symmetric passphrase with remote (extra, restricted) gpg-agent

Werner Koch wk at gnupg.org
Mon Feb 26 16:18:24 CET 2024


On Fri, 23 Feb 2024 22:59, Marcin Wrochna said:

> However, I cannot make `gpg --symmetric` encryption work on the remote,
> as it tells me getting a passphrase is "Forbidden".

Right.  It does not sound like a good idea to give the server access to
your local password store (in gpg-agent).  This way the server might get
access to any password stored in the cache.

You need to look at the code in gnupg/agent/commands.c - search for the
function cmd_get_passphrase.  The first statement there is

  if (ctrl->restricted)
    return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));

The function (test with gpg-connect-agent and "help get_passphrase") has
an option --no-ask which only returns value from the cache or errors
out. What we might do is another option (e.g. --only-query) to only
popup the pinentry and return the value.  Maybe this can be the default
for a restricted connection.


Salam-Shalom,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
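As an added illustration (not GnuPG's own code), here is a small C model of the policy described in the message above: a restricted connection is refused outright today, while a hypothetical --only-query option would let it prompt the user without ever consulting the local cache. The cache contents, error codes and option name are constructed stand-ins.

```c
/* Added example, not GnuPG source: a toy model of the access check that
   cmd_get_passphrase applies on a restricted (remote) connection.  The
   --only-query option is hypothetical; error codes are stand-ins. */
#include <string.h>
enum { ERR_OK, ERR_FORBIDDEN, ERR_NO_DATA };   /* stand-ins for gpg_error */
/* Connection state; 'restricted' is set for extra-socket clients. */
struct ctrl { int restricted; };
/* Constructed in-memory passphrase cache (GnuPG keeps this in cache.c). */
static const struct { const char *id; const char *pw; } cache[] = {
  { "local-key-1", "cached-secret" },
};
/* Simplified has_option(): true if OPT appears as a whole word in LINE. */
static int has_option (const char *line, const char *opt)
{
  const char *p = strstr (line, opt);
  size_t n = strlen (opt);
  return p && (p == line || p[-1] == ' ') && (p[n] == 0 || p[n] == ' ');
}
static const char *cache_lookup (const char *id)
{
  for (size_t i = 0; i < sizeof cache / sizeof cache[0]; i++)
    if (!strcmp (cache[i].id, id))
      return cache[i].pw;
  return NULL;
}
/* Stand-in for pinentry: whatever the user types at the prompt. */
static const char *ask_user (void) { return "typed-at-pinentry"; }

/* Model of cmd_get_passphrase.  LINE is the option string, ID the cache id.
   Returns an error code and stores the passphrase (or NULL) in *OUT. */
int get_passphrase (struct ctrl *ctrl, const char *line, const char *id,
                    const char **out)
{
  *out = NULL;
  /* Current behaviour: restricted connections are refused outright.  With
     the hypothetical --only-query they may prompt, but the cache branch
     below is skipped entirely, so remote clients never read local secrets. */
  if (ctrl->restricted && !has_option (line, "--only-query"))
    return ERR_FORBIDDEN;
  if (!ctrl->restricted)
    {
      if ((*out = cache_lookup (id)))
        return ERR_OK;
      if (has_option (line, "--no-ask"))     /* cache miss: do not prompt */
        return ERR_NO_DATA;
    }
  *out = ask_user ();
  return ERR_OK;
}
```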