Should I mark/announce GNOME as incompatible with gpg2 for now?

Werner Koch wk at
Thu Aug 28 15:30:23 CEST 2014

On Thu, 28 Aug 2014 12:46, stef at said:

> It seems that you don't want gpg2 used with GNOME 3.x as is (in its
> default configuration).

No, I want you to change the default configuration - I told you that
over lunch during last years FOSDEM.  This mess is going on for many
years now and a lot of people are annoyed.  Fortunately most users of
GnuPG's S/MIME feature are using KDE and not GNOME and thus are not
affected by that hijacking.  With 2.1 OpenPGP users will also be
affected and thus I escalated this issue using the new warning.

> Should I go ahead and announce that gpg2 (version 2.0.23+) is
> incompatible with GNOME and people should USE gnupg 1.4.x with GNOME 3.x

The warning message says it all: GKR is hijacking the IPC between
components of GnuPG - you don't have to mess with that!  Shall I start
to encrypt and authenticate the IPC just to make it harder for GKR to
mess with it - that would be a silly game.

> I know Werner and I discussed solutions to this issue a more than a year
> ago, but obviously neither of us has had enough time to make the changes

I tried to implement what we discussed but came to the conclusion that
this won't work.  You simply can't have two daemons competing about
cached items.  The caching is an integral part of GnuPG and any hacks
around it would only trigger other bugs.

> a. gnupg needs to integrate with GNOME 3 (prompt via gnome-shell, and
>    give the option to save passwords in the keyring) and gnome-keyring

There are no passwords to save.  You do not want to do that by default.
If users figure out a way to do that anyway, they may do that but we
should not make it too easy for them.  Recall that we are talking about
passphrases to protect a private key and not about passphrases used in
any authentication or encryption protocol.

>    implement its features. This would still be "hijacking" ...
>    whatever that means :/

      n 1: robbery of a traveller or vehicle in transit or seizing
           control of a vehicle by the use of force [syn:
           {highjacking}, {hijacking}]

> I'd far prefer option (a) above. Any takers for implementing either one
> of the above?

There is also a

 c) Write a Pinentry using the documented interface between gpg-agent
    and Pinentry and make use of it.  If you don't want any caching,
    well, you may disable caching in gpg-agent.conf.  The Guardian
    Project actually used this custom Pinnetry approach to have a better
    integration with the rest of the Java based Android GUI.  It is
    easy: You already have a running daemon, you only need to write a
    Pinentry connecting to that daemon.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list