gpgme_op_delete_ext flag GPGME_DELETE_FORCE not working?

Mike Inman mangocats at gmail.com
Tue Jun 19 23:43:32 CEST 2018


As a follow-up: I have done some tracing of the code, found that the
GPGME_DELETE_FORCE flag to gpgme_op_delete_ext causes a --yes option to be
added to the gpg command.  I confirmed on command line that the behavior is
the same there: --yes does not suppress the "are you sure" graphic dialog
boxes when deleting keys.  I was able to suppress the Terminal prompts by
going to --batch mode, but never the graphic dialogs when using gpg2, neither
the 2.2.8 which I compiled from git nor the 2.1.11 that apparently ships
with Ubuntu 16.04 by default.  gpg 1.4.20 seems to never request graphic
confirmation to delete keys from command line, though a --batch was
required to suppress the terminal prompt.

I dug a little deeper into the gpg code and found that the --yes command
line flag seems to be translated to a --force option on the DELETE_KEY
command passed to assuan_transact().  I found this hint in
gnupg/agent/command.c:

    DELETE_KEY [--force|--stub-only] <hexstring_with_keygrip>

    Delete a secret key from the key store.  If --force is used
    and a loopback pinentry is allowed, the agent will not ask
    the user for confirmation.

and a further breadcrumb in gpg-agent.texi:

    @opindex no-allow-loopback-pinentry
    @opindex allow-loopback-pinentry
    Disallow or allow clients to use the loopback pinentry features; see
    the option @option{pinentry-mode} for details.  Allow is the default.

    The @option{--force} option of the Assuan command @command{DELETE_KEY}
    is also controlled by this option: The option is ignored if a loopback
    pinentry is disallowed.

but, I'm struggling with how to get the allow-loopback-pinentry option to
the gpg-agent?  It is supposed to be the default, but something seems to be
defeating that in gpg2?

All of this raises a related system setup question: apparently, replacing
gpg 1.4.20 with gpg 2.x (as happens when building gpg from the git sources
into /usr/local/lib) breaks the apt-get package management system in
Ubuntu.  What is the commonly practiced method (installation folders,
paths, etc.) for an up-to-date build of gpg that keeps it from breaking
apt-get?

Thanks,
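
The following is an added example, not part of the original post and not GnuPG code: a shell check of the one precondition the quoted documentation names, namely whether a gpg-agent.conf leaves loopback pinentry allowed. The function names are hypothetical, the sample configuration is constructed, and "last occurrence in the file decides" is an assumption about how the agent applies its options.

```sh
#!/bin/sh
# Added example: report whether a gpg-agent.conf leaves loopback pinentry
# allowed, the condition under which DELETE_KEY --force is honoured.

# loopback_state FILE -> prints "allowed" or "disallowed".
# Assumption: the agent applies options in file order, so the last
# occurrence decides; a missing file or option means the default (allow).
loopback_state() {
    [ -r "$1" ] || { echo allowed; return 0; }
    awk '
        { sub(/#.*/, "") }                          # drop comments
        $1 == "allow-loopback-pinentry"    { state = "allowed" }
        $1 == "no-allow-loopback-pinentry" { state = "disallowed" }
        END { print (state == "" ? "allowed" : state) }
    ' "$1"
}

# explain_force FILE -> one-line verdict for that configuration.
explain_force() {
    if [ "$(loopback_state "$1")" = allowed ]; then
        echo "$1: loopback allowed, DELETE_KEY --force is not ignored"
    else
        echo "$1: loopback disallowed, agent ignores --force and asks"
    fi
}

# Constructed sample configuration: the later line overrides the earlier one.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample
default-cache-ttl 600
allow-loopback-pinentry
no-allow-loopback-pinentry
EOF
explain_force "$demo"
rm -f "$demo"

# The per-user file at its usual location.
explain_force "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
```

This check reads only the configuration file; options passed on the agent's command line, and an agent that was started before the file was edited, are not covered by it.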