Is gpg-agent passphrase status query possible?

Peter Lebbing peter at digitalbrains.com
Sun Nov 2 12:38:58 CET 2014


On 02/11/14 09:42, Cpp wrote:
> I see that command will print out the passphrase in clear text. Is
> this secure to use just like that?

This is the same channel as where session keys are exchanged. With a
session key, you can decrypt an encrypted message: very sensitive
information. So the channel in itself is secure; it all depends on the
application that uses it. I don't know if there are any other
applications than GnuPG itself that use the agent[1], but in your
scenario it would seem to be GnuPG itself and hence be secure.

IIUC, your question is whether it's principally possible for Enigmail to
decrypt only when you will not be prompted for the passphrase or PIN.
The GET_PASSPHRASE --no-ask seems ill equipped to do that. Even apart
from the raciness, Enigmail is quite far away from the agent interface.
I /think/ Enigmail simply executes the gnupg binary, defaulting to
v1.4.x which doesn't even necessarily use the agent! What seems to be
needed is a --no-ask command line option to GnuPG 1.4.x or 2.0.x. This
would, in the case of an agent, most likely translate into an agent
command PKDECRYPT --no-ask (which also doesn't exist yet).

So I think the answer is: without ugly hacks which also involve races,
no, Enigmail cannot currently decrypt only when it would not lead to a
prompt.

But perhaps things will completely change with the new GnuPG v2.1.x?

By the way:

$ gpg-connect-agent "help pkdecrypt" /bye
# PKDECRYPT <options>
#
# Perform the actual decrypt operation.  Input is not
# sensitive to eavesdropping.
OK

I've looked at the source (2.0.26), and there are no options. Is this
<options> still a relic from something that was once there, or planned
to be there? Why is it <options> instead of [options] anyway? :) Surely
that's a typo.

HTH,

Peter.

[1] I'm excluding gnome-keyring-daemon on purpose, since it's not using
but rather abusing.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
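As an added illustration (not part of Peter's mail), here is the defender-friendly way the cache question can be answered in GnuPG 2.1 and later, where the agent's KEYINFO command reports a "cached" flag for a keygrip. Unlike GET_PASSPHRASE, only a status line travels over the socket, so the passphrase is never printed; the keygrip and fingerprint in the sample lines are constructed, and the status-line field order is taken from the gpg-agent documentation.

```shell
#!/bin/sh
# Added example, assumes GnuPG >= 2.1 whose agent answers
#   KEYINFO <keygrip>
# with a status line of the form
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# where <cached> is "1" if the passphrase is in the agent cache and "-" if not.

# Classify one KEYINFO status line: prints cached / not-cached / unknown.
# Exit status: 0 = cached, 1 = not cached, 2 = no usable status line.
keyinfo_state() {
    line=$1
    set -- $line                     # split the status line into fields
    [ "$1" = "S" ] && [ "$2" = "KEYINFO" ] || { echo unknown; return 2; }
    case "$7" in                     # 7th field is <cached>
        1) echo cached;     return 0 ;;
        -) echo not-cached; return 1 ;;
        *) echo unknown;    return 2 ;;
    esac
}

# Ask the running agent about one keygrip. No GET_PASSPHRASE is issued, so
# nothing secret is written to stdout; a missing agent yields "unknown".
agent_cache_state() {
    keygrip=$1
    out=$(gpg-connect-agent "KEYINFO $keygrip" /bye 2>/dev/null) || { echo unknown; return 2; }
    line=$(printf '%s\n' "$out" | grep '^S KEYINFO ' | head -n 1)
    keyinfo_state "$line"
}

# Constructed sample status lines (made-up keygrip) for an offline run.
SAMPLE_CACHED='S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - 1 P - - -'
SAMPLE_NOT_CACHED='S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - - P - - -'
```

A frontend that wants to "decrypt only if no prompt would appear" can call agent_cache_state with the decryption key's keygrip and skip the operation on anything but "cached"; the check is still racy in the sense Peter describes, since the cache entry may expire between the query and the PKDECRYPT.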
