caching of keys (passwords) during signing vs. during --quick-add-subkey.

Dirk-Willem van Gulik dirkx at webweaving.org
Sun Jul 30 15:26:33 CEST 2017


When I pre-cache a password of a fresh key:
	 

	# Generate key
	gpg2 --batch --passphrase foo --quick-generate-key test@test.com rsa4096 sign 5

	.. extract keygrip of just generated keys...

	# Precache password for next operations:
	gpg-preset-passphrase  --preset -P foo 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7 
	
		2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 <- PRESET_PASSPHRASE 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7 -1 666F6F
		2017-07-30 09:12:51 gpg-agent[10565] DBG: agent_put_cache '6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7' (mode 1) requested ttl=-1
		2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 -> OK

I find that this works splendidly on a normal sign operation
	
	echo foo | gpg2  --sign --armour

		2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 <- HAVEKEY 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7
		2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 -> OK
		2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 <- KEYINFO 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7
		2017-07-30 09:12:51 gpg-agent[10565] DBG: agent_get_cache '6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7' (mode 2) ...
		2017-07-30 09:12:51 gpg-agent[10565] DBG: ... hit
		….
		2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 <- SETKEYDESC Please+enter….
		…
		2017-07-30 09:12:51 gpg-agent[10565] DBG: agent_get_cache '6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7' (mode 2) ... 

but fails on a quick-key-add:

	gpg2  --batch --quick-add-key B447C69E35DF57D7691AA4B6B98648C42890DF09 rsa4096 sign 2 

	
		2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 <- KEYINFO 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7
		2017-07-30 09:12:51 gpg-agent[10565] DBG: agent_get_cache '6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7' (mode 2) ...
		2017-07-30 09:12:51 gpg-agent[10565] DBG: ... hit
		2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 -> S KEYINFO 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7 D - - 1 P - - -
		2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 -> OK
		2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 <- SETKEYDESC Please+enter+…..
		2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 -> OK
		2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 <- PASSWD  --verify 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7
		2017-07-30 09:12:51 gpg-agent[10565] starting a new PIN Entry 

Which then goes into the usual pinentry sequence (which completes fine when given the password).

The gpg-agent.conf has longish TTLs and lax settings:

	allow-preset-passphrase
	default-cache-ttl 300
	max-cache-ttl 300

Is there any setting that needs to be added to allow the ‘special’ sort of sign case?

With kind regards.

Dw.

#!/bin/sh
set -e
set -x

TMPDIR=${TMPDIR:-/tmp}
VOLNAME=${VOLNAME:-gnupg.tmp.$$}
TMPSTORE=${TMPDIR}/${VOLNAME}
GNUPGHOME=/Volumes/${VOLNAME}
PASSWD='foo'

PGP=/usr/local/bin/gpg2
SM=/usr/local/bin/gpgsm
PRESET=/usr/local/libexec/gpg-preset-passphrase

SIZE=5M


export DAYS=5
export SUBDAYS=2

# Use an ephemeral (encrypted, throw-away passphrase) disk image if we can.
#
if test -f /usr/bin/hdiutil; then
	export RANDFILE=~/.openssl.rand.state
	openssl rand -base64 128 |\
       		/usr/bin/hdiutil create -attach -stdinpass -quiet \
       		-encryption -size $SIZE -fs HFS+ \
       		-volname ${VOLNAME} ${TMPSTORE}
	# The mounted volume stays attached after its backing file is unlinked.
	rm -f ${TMPSTORE}.dmg
else
	GNUPGHOME=${TMPSTORE}
	mkdir -p ${GNUPGHOME}
	chmod 700 ${GNUPGHOME}
fi


# Do the key work in a subshell so that a failure under set -e still
# reaches the cleanup below instead of aborting the whole script.
E=0
(
export GNUPGHOME

cat > ${GNUPGHOME}/gpg-agent.conf <<EOM

# Bit annoying we need this - despite no user interaction.
pinentry-program /usr/bin/pinentry-curses

debug-quick-random
allow-preset-passphrase
default-cache-ttl 300
max-cache-ttl 300
# batch

# At guru level the PRESET_PASSPHRASE command, passphrase included (hex),
# is written to this log file; keep it somewhere private, not a shared /tmp.
debug-level guru
log-file /tmp/sc.log
EOM

${PGP} --verbose --homedir ${GNUPGHOME} \
	--batch --passphrase "${PASSWD}" \
	--quick-generate-key \
	test@test.com rsa4096 sign ${DAYS}

# --with-colons 'fpr' records look like  fpr:::::::::<fingerprint>:
# so with IFS=: the fingerprint is field 10.
OLDIFS=$IFS
IFS=:
set -- $( ${PGP} --homedir ${GNUPGHOME} --list-secret-keys --with-colons | grep ^fpr: | head -1 )
FPR=${10}
IFS=$OLDIFS
if [ ${#FPR} -ne 40 ]; then
	echo Generation failed, FPR not 40 bytes.
	exit 1
fi

# gpg-preset-passphrase
# set $(${SM} --homedir ${GNUPGHOME} --dump-secret-key | grep keygrip:)
# KEYGRIP=${2}

# set $( gpg-connect-agent --homedir ${GNUPGHOME} 'keyinfo --list' /bye | head -1 )
# KEYGRIP=${3}

# Same layout for the 'grp' record:  grp:::::::::<keygrip>:
IFS=:
set -- $( ${PGP} --homedir ${GNUPGHOME} --with-keygrip --list-secret-keys --with-colons | grep ^grp: | head -1 )
KEYGRIP=${10}
IFS=$OLDIFS
${PRESET} --homedir ${GNUPGHOME} --preset -P "${PASSWD}" ${KEYGRIP}

# Check that signing works from the preset cache (no pinentry expected).
#
echo foo | ${PGP} --homedir ${GNUPGHOME} --sign --armour

${PGP} --homedir ${GNUPGHOME} \
       --batch  \
       --quick-add-key \
	$FPR rsa4096 sign $SUBDAYS

${PGP} --homedir ${GNUPGHOME} \
       --batch \
       --quick-add-key \
	$FPR rsa4096 encr $SUBDAYS

${PGP} --homedir ${GNUPGHOME} \
       --batch \
       --quick-add-key \
	$FPR rsa4096 auth $SUBDAYS

# Listing --with-fingerprint twice also prints the subkey fingerprints.
${PGP} --homedir ${GNUPGHOME} \
	--verbose --list-secret-keys --with-fingerprint --with-fingerprint

# … lots of validation stuff snipped ….

) || E=$?

# Kill only the daemons started for the temporary home, not the user's own.
gpgconf --homedir ${GNUPGHOME} --kill gpg-agent
gpgconf --homedir ${GNUPGHOME} --kill scdaemon
gpgconf --homedir ${GNUPGHOME} --kill dirmngr

if test -f /usr/bin/hdiutil; then
	hdiutil unmount -force ${GNUPGHOME}
else
	rm -rf ${GNUPGHOME}
fi

exit $E
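As an added illustration, not part of Dirk-Willem's message and not GnuPG code, here is a small Python parser for gpg-agent guru-level log lines of the kind quoted above. It groups lines by Assuan channel, counts agent_get_cache lookups and hits, reads the cached flag out of the S KEYINFO status reply, and reports any channel that got a cache hit yet still started pinentry, which is the symptom in the --quick-add-key run. The log text is constructed from the kinds of lines in the post rather than a verbatim capture; the field order assumed for the KEYINFO status line (keygrip, type, serialno, idstr, cached, protection, ...) is the one documented for gpg-agent's Assuan protocol.

```python
import re
from collections import OrderedDict

# Constructed sample log: two Assuan channels, chan_10 (preset + sign) and
# chan_14 (--quick-add-key), modelled on the lines shown in the post.
SAMPLE_LOG = """
2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 <- PRESET_PASSPHRASE 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7 -1 666F6F
2017-07-30 09:12:51 gpg-agent[10565] DBG: agent_put_cache '6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7' (mode 1) requested ttl=-1
2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 -> OK
2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 <- HAVEKEY 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7
2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 -> OK
2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 <- KEYINFO 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7
2017-07-30 09:12:51 gpg-agent[10565] DBG: agent_get_cache '6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7' (mode 2) ...
2017-07-30 09:12:51 gpg-agent[10565] DBG: ... hit
2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 -> S KEYINFO 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7 D - - 1 P - - -
2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 -> OK
2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 <- KEYINFO 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7
2017-07-30 09:12:51 gpg-agent[10565] DBG: agent_get_cache '6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7' (mode 2) ...
2017-07-30 09:12:51 gpg-agent[10565] DBG: ... hit
2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 -> S KEYINFO 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7 D - - 1 P - - -
2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 -> OK
2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 <- SETKEYDESC Please+enter+the+passphrase
2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 -> OK
2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 <- PASSWD  --verify 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7
2017-07-30 09:12:51 gpg-agent[10565] starting a new PIN Entry
"""

# "<timestamp> gpg-agent[<pid>] [DBG: ]<message>"; the PIN Entry line has no DBG prefix.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) gpg-agent\[\d+\] (?:DBG: )?(?P<msg>.*)$")
# "chan_<n> <- CMD args" (client request) or "chan_<n> -> ..." (agent reply).
CHAN_RE = re.compile(r"^chan_(?P<chan>\d+) (?P<dir><-|->) (?P<cmd>\S+)(?:\s+(?P<args>.*))?$")
CACHE_RE = re.compile(r"^agent_get_cache '(?P<grip>[0-9A-F]{40})' \(mode (?P<mode>\d+)\)")


def new_record():
    return {"requests": [], "cache_lookups": 0, "cache_hits": 0,
            "keyinfo_cached": None, "passwd_verify": False, "pinentry": False}


def parse_agent_log(text):
    """Return an OrderedDict keyed by channel number with per-channel facts."""
    records = OrderedDict()
    current = None  # channel that the most recent channel-tagged line belonged to
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        cm = CHAN_RE.match(msg)
        if cm:
            current = cm.group("chan")
            rec = records.setdefault(current, new_record())
            cmd, args = cm.group("cmd"), cm.group("args") or ""
            if cm.group("dir") == "<-":
                rec["requests"].append(cmd)
                # PASSWD --verify is the path that asks for the passphrase again.
                if cmd == "PASSWD" and "--verify" in args.split():
                    rec["passwd_verify"] = True
            elif cmd == "S" and args.startswith("KEYINFO "):
                # S KEYINFO <grip> <type> <serialno> <idstr> <cached> <protection> ...
                fields = args.split()
                rec["keyinfo_cached"] = fields[5] == "1"
            continue
        # Untagged DBG lines (cache lookups, "... hit", pinentry start) belong to
        # the channel whose request is being processed.
        if current is None:
            continue
        rec = records[current]
        if CACHE_RE.match(msg):
            rec["cache_lookups"] += 1
        elif msg.startswith("... hit"):
            rec["cache_hits"] += 1
        elif msg.startswith("starting a new PIN Entry"):
            rec["pinentry"] = True
    return records


def channels_prompting_despite_cache(records):
    """Channels where the agent found the passphrase in its cache but still opened pinentry."""
    return [c for c, r in records.items() if r["cache_hits"] and r["pinentry"]]


if __name__ == "__main__":
    recs = parse_agent_log(SAMPLE_LOG)
    for chan, r in recs.items():
        print("chan_%s: requests=%s lookups=%d hits=%d keyinfo_cached=%s passwd_verify=%s pinentry=%s"
              % (chan, ",".join(r["requests"]), r["cache_lookups"], r["cache_hits"],
                 r["keyinfo_cached"], r["passwd_verify"], r["pinentry"]))
    print("prompted despite cache hit:", channels_prompting_despite_cache(recs))
```

Run it against a real guru log (the `log-file` named in gpg-agent.conf) to see which channels consulted the cache and which of them went on to `PASSWD --verify` and pinentry anyway. The attribution of untagged lines to the last channel seen is a simplification that holds for a single-client session like the one in the post; with several concurrent clients the interleaving would need the agent's own thread markers.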




More information about the Gnupg-users mailing list