Importing secret keys via gpgme-json

Werner Koch wk at
Thu May 13 18:56:38 CEST 2021

On Thu, 13 May 2021 15:58, Patrick Brunschwig said:

> 2021-05-13 15:53:58 gpg[2481] error getting the KEK: Forbidden

Ooops, I forgot about this.  gpgme-json tells gpg that the origin of the
request is the browser:

  gpgme_set_ctx_flag (ctx, "request-origin", "browser");

which enables this gpg option

  --request-origin origin
    Tell gpg to assume that the operation ultimately originated at
    origin.  Depending on the origin certain restrictions are applied
    and the Pinentry may include an extra note on the origin.  Supported
    values for origin are: local which is the default, remote to
    indicate a remote origin or browser for an operation requested by a
    web browser.

this leads to

   OPTION pretend-request-origin=browser

send to gpg-agent which the assumes the requests are coming from its
browser socket which is restricted similar to the remote socket.

So, you can't do certain operations.  In case you are not running from a
browser, we could add a command line option to gpgme-json to change
this restriction.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-devel mailing list