Detecting and flushing cached pin in gpg-agent from gpgme

Werner Koch wk at gnupg.org
Mon Jul 4 12:37:00 CEST 2016


On Mon,  4 Jul 2016 12:02, joakim.lundborg at gmail.com said:

> Now I would like to improve my app by giving the user an indication of
> whether or not the password for the gpg key used for encrypting the
> passwords is currently cached in gpg-agent. I also would like to flush

That can only be an estimation but it is possible:

  gpg-connect-agent 'help keyinfo' /bye

which outputs a line

  #  KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr>
  [...]
  # CACHED is 1 if the passphrase for the key was found in the key cache.
  #        If not, a '-' is used instead.

> I couldn't find APIs for this in gpgme or in gpg, unless I'm missing

You can directly connect to gpg-agent.  Use gpa/src/cardman.c as an
example:

  err = gpgme_new (&cardman->gpgagent);
  if (err)
    gpa_gpgme_error (err);

  err = gpgme_set_protocol (cardman->gpgagent, GPGME_PROTOCOL_ASSUAN);
  if (err)
    {
      if (gpg_err_code (err) == GPG_ERR_INV_VALUE)
        gpa_window_error (_("The GPGME library is too old to "
                            "support smartcards."), NULL);
      else
        gpa_gpgme_warning (err);
      gpgme_release (cardman->gpgagent);
      cardman->gpgagent = NULL;
    }

You run commands this way:

  if (!gpgme_op_assuan_transact_ext (cardman->gpgagent,
                                     "SCD RESTART",
                                     NULL, NULL, NULL, NULL,
                                     NULL, NULL, &operr))
    {
      /* Transport succeeded; OPERR carries the error code gpg-agent
         returned for the command itself, if any.  */
    }

In this example the gpg-agent is asked to send scdaemon a restart
command.  Unfortunately we do not have documentation for this API, thus
I can for now only refer to gpa as an example and looking into the code
of gpgme (gpgme/src/opassuan.c).  

> something. For flushing, it seems to be possible to use send HUP
> signals to the gpg-agent process, but this seems a bit brutal, and is
> also reported to not work [4]

I use it all the time.  Either pkill -1 gpg-agent or the platform
independent "gpgconf --reload gpg-agent".  The latter does a

  gpg-connect-agent --no-autostart RELOADAGENT </dev/null

> echo RELOADAGENT | gpg-connect-agent

Better use

  gpg-connect-agent RELOADAGENT /bye

or use it interactive.  The normal mode is to run the commands given on
the command line and then fall into interactive mode; the /bye avoids
the fallback to interactive mode.

You may also use

  gpg-connect-agent --dirmngr

to directly connect to the dirmngr in the same way gpg does it.  To
access scdaemon you should go via gpg-agent by prefixing the scdaemon
command with "SCD " (you may also use lowercase command names).

All Assuan servers support "HELP" to list all commands and for most
commands you can do "HELP commandname".


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
 /* Join us at OpenPGP.conf  <https://openpgp-conf.org> */
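Added example (not part of the post above and not GnuPG project code): a small Python helper that applies the two pieces of advice from the reply, querying gpg-agent with `gpg-connect-agent --no-autostart 'KEYINFO --list' /bye` and parsing the `S KEYINFO` status lines for the CACHED field, and flushing the cache with `gpgconf --reload gpg-agent`. The keygrip for a key can be read from `gpg --with-keygrip -K`. The sample agent output embedded below is constructed; the field layout follows the `help keyinfo` text quoted in the reply, and extra trailing fields printed by newer agents are tolerated. As the reply notes, the answer is only an estimate: the cache can change between the query and the next use of the key.

```python
"""Report whether gpg-agent currently caches a key's passphrase, and flush it.

Assumptions (hypothetical helper, not from GnuPG or the mailing-list post):
  - gpg-connect-agent and gpgconf are on PATH when query_agent()/flush_cache()
    are actually called; the parser itself runs offline.
  - Status lines look like:
      S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> [...]
    where CACHED is "1" if the passphrase is in the cache and "-" otherwise.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class KeyInfo:
    keygrip: str
    key_type: str
    serialno: str
    idstr: str
    cached: bool
    protection: str
    fpr: str


def parse_keyinfo(output: str) -> Dict[str, KeyInfo]:
    """Parse gpg-connect-agent output for 'KEYINFO --list' into a keygrip map."""
    keys: Dict[str, KeyInfo] = {}
    for line in output.splitlines():
        parts = line.split()
        # Only status lines carry key data; "OK"/"ERR" lines are skipped.
        # Nine tokens: S KEYINFO + the seven fields listed in the docstring.
        if len(parts) < 9 or parts[0] != "S" or parts[1] != "KEYINFO":
            continue
        keygrip, key_type, serialno, idstr, cached, protection, fpr = parts[2:9]
        keys[keygrip] = KeyInfo(
            keygrip=keygrip,
            key_type=key_type,
            serialno=serialno,
            idstr=idstr,
            cached=(cached == "1"),
            protection=protection,
            fpr=fpr,
        )
    return keys


def is_cached(keygrip: str, output: str) -> Optional[bool]:
    """True/False for a known keygrip, None if the agent did not list it."""
    info = parse_keyinfo(output).get(keygrip.upper())
    return None if info is None else info.cached


def query_agent(command: str) -> str:
    """Run one Assuan command via gpg-connect-agent and return its output.

    --no-autostart avoids spawning an agent just to ask about its cache;
    /bye prevents the fall-through into interactive mode.
    """
    proc = subprocess.run(
        ["gpg-connect-agent", "--no-autostart", command, "/bye"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def key_is_cached(keygrip: str) -> Optional[bool]:
    """Live check against the running agent (returns None if not listed)."""
    return is_cached(keygrip, query_agent("KEYINFO --list"))


def flush_cache() -> None:
    """Drop all cached passphrases; platform independent, as recommended."""
    subprocess.run(["gpgconf", "--reload", "gpg-agent"], check=True)


# Constructed sample output: one key with a cached passphrase, one without,
# and one smartcard-backed key (no cache entry, no protection info).
SAMPLE_OUTPUT = """\
S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - 1 P - - -
S KEYINFO FEDCBA9876543210FEDCBA9876543210FEDCBA98 D - - - P - - -
S KEYINFO 00112233445566778899AABBCCDDEEFF00112233 T D2760001240102000005000011110000 OPENPGP.1 - - - - -
OK
"""

if __name__ == "__main__":
    for grip, info in parse_keyinfo(SAMPLE_OUTPUT).items():
        print(f"{grip}: {'cached' if info.cached else 'not cached'}")
```

For a real check, call `key_is_cached("<keygrip>")` with the keygrip from `gpg --with-keygrip -K`; `flush_cache()` is the programmatic equivalent of the `gpgconf --reload gpg-agent` line in the reply and affects every cached passphrase, not just one key.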
