automatically add the passphrase for other (sub)keys of the same certificate

Hauke Laging mailinglisten at
Wed Aug 13 04:03:13 CEST 2014


I just got more familiar with gpg-agent and had the idea that it might 
be nice (i.e. in this case: I should be capable of doing that myself) to 
have a background process which notices that gpg-agent has a new 
passphrase in it's cache. This process could determine the certificate 
to which this passphrase belongs and check whether it has more keys. If 
so (and they are not blacklisted in the configuration of this helper 
program) then the passphrase could be added for these other keys. That 
should not be a problem at least as long as GnuPG does not allow to set 
different passphrases for different certificate components. Most users I 
see don't accept that they have to enter the passphrase twice for "the 
same" key.

My question:
Is this maybe a bad idea for reasons I don't see?

I noticed one problem: This process would have to take precautions so 
that the caching time is not affected (if the user gives the passphrase 
for key A and the process adds it for key B then it may not add it for 
key A, too, if it has expired but not yet expired for B).

Crypto für alle:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20140813/2f9f53a7/attachment.sig>

More information about the Gnupg-users mailing list