private-keys-v1.d/ with a trailing null byte: rG479f7bf31ce4: agent: For SSH key, don't put NUL-byte at the end..
May 21 2019, 8:54 AM · gpgagent, ssh
gniibe claimed T4502: keys added via gpg-agent's ssh-agent interface are stored in private-keys-v1.d/ with a trailing null byte.

I located the bug in agent/command-ssh.c.
Our practice is two calls of gcry_sexp_sprint; One to determine the length including last NUL byte, and another to actually fills the buffer.
The first call return +1 for NUL byte.
The second call fills NUL at the end, but returns +0 length (length sans last NUL).

May 21 2019, 8:48 AM · gpgagent, ssh
werner triaged T4522: gpg-agent's EXPORT_KEY command does not tell its pinentry SETKEYINFO , preventing use of external passphrase cache as Low priority.
May 21 2019, 7:45 AM · Feature Request, gpgagent
ctubbsii added a comment to T4522: gpg-agent's EXPORT_KEY command does not tell its pinentry SETKEYINFO , preventing use of external passphrase cache .

I spent a lot of time trying to figure out how to automate the interface between my preferred password store (gnome-keyring, via libsecret), but with the loopback pinentry mode changes in gpg 2.1, it is much harder (if not impossible) to do. Having passphrase caching is the only thing preventing me from choosing a weaker passphrase on my gpg keyring.

May 21 2019, 2:03 AM · Feature Request, gpgagent
ctubbsii added a comment to T4522: gpg-agent's EXPORT_KEY command does not tell its pinentry SETKEYINFO , preventing use of external passphrase cache .

Disallowing passphrase caching is likely to have the unintended consequence of users choosing weaker passphrases that are more easily memorized and/or typed. Caching should be permitted, IMO. This puts more decisions about passphrase management into the control of the user.

May 21 2019, 1:38 AM · Feature Request, gpgagent

May 20 2019

dkg added a comment to T4522: gpg-agent's EXPORT_KEY command does not tell its pinentry SETKEYINFO , preventing use of external passphrase cache .

And yet, that interface is already being used by the agent-transfer utility in monkeysphere. The interface exists, it is not marked in any way as unusable or deprecated or off-limits, so it is used.

May 20 2019, 11:38 PM · Feature Request, gpgagent
werner triaged T4521: gpg-agent behavior on SIGTERM differs from KILLAGENT handling as Normal priority.
May 20 2019, 9:30 AM · Bug Report, gpgagent
werner added a comment to T4522: gpg-agent's EXPORT_KEY command does not tell its pinentry SETKEYINFO , preventing use of external passphrase cache .

That is on purpose. Exporting of a secret key should in theory not be possible at all via gpg. In practice we need a way to export a key, but that should be the exception and thus we do not want any caches for passphrases to have an effect.

May 20 2019, 9:29 AM · Feature Request, gpgagent