gnome keyring & gpg agent

Neal H. Walfield neal at
Fri Jun 5 04:09:28 CEST 2015

Hi Daniel,

At Thu, 04 Jun 2015 21:39:21 -0400,
Daniel Kahn Gillmor wrote:
> On Thu 2015-05-14 14:34:40 -0400, Neal H. Walfield wrote:
> > Is it possible to fix this issue in Debian Stable (e.g., in the next
> > point release)?
> This is a lot of change to push into a stable point release, so i'm not
> sure that it'll happen.  The first step would be to make sure that it's
> all resolved in unstable, and then we can look into what parts are
> possible for stable.


> > So far, I've identified these requirements:
> >
> >   - Adding a new pinentry-gnome3 package with the yet-to-be-released
> >     pinentry with Gnome3 support.
> This is done in debian unstable, with pinentry 0.9.3.  yay!

great :).

> >   - An update to GPG with the relatively small change.
> I'm not sure exactly which change to gpg this is intended to be.  do you
> have a suggestion?

The main change in 2.0.28: dde8ddffd37c9ef96cae2e2b1317d1dee607fc0b
(plus the minor fix in ef0741ac54c63b9b744de9dec86e82c530f9543a).

commit dde8ddffd37c9ef96cae2e2b1317d1dee607fc0b
Author: Neal H. Walfield <neal at>
Date:   Tue May 19 13:53:43 2015 +0200

    agent: Backport changes from 2.1 to support an external password manager.
    * agent/agent.h (agent_askpin): Add arguments keyinfo and cache_mode.
    Update callers.
    (agent_get_passphrase): Likewise.
    (agent_clear_passphrase): New function.
    (opt): Add field allow_external_cache.
    * agent/call-pinentry.c (start_pinentry): Send "OPTION
    allow-external-password-cache" to the pinentry.
    (pinentry_status_cb): New function.
    (agent_askpin): Add arguments keyinfo and cache_mode.  If KEYINFO and
    CACHE_MODE describe a cachable key, then send SETKEYINFO to the
    pinentry.  Pass PINENTRY_STATUS_CB to the "GETPIN" invocation.  If the
    passphrase was incorrect and PINENTRY_STATUS_PASSWORD_FROM_CACHE is
    set, decrement PININFO->FAILED_TRIES.
    (agent_get_passphrase): Add arguments keyinfo and cache_mode.  If
    KEYINFO and CACHE_MODE describe a cachable key, then send SETKEYINFO
    to the pinentry.
    (agent_clear_passphrase): New function.
    * agent/call-pinentry.c (start_pinentry): Act upon new var,
    * agent/command.c (cmd_clear_passphrase): Call agent_clear_passphrase.
    * agent/gpg-agent.c (oNoAllowExternalCache): New.
    (opts): Add option --no-allow-external-cache.
    (parse_rereadable_options): Set this option.

> >   - An update to Gnome-Keyring that disables it GPG Agent proxy.
> Maybe we need to offer them a patch.  the goal here is just to disable
> gnome-keyring's gpg-agent proxy implementation by default, right?

That's correct.  It should be sufficient to configure gnome keyring
with --disable-gpg-agent (but I haven't tested this).

> >   - Make Gnome Keyring depend on pinentry-gnome3.
> I've opened for this.

In that report, you note:

  This is part of a larger project to reduce superfluous dependencies
  on headless servers that use GnuPG while improving the user
  experience for desktop users of GnuPG

That's a worth effort, but it might be worth mentioning that it is
also about fixing the gnome keyring hijack problem.

Thanks for working on this!

:) Neal

More information about the Gnupg-devel mailing list