Should I mark/announce GNOME as incompatible with gpg2 for now?

Stef Walter stef at thewalter.net
Fri Aug 29 09:40:05 CEST 2014


On 28.08.2014 18:26, Werner Koch wrote:
> On Thu, 28 Aug 2014 17:22, stef at thewalter.net said:
> 
>> Sorry I don't have time to work on this myself in the near future. The
>> gnome-keyring GPG agent stuff was written for GPG 1.4.x ... and the GPG
>> 2 came around which changed (and is still changing) things
>> significantly. Fair enough, but this is hardly as one sided as it might
>> seem.
> 
> Release date 1.9.0: 2003-08-05  the first GnuPG-2 release
>              1.4.0: 2004-12-16
>              1.4.2: 2005-07-26  adds support for the GnuPG-2 agent
>              2.0.0: 2006-11-11  
> 
> Fast forward to 2010:
> 
>   commit 302db3f520c944176be75cb7f491573038d48b6e
>   Author: Stef Walter [...]
>   Date:   Sat May 8 15:49:43 2010 +0000
>   
>       Start work on gpg-agent, incomplete.
>       
>   [...]

Nope. This code was moved from the seahorse repo and implemented here:

commit b7ec4a856758bb74a72161b62e25dce1dc1f8d85
Author: Stefan Walter <stefw at src.gnome.org>
Date:   Thu Oct 14 22:37:12 2004 +0000

    Added seahorse agent (bug# 154201)

>> It seems nobody cares enough about using those GPG 2.x features (which
>> depend on the real gpg-agent) to actually contribute a fix for this. I'd
> 
> I can count the number of mails I answered regarding this problem or
> the hours I spend analyzing bug reports which turned out to be a
> GKR problem.

Yes, perhaps. But when people actually care they contribute. I would
welcome such a contribution from anyone who wants to fix this, and work
with them to get it merged.

As I said, the gnome-keyring gpg-agent does two things:

 * Prompts via gnome-shell prompts.

 * Optionally saves the private key unlock passphrase in the
   gnome-keyring login keyring so it can be used whenever the user
   is logged in.

A replacement would need to have at least those two features.

Some APIs that may be of use:
https://developer.gnome.org/gcr/unstable/GcrSystemPrompt.html
https://developer.gnome.org/libsecret/0.18/

I think doing these things via the pinentry interface like you
suggested, is a decent approach.

The pinentry interface may need a slight modification to tell the
pinentry program how many times it's been called for a given password
... so that the first time it could return a password from the
gnome-keyring login keyring, if present, and then on later invocations
actually do the prompting.

In addition when prompting for a passphrase for a private key, the
pinentry program needs to be told a keyid that can be used as a way to
store/look up the passphrase in the gnome-keyring login keyring.

Does the pinentry interface already accommodate the above? From my basic
understanding of the "Developer" section of 'info pinentry', it seems
that the interface doesn't yet have these capabilities. But I guess
these could be added.

>> This is not about a power trip or outsmarting each other or anything
>> like that. I'm looking for someone to help contribute a fix.
> 
> The fix is on your side:  Remove that gpg-agent thingy.
> 
>> gnome-keyring's gpg agent is only meant for gpg 1.4.x .... and we should
>> probably hard code that in during the build process.
> 
> You shall not mess around with the 1.4 IPC either.  As gniibe
> noted, there is much more to it than just passphrase caching.
> 
>> Fair enough. But why didn't you say something about this conclusion? Did
>> I miss an email or mailing list post about this? If so, could you link
>> to it?
> 
> Well there is a solution now:  That annoying warning dialog.

I understand if that course of action we discussed in Brussels didn't
work out. Fair enough.

But instead of writing a simple email to me or a mailing list ... you've
chosen to spam everyone's screens and log files. If everyone did that as
a first order means of communication we'd have a mess.

:/

Cheers,

Stef
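An added illustration of the pinentry extension sketched in the message above (example code, not from this thread, gnome-keyring or pinentry): a simulated pinentry that is told a key id and an attempt number, answers the first attempt from a stored passphrase when one exists, and otherwise prompts and stores the result. SETKEYINFO is a command later pinentry releases gained; SETATTEMPT, LoginKeyringStub and the prompt callback are hypothetical stand-ins for the protocol change, the login keyring and the gnome-shell prompt.

```python
from typing import Callable, Dict, List, Optional

class LoginKeyringStub:
    """Constructed stand-in for the gnome-keyring login keyring (a dict, not libsecret)."""
    def __init__(self) -> None:
        self._store: Dict[str, str] = {}
    def lookup(self, keyid: str) -> Optional[str]:
        return self._store.get(keyid)
    def store(self, keyid: str, passphrase: str) -> None:
        self._store[keyid] = passphrase
    def clear(self, keyid: str) -> None:
        self._store.pop(keyid, None)

class FakePinentry:
    """Handles a subset of Assuan-style pinentry commands; one instance per agent session."""
    def __init__(self, keyring: LoginKeyringStub, prompt: Callable[[str], Optional[str]]) -> None:
        self.keyring, self.prompt = keyring, prompt
        self.keyid: Optional[str] = None   # set by SETKEYINFO, used as the keyring lookup key
        self.attempt = 1                    # set by the hypothetical SETATTEMPT command
        self.desc = ""

    def handle(self, line: str) -> str:
        cmd, _, arg = line.strip().partition(" ")
        if cmd == "SETKEYINFO":
            self.keyid = arg
            return "OK"
        if cmd == "SETATTEMPT":              # hypothetical: how often the agent asked for this key
            self.attempt = int(arg)
            return "OK"
        if cmd == "SETDESC":
            self.desc = arg
            return "OK"
        if cmd == "GETPIN":
            return self._getpin()
        return "ERR 275 Unknown command"     # Assuan error code for an unknown command

    def _getpin(self) -> str:
        if self.keyid and self.attempt == 1:
            cached = self.keyring.lookup(self.keyid)
            if cached is not None:           # first attempt: serve the stored passphrase, no prompt
                return f"D {cached}\nOK"
        if self.keyid and self.attempt > 1:  # agent rejected the stored value: drop it, then prompt
            self.keyring.clear(self.keyid)
        passphrase = self.prompt(self.desc)
        if passphrase is None:
            return "ERR 83886179 Operation cancelled"
        if self.keyid:                       # optional: remember the freshly typed passphrase
            self.keyring.store(self.keyid, passphrase)
        return f"D {passphrase}\nOK"

def run_session(pinentry: FakePinentry, commands: List[str]) -> List[str]:
    """Feed a command sequence, as gpg-agent would, and collect the responses."""
    return [pinentry.handle(c) for c in commands]
```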