
Re: Documenting gpg-agent

From: Ken Manheimer
Subject: Re: Documenting gpg-agent
Date: Thu, 15 Feb 2007 11:33:47 -0500

i believe the patch/issue discussed below has slipped between the
cracks.  pgg-gpg-process-region still disregards a passed-in
passphrase, so that the gpg-agent prompts the user despite it having
been explicitly passed in as a parameter.

i can verify that the patch daiki ueno proposes in the discussion
settles the problem for me.  this being a security-related routine, it
would be nice to know that the "right" eyes, and not just "many eyes",
have evaluated it - and everyone waiting for someone else to be the
right eyes may be why it has languished...

i currently have a provision in allout to disable use of gpg-agent
within the critical region where this bug occurs, but it would be
better to correct pgg-gpg-process-region, and remove the workaround
from allout.  is there a way to get the change evaluated sufficiently?

On 12/25/06, Daiki Ueno <address@hidden> wrote:
>>>>> In <address@hidden>
>>>>>   Richard Stallman <address@hidden> wrote:
>     Since allout exploits the use of PGG's passphrase handling functions to
>     provide a custom passphrase handling, it's not a bug in PGG or gpg-agent,
>     I think.

> I am not convinced of that.  He says that PGG was ignoring the
> passphrases that allout passes in.  Why isn't that a bug?

I'm sorry that I misunderstood his explanation and the current
gpg-agent support of PGG.  I just looked at the code and found it
actually has a bug.  PGG checks whether to use a given passphrase or
gpg-agent two times; the first time a given passphrase wins, but the
second time gpg-agent wins.  Here is a tiny patch to fix this.

Sascha, can you check this?

Index: lisp/pgg-gpg.el
RCS file: /sources/emacs/emacs/lisp/pgg-gpg.el,v
retrieving revision 1.19
diff -c -r1.19 pgg-gpg.el
*** lisp/pgg-gpg.el     17 Dec 2006 23:18:36 -0000      1.19
--- lisp/pgg-gpg.el     26 Dec 2006 01:00:29 -0000
*** 61,67 ****
    "GnuPG ID of your default identity.")

  (defun pgg-gpg-process-region (start end passphrase program args)
!   (let* ((use-agent (pgg-gpg-use-agent-p))
         (output-file-name (pgg-make-temp-file "pgg-output"))
          `("--status-fd" "2"
--- 61,67 ----
    "GnuPG ID of your default identity.")

  (defun pgg-gpg-process-region (start end passphrase program args)
!   (let* ((use-agent (and (null passphrase) (pgg-gpg-use-agent-p)))
         (output-file-name (pgg-make-temp-file "pgg-output"))
          `("--status-fd" "2"
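Review bot: the new binding `(use-agent (and (null passphrase) (pgg-gpg-use-agent-p)))` only fixes the second check if that check reads the `use-agent` variable rather than calling `(pgg-gpg-use-agent-p)` again; the hunk shows just the `let*` header, so please confirm the later branch keyed on `use-agent` is the one the message describes as letting gpg-agent win, otherwise the passphrase will still be ignored there. Note also that `(null passphrase)` treats an empty string `""` as a supplied passphrase and disables the agent for it, which is probably fine but worth stating in a docstring for `pgg-gpg-process-region`, since the function currently has none and the precedence rule (explicit passphrase beats gpg-agent) is exactly the behaviour callers like allout depend on.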

Daiki Ueno
