gpg-agent automatically use passphrase for signing subkey?

Charly Avital shavital at mac.com
Thu Jul 21 18:30:27 CEST 2011


Chris Poole
<CAF=P9QDHabJhB6V6iCde12qvvT1XY7MTyLp0_-3+0EU0FUytiQ at mail.gmail.com>
wrote on 7/21/11 4:40:17 PM:
> Perhaps I explained poorly.

You explained very clearly.

> I'm using gpg 1.4.11, gpg-agent 2.0.17.

You can have, as I do, both 1.4.11 and 2.0.17 installed side by side in
the same system.
You can use either one, as set in the path of your e-mail application.
You are using a @gmail.com based user ID, and the raw source of your
e-mail does not display which MUA you are using.

I am using Shredder, which is a trunk release of Thunderbird, where the
path, as displayed in OpenPGP/Preferences, is
/usr/local/MacGPG2/bin/gpg2. Thus I am using gpg2, in this case
MacGPG2-2.0.17-9

If instead I had set /usr/local/MacGPG2/bin/gpg, I would be using gpg,
that would be gpg 1.4.11.

If you are using Apple's Mail application (under 10.6.8), it will choose
gpg2 by default. Under Lion, the Mailbundle for Apple's Mail application
does not work, it is being rewritten by a group of developers.
> 
> Is it possible to enter a passphrase using gpg-agent, and have it cached such
> that it's used whenever I want to use any subkeys from the same main key?
> 
> Scenario:
> 
> I sign a file with my signing subkey, and give gpg-agent my passphrase.
> 
> I then decrypt another file, which has been encrypted using my encryption key,
> which is a sister subkey to the signing key (i.e., they both have the same
> parent 'main key'). Is it possible to not be prompted for my passphrase again
> for this operation?
> 
> I understand that they're separate keys, so I'm being prompted twice, but they
> are both belonging to the same primary key: can that passphrase apply to all
> subkeys when entered for any one?
> 
> I hope that clarifies what I want to do...

Maybe *I* wasn't clear enough.

gpg-agent "goes" by *actions*:  decrypt, or sign.

gpg-agent is invoked whenever you use your secret key, either for
decrypting or for signing.

As far as gpg-agent is concerned, those are two different *actions*.

When your passphrase has been cached for each of those *actions*, it
will remain in gpg-agent's "memory" for the duration of the cache set in
your home directory ~/.gnupg/gpg-agent.conf

Charly
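The cache duration Charly refers to is set in ~/.gnupg/gpg-agent.conf. The fragment below is an added example for this thread, not part of the original message; the values are illustrative choices, not the agent's defaults. Note that gpg-agent keeps one cache entry per secret key (keygrip), so a signing subkey and an encryption subkey are cached independently even though they share a primary key.

```conf
# ~/.gnupg/gpg-agent.conf  (added example; values are illustrative)
# All times are in seconds.

# A cached passphrase stays valid this long after it was last used.
default-cache-ttl 300

# Hard upper bound: the entry is dropped this long after it was first
# entered, no matter how often it has been used since.
max-cache-ttl 1800

# Bypass the cache for signing only: every signature asks for the
# passphrase again, so a passphrase cached by a decrypt cannot silently
# authorize a signature. Decrypt operations still use the cache.
ignore-cache-for-signing
```

After editing the file, apply it to the running agent with `gpg-connect-agent reloadagent /bye` rather than waiting for the next agent start.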

More information about the Gnupg-users mailing list