[gnome-keyring] Gnome Keyring and gpg
Neal H. Walfield
neal at walfield.org
Thu Apr 9 11:24:42 CEST 2015
Hi Stef,
Thanks for the quick reply.
At Thu, 09 Apr 2015 08:56:09 +0200,
Stef Walter wrote:
>
> On 08.04.2015 22:37, Neal H. Walfield wrote:
> > Hi,
> >
> > I'd like to resume the discussion about GnuPG and Gnome Keyring. I
> > read the thread from last August [1], but I couldn't find much more
> > information. Stef, could you please tell me exactly what Gnome
> > Keyring needs to do?
> >
> > As I understand the issue, Gnome Keyring wants to cache the password
> > for the secret key. It seems to me that the easiest solution is to
> > direct GnuPG to use a special pinentry program that is Gnome Keyring
> > aware. Basically, gnupg invokes this program when it needs a
> > password. But, instead of immediately showing a dialog, it first
> > checks whether Gnome Keyring has cached the password. If not, it uses
> > a Gnome-themed dialog to prompt the user for the password. If the
> > password is accepted, it can then save it in the Gnome Keyring. I
> > suspect that this is much simpler than implementing a gpg-agent proxy.
>
> Indeed. That seems like the best approach.
Just to confirm explicitly: if we use a PIN entry program that
supports saving passwords in GKR, then GKR has no reason to proxy gpg
agent.
> There's a GSoC proposal to do work on this over the Summer.
>
> https://wiki.gnome.org/Outreach/SummerOfCode/2015/Ideas#Confirmed_Ideas
> https://bugzilla.gnome.org/show_bug.cgi?id=742094
That's good news.
> One thing that seems to be missing is getting a full keyid in the
> pinentry for use when optionally storing the passphrase in
> gnome-keyring. In theory one can "screen scrape" a short keyid out
> of the prompt message ... but that's pretty fragile.
>
> So a bit of additional work to have gpg2 pass an Assuan OPTION with the
> keyid or a unique identifier, if that's preferable. The absence of
> which would indicate that the passphrase does not belong to a stable
> entity (like a key).
I think this should not be a problem. I've filed a bug requesting
this feature:
https://bugs.g10code.com/gnupg/issue1945
Neal
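The pinentry design sketched in the thread (answer from the keyring cache when gpg has named a stable key, otherwise prompt and store on success, and never store when no identifier was given), as an added Python example that is not code from GnuPG, Gnome Keyring or the GSoC project. The `OPTION keyid=<id>` spelling, the in-memory dict standing in for Gnome Keyring and the prompt callback are assumptions.

```python
"""Assuan-style pinentry loop that consults a passphrase cache (a stand-in
for Gnome Keyring) before showing any dialog.  Added example, not GnuPG or
Gnome Keyring code; 'OPTION keyid=<id>' is a hypothetical option name."""

def assuan_escape(data: str) -> str:
    # Assuan 'D' lines must percent-escape '%', CR and LF.
    return data.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")

class Pinentry:
    def __init__(self, cache, prompt_fn):
        self.cache = cache          # dict: stable key id -> passphrase (keyring stand-in)
        self.prompt_fn = prompt_fn  # callable(desc) -> passphrase, or None if cancelled
        self.keyid = None           # set only when gpg passes a stable identifier
        self.desc = ""

    def handle(self, line):
        cmd, _, arg = line.strip().partition(" ")
        if cmd == "OPTION":
            name, _, value = arg.partition("=")
            if name == "keyid" and value:   # hypothetical option, see docstring
                self.keyid = value
            return ["OK"]
        if cmd.startswith("SET"):           # SETDESC, SETPROMPT, SETTITLE, ...
            if cmd == "SETDESC":
                self.desc = arg
            return ["OK"]
        if cmd == "GETPIN":
            return self.getpin()
        if cmd == "BYE":
            return ["OK closing connection"]
        return ["ERR 275 Unknown command"]

    def getpin(self):
        # Cache hit: answer without a dialog, but only for a stable key id.
        if self.keyid is not None and self.keyid in self.cache:
            return ["D " + assuan_escape(self.cache[self.keyid]), "OK"]
        pw = self.prompt_fn(self.desc)
        if pw is None:
            return ["ERR 83886179 Operation cancelled"]  # GPG_ERR_CANCELED, pinentry source
        # Store only when gpg named a stable entity; no id means no key to bind it to.
        if self.keyid is not None:
            self.cache[self.keyid] = pw
        return ["D " + assuan_escape(pw), "OK"]

def run_session(lines, cache, prompt_fn):
    """Feed client command lines to one pinentry instance; return its replies."""
    pe = Pinentry(cache, prompt_fn)
    out = ["OK Pleased to meet you"]   # greeting a pinentry sends on start-up
    for line in lines:
        out.extend(pe.handle(line))
    return out
```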
More information about the Gnupg-devel mailing list