gpg-preset-passphrase and extra agent socket

Werner Koch wk at
Fri Mar 24 10:18:30 CET 2023

On Wed, 22 Mar 2023 16:16, xeyrion--- said:

> Forwarding normal socket (instead of extra socket) makes the prompt go
> away. Is there a way to preset passphrase for extra socket as well?

The caching behavior does not depend on the connection type.  Thus this
should not be an issue.  I assume you are using 2.4.0 which has a couple
of fixes for remote use.

I am almost always using the extra-socket with cards and thus I unloch
the card before I start working (using "gpg-card" and its "verify"

I would suggest to add

  debug ipc,cache
  log-file /foo/somefile

to your local gpg-agent.conf (or use watchgnupg and "socket://" as file
for live watching) to see what's going on.  You should see some error
message "Forbidden" when the remote site issues certain commands.

> If not, what are the implications of forwarding the normal socket? The wiki
> page just says "extra socket is more restricted" without going into any

For example the remote site can't list the keys on the local site.  This
is sometimes required and thus you can allow this on per private key
base by adding

  Remote-list: true

to the private key file (which you figure out using gpg -K
--with-keygrip).  But that might not be your problem.



The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list