gpg-agent features of loopback-pinentry mode, preset_passphrase
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri May 8 04:54:28 CEST 2015
On Thu 2015-05-07 22:33:56 -0400, NIIBE Yutaka wrote:
> With GnuPG 2.1, the secret keys are under control of gpg-agent.
> Invoking gpg with --passphrase (-file, -fd), the gpg frontend needs to
> supply passphrase to gpg-agent. I think that the feature of
> loopback-pinentry mode and/or preset_passphrase could be used for
> However, those features are disabled as defaults. Are there any
> reason those feature could be disabled?
> I think that loopback-pinentry mode should be always supported so that
> --passphrase option of gpg can work well.
I think this depends on what the main purpose of gpg-agent is.
Here's one proposed purpose for gpg-agent:
* prevent the use of secret key material without the user's knowledge,
even to a process with access to the gpg-agent's socket
(note that the --extra-socket section of gpg-agent(1) implies that
gpg-agent is aware of use cases where the agent's socket is extended to
machines that are not otherwise considered trustworthy).
If this is the goal, then loopback pinentry is a problem, because an
attacker with access to the gpg-agent socket can run a
passphrase-guessing attack without any visibility to the user.
More information about the Gnupg-devel