gpg-agent cache keygrip

Werner Koch wk at
Wed Jul 26 08:52:12 CEST 2017

On Tue, 25 Jul 2017 22:30, marfig at said:

> I've been trying to understand gpg-agent cache behavior in the presence
> of two distinct keys with the same passphrase. Namely, why is it that it
> only asks for the passphrase once, regardless of the key being used?

There is a kludge in gpg and gpg-agent described in this comment:

  /* The standard use of GPG keys is to have a signing and an
     encryption subkey.  Commonly both use the same
     passphrase.  We try to help the user to enter the
     passphrase only once by silently trying the last
     correctly entered passphrase.  Checking one additional
     passphrase should be acceptable; despite the S2K
     introduced delays. The assumed workflow is:

       1. Read encrypted message in a MUA and thus enter a
          passphrase for the encryption subkey.

       2. Reply to that mail with an encrypted and signed
          mail, thus entering the passphrase for the signing

     We can often avoid the passphrase entry in the second
     step.  We do this only in normal mode, so not to
     interfere with unrelated cache entries.  */

"normal modes" is one of the cache classes we have in gpg-agent.  This
one is for unprotecting gpg or gpgsm keys.

If you want to follow what is going on, you may add

  debug ipc,cache
  log-file socket://

into gpg-agent.conf, restart the agent and run 

  watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log

on another tty.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
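The debugging setup described above, written out as a small POSIX shell script. This is an added example, not part of the original message or of GnuPG itself: it takes a GNUPGHOME directory as its argument, adds the two directives from the message to that directory's gpg-agent.conf without duplicating them on repeated runs, and keeps the restart and watchgnupg step in a separate function because that part touches the live agent. The `--apply` switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): enable the gpg-agent cache
# debugging described in the message for a given GNUPGHOME, idempotently.
# Assumes the directory exists and is writable; gpgconf and watchgnupg are
# only invoked by watch_agent_log, which is not called unless --apply is given.

# Append a directive to gpg-agent.conf unless that exact line is already present.
ensure_conf_line() {
    conf="$1"; line="$2"
    [ -f "$conf" ] || : > "$conf"
    if ! grep -Fxq -e "$line" "$conf"; then
        printf '%s\n' "$line" >> "$conf"
    fi
}

# Write the two directives from the message into $1/gpg-agent.conf.
enable_agent_cache_debug() {
    home="$1"
    conf="$home/gpg-agent.conf"
    ensure_conf_line "$conf" "debug ipc,cache"
    ensure_conf_line "$conf" "log-file socket://"
    # Keep the config private, like the rest of GNUPGHOME.
    chmod 600 "$conf"
}

# Print how many times an exact directive line appears in a config file
# (used to check that re-running the setup never duplicates a directive).
count_conf_line() {
    grep -Fxc -e "$2" "$1" || true
}

# Restart the agent so it re-reads gpg-agent.conf, then stream its log,
# exactly as the message suggests. Run this on a separate tty.
watch_agent_log() {
    home="$1"
    GNUPGHOME="$home" gpgconf --kill gpg-agent
    sockdir=$(GNUPGHOME="$home" gpgconf --list-dirs socketdir)
    watchgnupg --force --time-only "$sockdir/S.log"
}

# Only act on the real agent when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    home="${GNUPGHOME:-$HOME/.gnupg}"
    enable_agent_cache_debug "$home"
    watch_agent_log "$home"
fi
```

Once the log is streaming, exercising the two subkeys from the quoted question (decrypt with one, sign with the other) shows whether the second operation is served from the "normal" cache class without a new pinentry prompt.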