Detecting and flushing cached pin in gpg-agent from gpgme
Werner Koch
wk at gnupg.org
Mon Jul 4 12:37:00 CEST 2016
On Mon, 4 Jul 2016 12:02, joakim.lundborg at gmail.com said:
> Now I would like to improve my app by giving the user an indication of
> whether or not the password for the gpg key used for encrypting the
> passwords is currently cached in gpg-agent. I also would like to flush
That can only be an estimation but it is possible:
  gpg-connect-agent 'help keyinfo' /bye
which outputs a line
  # KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr>
  [...]
  # CACHED is 1 if the passphrase for the key was found in the key cache.
  #        If not, a '-' is used instead.
> I couldn't find APIs for this in gpgme or in gpg, unless I'm missing
You can directly connect to gpg-agent. Use gpa/src/cardman.c as an
example:
  err = gpgme_new (&cardman->gpgagent);
  if (err)
    gpa_gpgme_error (err);

  err = gpgme_set_protocol (cardman->gpgagent, GPGME_PROTOCOL_ASSUAN);
  if (err)
    {
      if (gpg_err_code (err) == GPG_ERR_INV_VALUE)
        gpa_window_error (_("The GPGME library is too old to "
                            "support smartcards."), NULL);
      else
        gpa_gpgme_warning (err);
      gpgme_release (cardman->gpgagent);
      cardman->gpgagent = NULL;
    }
You run commands this way:
  /* Data, inquire and status callbacks (and their opaque values) are
     all NULL here; OPERR receives the error code reported by the
     Assuan server itself, which has to be checked separately from the
     gpgme return value.  */
  if (!gpgme_op_assuan_transact_ext (cardman->gpgagent,
                                     "SCD RESTART",
                                     NULL, NULL, NULL, NULL,
                                     NULL, NULL, &operr))
    {
      /* gpgme itself reported no error; inspect OPERR next.  */
    }
In this example the gpg-agent is asked to send scdaemon a restart
command. Unfortunately we do not have documentation for this API, thus
I can for now only refer to gpa as an example and to looking into the
code of gpgme (gpgme/src/opassuan.c).
> something. For flushing, it seems to be possible to use send HUP
> signals to the gpg-agent process, but this seems a bit brutal, and is
> also reported to not work [4]
I use it all the time. Either pkill -1 gpg-agent or the platform
independent "gpgconf --reload gpg-agent". The latter does a

  gpg-connect-agent --no-autostart RELOADAGENT </dev/null
> echo RELOADAGENT | gpg-connect-agent
Better use

  gpg-connect-agent RELOADAGENT /bye

or use it interactively. The normal mode is to run the commands given on
the command line and then fall into interactive mode; the /bye avoids
the fallback to interactive mode.
You may also use
  gpg-connect-agent --dirmngr

to directly connect to the dirmngr in the same way gpg does it. To
access scdaemon you should go via gpg-agent by prefixing the scdaemon
command with "SCD " (you may also use lowercase command names).
All Assuan servers support "HELP" to list all commands and for most
commands you can do "HELP commandname".
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
/* Join us at OpenPGP.conf <https://openpgp-conf.org> */
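As an added example (not code from Werner's mail, from gpa or from gpgme), the KEYINFO-based check and the RELOADAGENT flush described above, done from a POSIX shell so it can be dropped into a script before calling gpgme. It assumes that gpg-connect-agent prints the agent's status lines prefixed with "S " in the field order quoted from 'help keyinfo' above, that "KEYINFO --list" enumerates all keys the agent knows (verify with 'help keyinfo' on your version), and the function names and the KEYINFO sample lines are constructed for this example:

```shell
#!/bin/sh
# Added example: ask gpg-agent whether the passphrase for a keygrip is
# cached by parsing KEYINFO status lines, and flush the cache.
# Assumptions (not from the mail): gpg-connect-agent prints status lines as
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr>
# (newer agents may append further fields; only field 7, CACHED, is read),
# and "KEYINFO --list" lists every key known to the agent.

# Constructed sample output (not captured from a real agent): one key whose
# passphrase is cached (field 7 = 1), one whose is not (field 7 = -).
SAMPLE_KEYINFO='S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - 1 P -
S KEYINFO FEDCBA9876543210FEDCBA9876543210FEDCBA98 D - - - P -
OK'

# cached_status KEYGRIP [KEYINFO_OUTPUT]
# Prints "cached", "not-cached" or "unknown" (keygrip not reported at all).
# Without a second argument the running gpg-agent is queried;
# --no-autostart avoids spawning an agent just to ask the question.
cached_status() {
  grip=$1
  out=${2:-$(gpg-connect-agent --no-autostart 'KEYINFO --list' /bye 2>/dev/null)}
  printf '%s\n' "$out" | awk -v grip="$grip" '
    $1 == "S" && $2 == "KEYINFO" && $3 == grip {
      if ($7 == "1") print "cached"; else print "not-cached"
      found = 1
      exit
    }
    END { if (!found) print "unknown" }'
}

# Flush every cached passphrase. gpgconf --reload is the portable form;
# the RELOADAGENT fallback is the command it issues underneath.
flush_passphrase_cache() {
  gpgconf --reload gpg-agent 2>/dev/null ||
    gpg-connect-agent --no-autostart RELOADAGENT /bye >/dev/null
}

# Usage: ./keycache.sh <keygrip>   (list keygrips with: gpg --with-keygrip -K)
if [ -n "$1" ]; then
  cached_status "$1"
fi
```

As the mail says, the answer is only an estimate: the cache entry can expire or be flushed between the KEYINFO query and the encryption call, so treat "cached" as a hint for the UI, not as a guarantee that no pinentry will appear.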