gnome keyring & gpg agent

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jun 5 04:14:25 CEST 2015


On Thu 2015-06-04 22:09:28 -0400, Neal H. Walfield wrote:
> The main change in 2.0.28: dde8ddffd37c9ef96cae2e2b1317d1dee607fc0b
> (plus the minor fix in ef0741ac54c63b9b744de9dec86e82c530f9543a).

Thanks, that's good to keep track of.

>> >   - An update to Gnome-Keyring that disables it GPG Agent proxy.
>> 
>> Maybe we need to offer them a patch.  the goal here is just to disable
>> gnome-keyring's gpg-agent proxy implementation by default, right?
>
> That's correct.  It should be sufficient to configure gnome keyring
> with --disable-gpg-agent (but I haven't tested this).

that would make it so that users who wanted to use gnome-keyring as the
gpg-agent (e.g. those who don't have smartcards, don't use gpgsm, and
who otherwise ignore the concerns Werner has raised about
gnome-keyring's incomplete gpg-agent support) would be unable to do so.

It's a more invasive change than just disabling the functionality as per
runtime defaults.

Then again, that might keep us from dealing with a lot of extra bug
reports :)

>> >   - Make Gnome Keyring depend on pinentry-gnome3.
>> 
>> I've opened https://bugs.debian.org/787786 for this.
>
> In that report, you note:
>
>   This is part of a larger project to reduce superfluous dependencies
>   on headless servers that use GnuPG while improving the user
>   experience for desktop users of GnuPG
>
> That's a worth effort, but it might be worth mentioning that it is
> also about fixing the gnome keyring hijack problem.

The bug reports referenced in #787786 each point to the hijacking
problem as well, but i welcome any followup at 787786 at bugs.debian.org
that you think would be relevant there too.

Thanks,

        --dkg



More information about the Gnupg-devel mailing list