gpg-agent features of loopback-pinentry mode, preset_passphrase

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri May 8 04:54:28 CEST 2015


On Thu 2015-05-07 22:33:56 -0400, NIIBE Yutaka wrote:
> With GnuPG 2.1, the secret keys are under control of gpg-agent.
>
> Invoking gpg with --passphrase (-file, -fd), the gpg frontend needs to
> supply the passphrase to gpg-agent.  I think that the feature of
> loopback-pinentry mode and/or preset_passphrase could be used for
> that.
>
> However, those features are disabled by default.  Is there any
> reason those features could be disabled?
>
> I think that loopback-pinentry mode should be always supported so that
> --passphrase option of gpg can work well.

I think this depends on what the main purpose of gpg-agent is.

Here's one proposed purpose for gpg-agent:

 * prevent the use of secret key material without the user's knowledge,
   even to a process with access to the gpg-agent's socket

(note that the --extra-socket section of gpg-agent(1) implies that
gpg-agent is aware of use cases where the agent's socket is extended to
machines that are not otherwise considered trustworthy).

If this is the goal, then loopback pinentry is a problem, because an
attacker with access to the gpg-agent socket can run a
passphrase-guessing attack without any visibility to the user.

      --dkg
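
An added example, not part of the original message or of GnuPG: a small audit of a gpg-agent.conf for the settings this thread is about, so an administrator can see whether the defaults described above have been changed. It assumes the gpg-agent.conf option spellings `allow-loopback-pinentry`, `allow-preset-passphrase` and `extra-socket`; the function name and the sample configuration are constructed for illustration.

```python
# Added example: report gpg-agent.conf lines that enable the features
# discussed in this thread. Reasons paraphrase the thread, not GnuPG docs.
WATCHED = {
    "allow-loopback-pinentry":
        "a client on the agent socket can supply passphrases with no pinentry prompt",
    "allow-preset-passphrase":
        "passphrases can be preset in the agent without a pinentry prompt",
    "extra-socket":
        "the agent socket may be extended to machines not otherwise trusted",
}

# Constructed sample configuration (not taken from any real system).
SAMPLE_CONF = """\
# constructed sample gpg-agent.conf
default-cache-ttl 600
allow-loopback-pinentry
  extra-socket /run/user/1000/gnupg/S.gpg-agent.extra
#allow-preset-passphrase
"""

def audit_agent_conf(text):
    """Return (line_number, option, argument, reason) for each watched option."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments enable nothing
        parts = line.split(None, 1)
        # Assumption: tolerate a pasted command-line form such as "--extra-socket".
        option = parts[0].lstrip("-").lower()
        argument = parts[1].strip() if len(parts) > 1 else ""
        if option in WATCHED:
            findings.append((lineno, option, argument, WATCHED[option]))
    return findings

def not_enabled(findings):
    """Watched options absent from the file, so the agent's default applies."""
    seen = {option for _, option, _, _ in findings}
    return sorted(set(WATCHED) - seen)

if __name__ == "__main__":
    results = audit_agent_conf(SAMPLE_CONF)
    for lineno, option, argument, reason in results:
        print(f"line {lineno}: {option} {argument}".rstrip() + f"  ({reason})")
    for option in not_enabled(results):
        print(f"not set: {option}")
```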


