Detecting and flushing cached pin in gpg-agent from gpgme

Werner Koch wk at
Mon Jul 4 12:37:00 CEST 2016

On Mon,  4 Jul 2016 12:02, joakim.lundborg at said:

> Now I would like to improve my app by giving the user an indication of
> whether or not the password for the gpg key used for encrypting the
> passwords is currently cached in gpg-agent. I also would like to flush

That can only be an estimation but it is possible:

  gpg-connect-agent 'help keyinfo' /bye

which outputs a line

  #  KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr>
  # CACHED is 1 if the passphrase for the key was found in the key cache.
  #        If not, a '-' is used instead.

> I couldn't find APIs for this in gpgme or in gpg, unless I'm missing

You can directly connect to gpg-agent.  Use gpa/src/cardman.c as an

  err = gpgme_new (&cardman->gpgagent);
  if (err)
    gpa_gpgme_error (err);

  /* Switch the context to the Assuan protocol so that raw gpg-agent
     commands can be sent through it.  */
  err = gpgme_set_protocol (cardman->gpgagent, GPGME_PROTOCOL_ASSUAN);
  if (err)
    {
      if (gpg_err_code (err) == GPG_ERR_INV_VALUE)
        gpa_window_error (_("The GPGME library is too old to "
                            "support smartcards."), NULL);
      else
        gpa_gpgme_warning (err);
      gpgme_release (cardman->gpgagent);
      cardman->gpgagent = NULL;
    }

You run commands this way:

  gpg_error_t operr;  /* Error reported by gpg-agent itself.  */

  if (!gpgme_op_assuan_transact_ext (cardman->gpgagent,
                                     "SCD RESTART",
                                     NULL, NULL, NULL, NULL,
                                     NULL, NULL, &operr)
      && !operr)
    {
      /* The command was sent and gpg-agent answered OK.  */
    }

In this example the gpg-agent is asked to send scdaemon a restart
command.  Unfortunately we do not have documentation for this API, thus
I can for now only refer to gpa as an example and to the code of gpgme
(gpgme/src/opassuan.c).

> something. For flushing, it seems to be possible to send HUP
> signals to the gpg-agent process, but this seems a bit brutal, and is
> also reported to not work [4]

I use it all the time.  Either pkill -1 gpg-agent or the platform
independent "gpgconf --reload gpg-agent".  The latter does a

  gpg-connect-agent --no-autostart RELOADAGENT </dev/null

> echo RELOADAGENT | gpg-connect-agent

Better use

  gpg-connect-agent RELOADAGENT /bye

or use it interactively.  The normal mode is to run the commands given on
the command line and then fall into interactive mode; the /bye avoids
the fallback to interactive mode.

You may also use

  gpg-connect-agent --dirmngr

to directly connect to the dirmngr in the same way gpg does it.  To
access scdaemon you should go via gpg-agent by prefixing the scdaemon
command with "SCD " (you may also use lowercase command names).

All Assuan servers support "HELP" to list all commands and for most
commands you can do "HELP commandname".



Thoughts are free.  Exceptions are governed by a federal law.
 /* Join us at OpenPGP.conf  <> */
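As an added example (not code from the mail, from gpa or from gpgme), the KEYINFO estimation described above done without GPGME: it shells out to gpg-connect-agent, parses the "S KEYINFO ..." status line for one keygrip and returns its CACHED field. The function names are mine, and it assumes gpg-connect-agent is on PATH and a gpg-agent is running.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one status line as printed by gpg-connect-agent:
   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr>
   Returns 1 if CACHED is "1", 0 if it is "-", else -1 (not a KEYINFO
   line for KEYGRIP, or malformed).  */
int
keyinfo_cached (const char *line, const char *keygrip)
{
  char tag[8], cmd[16], grip[64], type[8], serial[64], idstr[64], cached[8];

  if (sscanf (line, "%7s %15s %63s %7s %63s %63s %7s",
              tag, cmd, grip, type, serial, idstr, cached) != 7
      || strcmp (tag, "S") || strcmp (cmd, "KEYINFO") || strcmp (grip, keygrip))
    return -1;
  return !strcmp (cached, "1") ? 1 : !strcmp (cached, "-") ? 0 : -1;
}

/* Ask the running gpg-agent whether the passphrase for KEYGRIP is cached:
   1 = yes, 0 = no, -1 = unknown (no agent, key not known, parse error).
   Only an estimate: the entry may expire right after the query, so the
   caller must still be prepared for a pinentry prompt.  */
int
agent_pin_cached (const char *keygrip)
{
  char command[128], line[512];
  FILE *fp;
  int result = -1;

  /* A keygrip is 40 hex digits; refuse anything else before it is
     interpolated into a shell command line.  */
  if (strlen (keygrip) != 40 || strspn (keygrip, "0123456789ABCDEFabcdef") != 40)
    return -1;
  snprintf (command, sizeof command,
            "gpg-connect-agent --no-autostart 'KEYINFO %s' /bye 2>/dev/null",
            keygrip);
  if (!(fp = popen (command, "r")))
    return -1;
  while (fgets (line, sizeof line, fp))
    if ((result = keyinfo_cached (line, keygrip)) >= 0)
      break;
  pclose (fp);
  return result;
}
```

The keygrip of a secret key is shown by `gpg --with-keygrip -K`; flushing stays the RELOADAGENT command from the mail, sent the same way through gpg-connect-agent.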
