gnome-keyring Gnome Keyring and gpg

Neal H. Walfield neal at
Thu Apr 9 11:24:42 CEST 2015

Hi Stef,

Thanks for the quick reply.

At Thu, 09 Apr 2015 08:56:09 +0200,
Stef Walter wrote:
> On 08.04.2015 22:37, Neal H. Walfield wrote:
> > Hi,
> > 
> > I'd like to resume the discussion about GnuPG and Gnome Keyring.  I
> > read the thread from last Auguest [1], but I couldn't find much more
> > information.  Stef, could you please tell me exactly what Gnome
> > Keyring needs to do?
> > 
> > As I understand the issue, Gnome Keyring wants to cache the password
> > for the secret key.  It seems to me that the easiest solution is to
> > direct GnuPG to use a special pinentry program that is Gnome Keyring
> > aware.  Basically, gnupg invokes this program when it needs a
> > password.  But, instead of immediately showing a dialog, it first
> > checks whether Gnome Keyring has cached the password.  If not, it uses
> > a Gnome-themed dialog to prompt the user for the password.  If the
> > password is accepted, it can then save it in the Gnome Keyring.  I
> > suspect that this is much simpler than implementing a gpg-agent proxy.
> Indeed. That seems like the best approach.

Just to confirm explicitly: if we use a PIN entry program that
supports saving passwords in GKR, then GKR has no reason to proxy gpg

> There's a GSoC proposal to do work on this over the Summer.

That's good news.

> One thing that seems to be missing is getting a full keyid in the
> pinentry for use when optionally storing the passphrase in
> gnome-keyring. In theory one can "screen scrape" a short keyid this out
> of the prompt message ... but that's pretty fragile.
> So a bit of additional work to have gpg2 pass an Assuan OPTION with the
> keyid or a unique identifier, if that's preferrable. The absence of
> which would indicate that the passphrase does not belong to a stable
> entity (like a key).

I think this should not be a problem.  I've filed a bug requesting
this feature:


More information about the Gnupg-devel mailing list