gpgme's override-session-key property leaks into the process table

Werner Koch wk at gnupg.org
Wed Nov 16 07:54:53 CET 2016


On Wed, 16 Nov 2016 07:22, dkg at fifthhorseman.net said:

> I just noticed that setting the session key via gpgme will leak the
> session key to the process table. :(

Ah yes.  With the use case you described this is not good.  The original
reason for --override-session-key was a different one: When the first UK
RIP act was set in power Caspar Bowden asked me for a way to mitigate
the effect.  According to him the act did not require that the private
key needs to be given to the police but just the key and that could very
well be the session key.

> Fixing this would probably require fixing gpg itself
> (e.g. --override-session-key-fd or --override-session-key-envvar) and

Yet another fd to pass:-(.  On Unix we could use an envvar by setting it
after the fork, but that does not work on Windows (leaked to the
process' memory and problems with threads).  A better solution would be
to wait until we have changed gpg to be an Assuan server.  But that will
not happen soon.

> this could be a bad outcome.  Should we add a warning to the
> documentation at the moment in lieu of a fix?  or should we just fix it

I'll add a warning to gpg and gpgme for now.  After the release we can
add the --override-session-key-fd session id thing - maybe even for
2.1.16.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
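
Added example, not part of the original message and not GnuPG or gpgme code: a Linux-only comparison of the two hand-off styles discussed in this thread, a secret on the command line versus a secret read from an inherited file descriptor. The child is a stand-in Python process rather than gpg, the key is a constructed sample, and the name `key_visible_in_process_table` is hypothetical.

```python
import hashlib
import os
import subprocess
import sys

# Constructed sample value, shaped like an "algo:hex" session key string.
SESSION_KEY = "9:" + "AB" * 32

# Stand-in for the gpg child (assumption: not gpg itself). It takes the key
# either from argv[2] or from the fd numbered in argv[2], prints a digest to
# prove receipt, then waits on stdin so the parent can inspect it while alive.
CHILD = r"""
import hashlib, os, sys
mode, arg = sys.argv[1], sys.argv[2]
key = arg if mode == "argv" else os.read(int(arg), 4096).decode()
print(hashlib.sha256(key.encode()).hexdigest(), flush=True)
sys.stdin.read()
"""

def key_visible_in_process_table(mode):
    """Run the child; return (key seen in /proc/<pid>/cmdline, child got key)."""
    r, w = os.pipe()
    # "argv" puts the secret itself on the command line; "fd" puts only the
    # descriptor number there and sends the secret through the pipe.
    arg = SESSION_KEY if mode == "argv" else str(r)
    child = subprocess.Popen(
        [sys.executable, "-c", CHILD, mode, arg],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE,
        pass_fds=(r,), text=True)
    os.close(r)
    os.write(w, SESSION_KEY.encode())
    os.close(w)
    digest = child.stdout.readline().strip()
    # What any local user can read about the running child.
    with open(f"/proc/{child.pid}/cmdline", "rb") as f:
        cmdline = f.read().replace(b"\0", b" ").decode()
    child.stdin.close()
    child.wait()
    received = digest == hashlib.sha256(SESSION_KEY.encode()).hexdigest()
    return SESSION_KEY in cmdline, received

if __name__ == "__main__":
    for mode in ("argv", "fd"):
        leaked, received = key_visible_in_process_table(mode)
        print(f"{mode}: key in process table={leaked}, child got key={received}")
```
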

More information about the Gnupg-devel mailing list