Notes from the first OpenPGP Summit

Daniel Kahn Gillmor dkg at
Tue Apr 28 17:12:32 CEST 2015

On Tue 2015-04-28 10:26:05 -0400, Robert J. Hansen wrote:
> This doesn't seem like a good reason.  It never has.  If I configure
> gpg-agent to cache for 20 minutes, but forget to configure
> gnome-keyring-daemon, then it's possible that 25 minutes later I'll do
> something requiring a passphrase, gpg-agent will ask me for my
> passphrase, but gnome-keyring-daemon will silently intercept it and use
> the cached value, etc., etc., leaving me wondering why gpg-agent isn't
> respecting the timeout I've given it.

agreed, this does seem suboptimal, but it's better than the current
case, where things simply don't work at all.

> I don't understand GKD's choices here.  I never have.  They've always
> seemed foolish.  If GKD wants to implement gpg-agent's protocol and run
> as a replacement gpg-agent, that's one thing... but the current setup
> just does not strike me as wise.

GKD's goal is to provide a smooth user experience, where all the user's
passwords are handled as silently as possible, behind the scenes.

However, they do not appear to have the resources to track the full
functionality of gpg-agent, so they're falling down on that front.

tracking the functionality of pinentry should be a simpler task.

>> The solution is to enhance pinentry so that if GKR is available it 
>> caches the password with GKR.
> I'm sorry, but I don't think this is a good solution.  GNOME is asking
> for privileges other desktop environments haven't asked for and don't
> get. KDE doesn't get KDE-specific functionality added to pinentry.  Nor
> does XFCE, nor does Enlightenment.  If GNOME gets to have GNOME-specific
> enhancements folded into GnuPG, then what's to prevent KDE, XFCE,
> Enlightenment, Windows, OS X, and all other desktop environments from
> demanding the same?

Every environment is free to implement its own pinentry, and we've never
discouraged that (indeed, gnupg upstream ships several pinentry
variants).  If a pinentry variant chooses to implement its own
passphrase cache, that is up to that pinentry variant, no?


More information about the Gnupg-users mailing list