symmetric passphrase with remote (extra, restricted) gpg-agent
Werner Koch
wk at gnupg.org
Mon Feb 26 16:18:24 CET 2024
On Fri, 23 Feb 2024 22:59, Marcin Wrochna said:
> However, I cannot make `gpg --symmetric` encryption work on the remote,
> as it tells me getting a passphrase is "Forbidden".
Right. It does not sund like a good idea to give the server access to
your local password store (in gpg-agent). This way the server might get
access to any password sored in the cache.
You need to look at the code in gnupg/agent/commands.c - search for the
function cmd_get_passphrase. The first statement there is
if (ctrl->restricted)
return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
The function (test with gpg-connect-agent and "help get_passphrase") has
an option --no-ask which only returns value from the cache or errors
out. What we might do is another option (e.g. --only-query) to only
popup the pinentry and return the value. Maybe this can be the default
for a restricted connection.
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20240226/846f0e17/attachment.sig>
More information about the Gnupg-users
mailing list