--export-options export-reset-subkey-passwd in gpg 2.1.x (compat. with ssh-agent)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Oct 9 01:31:10 CEST 2014


Hi GnuPG folks--

doc/gpg.texi contains:

  @c Since GnuPG 2.1 gpg-agent manages the secret key and thus the
  @c export-reset-subkey-passwd hack is not anymore justified.  Such use
  @c cases need to be implemented using a specialized secret key export
  @c tool.
@ifclear gpgtwoone
  @item export-reset-subkey-passwd
  When using the @option{--export-secret-subkeys} command, this option resets
  the passphrases for all exported subkeys to empty. This is useful
  when the exported subkey is to be used on an unattended machine where
  a passphrase doesn't necessarily make sense. Defaults to no.
@end ifclear


It's not clear to me what the "specialized secret key export tool" is --
does this tool exist or is it hypothetical at the moment?

The Monkeysphere project has been using export-reset-subkey-passwd to
hand off the specific subkey to OpenSSH's ssh-agent during "monkeysphere
subkey-to-ssh-agent".  Switching to gpg 2.1 means breaking that current
behavior.

I know that gpg-agent offers roughly similar functionality to
ssh-agent, but the semantics of ssh-add between talking to gpg-agent and
talking to OpenSSH's ssh-agent are quite different, enough that some
people (myself included) currently prefer the ssh-agent semantics.

For example, OpenSSH's ssh-agent supports several options to ssh-add
that GnuPG's agent implementation does not:

  -c (require confirmation -- gpg-agent accepts but does not honor this flag)
  -d (delete key -- gpg-agent accepts but does not honor this flag)
  -D (delete all keys -- gpg-agent rejects this flag with an error)
  -t N (limit key lifetime to N seconds -- gpg-agent accepts but does not honor this flag)
  -x (lock agent with password -- gpg-agent accepts but does not honor this flag)

So, are there pointers for the secret subkey export tool?  Or is there
another way that I can get this key material into another ssh-agent
implementation cleanly with GnuPG 2.1?  I'd really like to switch to
2.1.x for all my gpg-specific workflows, but this part is blocking me.

Regards,

     --dkg