Re: Small patch to enable use of gpg-agent with pgg

From: Sascha Wilde
Subject: Re: Small patch to enable use of gpg-agent with pgg
Date: Sun, 26 Mar 2006 20:11:30 +0200
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (gnu/linux)

Simon Josefsson <address@hidden> wrote:
> Sascha Wilde <address@hidden> writes:
>> Here is an example[0] from my own experience:
>> - A user logs in on machine 'A' and starts the gpg-agent.
>> - He leaves the machine, but stays logged in...
>> - Now he uses machine 'B' to log in on machine 'A':
>>   the environment is set up to use the already running gpg-agent
>>   (automatically, in a login script)
>> - He starts Emacs/Gnus and tries to sign, decrypt whatever...
>> - The agent runs and is working, everything seems fine, but the user
>>   isn't queried for the passphrase ... what happened?
>> - The user _is_ actually queried, but the pinentry program is started
>>   on the X11 Display or tty of machine 'A'.
>> I think this is a design problem of the gpg-agent.  And yes, there are
>> several ways to circumvent this problem, but I think it would be very
>> convenient, if I could tell pgg to just ignore any agent and ask for
>> the passphrase.
> This example seems strange.  How would the user's second session get
> the GPG_AGENT_INFO environment variable that points to the gpg-agent
> running in the user's first session?  Without that, I don't think it
> will work as you describe.

You are right, but that is the way things work when you follow the
official gpg-agent documentation:

| [...]  If you don't use an X server, you can also put this into your
| regular startup file `~/.profile' or `.bash_profile'.  It is best
| not to run multiple instances of the `gpg-agent', so you should make
| sure that only one is running: `gpg-agent' uses an environment
| variable to inform clients about the communication parameters. You
| can write the content of this environment variable to a file so that
| you can test for a running agent.  [...]

> I'm not sure I see any disadvantage (except code complexity) with
> Daiki's approach.

Having given it a second thought, I agree.

The problem exists (even in simpler use cases: when you log in on the
text console and start an X server from there, the pinentry will
always appear on the console) but it is only related to gpg-agent
design and the documented use pattern -- so the place where this
problem should be discussed and solved is gnupg development.

I'll write the gnupg developers on this subject.

Sascha Wilde 
- no sig today... sorry!
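As an added example, not part of this thread or of the pgg/gnupg code, here is a small Python check that reproduces the diagnosis above: it parses the GPG_AGENT_INFO value inherited from a login script (assumed historic layout `socket:pid:protocol`), reads the agent's startup environment from /proc (Linux only; the reader is injectable so the logic can be exercised offline), and reports when the agent was started under a different DISPLAY or GPG_TTY than the current session. It assumes, as the scenario above does, that pinentry falls back to the display or tty the agent was started with.

```python
import os
import re

# Historic GPG_AGENT_INFO layout (assumed): "<socket path>:<pid>:<protocol>"
_INFO_RE = re.compile(r"^(?P<sock>.+):(?P<pid>\d+):(?P<proto>\d+)$")

def parse_agent_info(info):
    """Split GPG_AGENT_INFO into (socket, pid, protocol); None if malformed."""
    m = _INFO_RE.match(info or "")
    if m is None:
        return None
    return m.group("sock"), int(m.group("pid")), int(m.group("proto"))

def read_proc_environ(pid):
    """Environment the agent was started with, from /proc/<pid>/environ (Linux)."""
    with open("/proc/%d/environ" % pid, "rb") as fh:
        raw = fh.read()
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, val = entry.split(b"=", 1)
            env[key.decode("utf-8", "replace")] = val.decode("utf-8", "replace")
    return env

def check_agent(info, my_env, proc_environ=read_proc_environ, exists=os.path.exists):
    """Classify the inherited agent: 'no-agent', 'malformed', 'stale-socket',
    'agent-gone', 'ok', or 'mismatch:<VAR>:<agent value>!=<my value>'.

    A mismatch means a passphrase prompt would appear where the agent was
    started (machine 'A' in the thread), not in the session running gpg.
    """
    if not info:
        return "no-agent"
    parsed = parse_agent_info(info)
    if parsed is None:
        return "malformed"
    sock, pid, _proto = parsed
    if not exists(sock):
        return "stale-socket"          # info file from an old login, agent long dead
    try:
        agent_env = proc_environ(pid)
    except OSError:
        return "agent-gone"            # socket left behind but no such process
    for var in ("DISPLAY", "GPG_TTY"):
        theirs, mine = agent_env.get(var), my_env.get(var)
        if theirs != mine:
            return "mismatch:%s:%s!=%s" % (var, theirs, mine)
    return "ok"
```

Calling `check_agent(os.environ.get("GPG_AGENT_INFO"), os.environ)` from a login script lets it warn, or simply not export the stale variable, before Emacs/Gnus ever reaches the agent.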