How to sign a remote repository, i.e. forward agent

Werner Koch wk at gnupg.org
Wed Jun 30 16:15:29 CEST 2010


Carsten Aulbert <carsten.aulbert at aei.mpg.de> writes:

> Now the notorious question: Does anyone know how to forward the agent's socket 
> to the remote machine? I've briefly tried socat (remote unix socket to tcp 

It does not help you.  gpg currently uses the agent only for passphrase
caching and not for secret key processing.  2.1 changes this but import
and export of secret keys is not yet implemented - thus it works only
for new keys.

The problem with forwarding the socket is a different one.  In theory
you could modify the gpg-agent code to listen on a local TCP server and
use an implemented hack in libassuan to connect via TCP.  Then use ssh to
tunnel the connection.  The security problem here is that anyone may
connect to a local socket.  Under Windows we use such a system but send
and expect a magic cookie to authenticate the connection.

Using a smartcard may make things easier - tunneling a smartcard is
possible and there is still some cruft in the code for remote smartcard
access.  I even have a project to do this all via an ssh connection -
but I am sure that these bits are pretty rotten.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
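The point Werner makes about a local TCP listener being connectable by anyone, as an added example that is not from this thread or from GnuPG's code: a loopback server that only serves clients presenting a random cookie stored in an owner-only file, in the spirit of the Windows handshake he mentions. The function names, the 16-byte cookie length and the wire format are constructed for illustration and do not reproduce the real Assuan protocol.

```python
import hmac
import os
import secrets
import socket
import tempfile
import threading

COOKIE_LEN = 16  # constructed: length of the random cookie in bytes


def write_cookie(path):
    """Generate a random cookie and store it in a file only the owner can read."""
    cookie = secrets.token_bytes(COOKIE_LEN)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(cookie)
    return cookie


def serve_once(srv, cookie):
    """Accept one connection; return True only if the client sent the right cookie."""
    conn, _ = srv.accept()
    with conn:
        presented = conn.recv(COOKIE_LEN)
        ok = hmac.compare_digest(presented, cookie)  # constant-time comparison
        conn.sendall(b"OK\n" if ok else b"ERR unauthorized\n")
        return ok


def connect_with_cookie(port, cookie):
    """Client side: present the cookie and return the server's reply line."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(cookie)
        return c.recv(64)


def demo(client_cookie=None):
    """Run one handshake on an ephemeral loopback port; return (accepted, reply).
    With client_cookie=None the client reads the real cookie, otherwise it acts
    like a process that can reach the port but cannot read the 0600 cookie file."""
    with tempfile.TemporaryDirectory() as d:
        cookie = write_cookie(os.path.join(d, "agent.cookie"))
        srv = socket.socket()
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        result = []
        t = threading.Thread(target=lambda: result.append(serve_once(srv, cookie)))
        t.start()
        reply = connect_with_cookie(port, cookie if client_cookie is None else client_cookie)
        t.join()
        srv.close()
        return result[0], reply
```

The ssh tunnel itself is not shown; the cookie only closes the gap that anyone on the machine can open a loopback TCP connection, while a Unix socket would carry its own filesystem permissions.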
