sending passwords with gpg-agent?

Werner Koch wk at gnupg.org
Mon Jul 21 17:24:03 CEST 2008


On Mon, 21 Jul 2008 12:03, adam at adammil.net said:

> The main problem I have is that the gpg-agent UI sucks. For instance,
> with symmetric decryption, it just says "Enter password", which leaves
> the user wondering "which password??". They'll probably enter their

This is for sure not good.  However there is no other information
available.  Symmetric only encryption is usually only used in unattended
settings and thus there is no need for a pinentry (Use --passphrase-fd).

Please suggest a wording for the prompt used with symmetric encryption.

> Second, there's no obvious way to cache the passwords, so the user would
> think he has to to type them in for every file in a multi-file

Well these are one-off passphrases and it does not make sense to cache
them - use public-key encryption instead.  To allow for passphrase
caching we would need to implement a key management for symmetric
encryption; i.e. to use a random key protected by a passphrase.  This is
quite some work because you need to have all the code to distribute such
protected symmetric passphrases.

> And finally, unit tests for libraries that script GPG behind the scenes
> can't be run automatically. The gpg-agent dialog pops up a hundred times
> during the tests.

Hmmm, gpg2 uses quite some regression tests without any problems.  On my
todo list is a loopback-pinentry which would allow to test the entire
gpg-agent/gpg[sm] passphrase system.  But well, regression tests are a
lot of work and a work most people don't want to pay for and finding
volunteers is even harder.  Yes, there should be far more regression
tests.

> This would be a moot point if there was a GPG library, but the official

There is one:  gpgme.  gpgme even has a lot of regression tests.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
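As an added example (not part of Werner's message or of GnuPG's own code), here is an unattended symmetric round trip in POSIX sh that hands the passphrase to gpg over a file descriptor with --passphrase-fd, as the reply recommends, so no pinentry prompt appears, and that checks a wrong passphrase is rejected. It assumes a `gpg` binary on PATH and uses a throwaway GNUPGHOME; the options --pinentry-mode loopback and --no-symkey-cache are only added when the installed GnuPG lists them in --dump-options.

```shell
#!/bin/sh
# Unattended symmetric encryption without a pinentry: the passphrase is
# read from stdin (--passphrase-fd 0), never passed on the command line
# where other users could see it in the process list.
GPG=${GPG:-gpg}

# Build the option list from what this GnuPG version actually supports
# (assumption: newer gpg needs loopback mode and no symmetric-key cache
# so that the agent cannot silently reuse a cached passphrase).
EXTRA_OPTS=""
if "$GPG" --dump-options 2>/dev/null | grep -q '^--pinentry-mode'; then
    EXTRA_OPTS="--pinentry-mode loopback"
fi
if "$GPG" --dump-options 2>/dev/null | grep -q '^--no-symkey-cache'; then
    EXTRA_OPTS="$EXTRA_OPTS --no-symkey-cache"
fi

# encrypt_symmetric PASSPHRASE PLAINTEXT_FILE CIPHERTEXT_FILE
encrypt_symmetric() {
    printf '%s\n' "$1" | "$GPG" --batch --quiet --yes $EXTRA_OPTS \
        --passphrase-fd 0 --symmetric --output "$3" "$2"
}

# decrypt_symmetric PASSPHRASE CIPHERTEXT_FILE OUTPUT_FILE
decrypt_symmetric() {
    printf '%s\n' "$1" | "$GPG" --batch --quiet --yes $EXTRA_OPTS \
        --passphrase-fd 0 --output "$3" --decrypt "$2"
}

# roundtrip_check: encrypts a constructed sample file in a fresh GNUPGHOME,
# verifies the right passphrase restores it byte for byte and that a wrong
# passphrase fails. Returns 0 only when both checks hold.
roundtrip_check() {
    dir=$(mktemp -d) || return 1
    GNUPGHOME="$dir/home"; export GNUPGHOME
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    printf 'constructed sample plaintext\n' > "$dir/plain.txt"
    rc=1
    if encrypt_symmetric 'correct horse' "$dir/plain.txt" "$dir/plain.gpg" \
       && decrypt_symmetric 'correct horse' "$dir/plain.gpg" "$dir/out.txt" \
       && cmp -s "$dir/plain.txt" "$dir/out.txt" \
       && ! decrypt_symmetric 'wrong one' "$dir/plain.gpg" "$dir/bad.txt" 2>/dev/null
    then
        rc=0
    fi
    # stop any agent gpg auto-launched for this temporary home, then clean up
    command -v gpgconf >/dev/null 2>&1 && gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$dir"
    return $rc
}
```

Run `roundtrip_check && echo ok` to exercise it; the same --passphrase-fd approach removes the dialog pop-ups the original poster saw in automated tests.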
