That blog post, factual error or not?
Damien Goutte-Gattat
dgouttegattat at incenp.org
Wed Jul 6 21:03:11 CEST 2016
Hi Peter,
On 07/06/2016 08:33 PM, Peter Lebbing wrote:
>> GnuPG Agent only caches the passphrase protecting the key, never the
>> key itself—it reads the key from file every time the key is required,
>> which means that as soon as the key file is removed from the agent's
>> directory, the key is no longer available;
>
> Is this actually the case though? Have you checked the source?
Yes I did. That's how I found out this behavior actually.
If you want to check by yourself, have a look for example at the
function agent_pkdecrypt (in the agent/pkdecrypt.c file), which
implements the agent's PKDECRYPT command. One of the first things this
function does is to call agent_key_from_file (defined in
agent/findkey.c), which *unconditionally* reads the key from its file
storage. The key is freed at the end of the agent_pkdecrypt function,
without having been cached anywhere (only the passphrase is cached, in
the function unprotect in agent/findkey.c).
The agent_pksign function, which implements the PKSIGN command and needs
the signing (sub)key, behaves similarly.
Damien
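The behaviour Damien describes can be checked from the outside without reading the agent's source. The script below is an added example, not part of this message or of GnuPG itself. It assumes GnuPG 2.1 or later with gpg, gpg-agent and gpgconf on PATH, and that the agent stores private keys as <keygrip>.key files under $GNUPGHOME/private-keys-v1.d. It generates a throwaway key in a temporary home, decrypts once, deletes the key files while the same agent keeps running, and checks that a second decryption fails even though the passphrase is supplied again. The passphrase value is constructed for the test.

```sh
#!/bin/sh
# Added example, not from the original message or from GnuPG.
# Assumes GnuPG >= 2.1 (gpg, gpg-agent, gpgconf on PATH) and that the agent
# keeps private keys as <keygrip>.key files in $GNUPGHOME/private-keys-v1.d.
# The passphrase is handed to the agent on every call, so the only thing
# that changes between the two decrypt attempts is whether the key file exists.

PASS='constructed-test-passphrase'   # constructed value for the throwaway key

cleanup() {
  gpgconf --kill gpg-agent 2>/dev/null || true
  [ -n "${TMPHOME:-}" ] && rm -rf "$TMPHOME"
}

# Returns 0 when the agent can no longer use the key once its file is gone
# (the behaviour described in the message), 1 when it still decrypts,
# 2 when one of the setup steps itself failed.
check_key_read_from_file() {
  TMPHOME=$(mktemp -d) || return 2
  chmod 700 "$TMPHOME"
  export GNUPGHOME="$TMPHOME"

  # Throwaway key: signing primary plus encryption subkey, never expiring.
  gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
      --quick-generate-key 'test <test@example.invalid>' default default never \
      || { cleanup; return 2; }

  printf 'hello\n' | gpg --batch --quiet --trust-model always \
      -r test@example.invalid -e -o "$TMPHOME/msg.gpg" || { cleanup; return 2; }

  # With the key file present, decryption succeeds; the agent has now seen
  # both the key file and the passphrase.
  gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
      -d "$TMPHOME/msg.gpg" >/dev/null 2>&1 || { cleanup; return 2; }

  # Remove the private key files while the same agent process keeps running.
  rm -f "$TMPHOME"/private-keys-v1.d/*.key

  # If the agent had kept the key material in memory this would still work.
  # Because agent_key_from_file re-reads the file, gpg reports "No secret key".
  if gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
        -d "$TMPHOME/msg.gpg" >/dev/null 2>&1; then
    cleanup; return 1
  fi
  cleanup
  return 0
}
```

Run it as `check_key_read_from_file && echo "key re-read from file"`. A return value of 2 means the environment (missing gpg, no agent, no mktemp) could not carry out the experiment and says nothing about the agent's behaviour. Note that deleting the file does not touch the passphrase cache the message mentions, so putting the file back would make the key usable again without a prompt until that cache entry expires.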