gpg-agent "forgetting" keys when getting many parallel requests

Werner Koch wk at gnupg.org
Mon Mar 18 09:50:02 CET 2024


On Sun, 17 Mar 2024 13:09, Bence Ferdinandy said:

> running out of memory. Based on a discussion I found
> (https://dev.gnupg.org/T4255), I set `auto-expand-secmem 100M` in

Right.  The man page says:

     --auto-expand-secmem n
     
       Allow Libgcrypt to expand its secure memory area as required.
       The optional value n is a non-negative integer with a suggested
       size in bytes of each additionally allocated secure memory area.
       The value is rounded up to the next 32 KiB; usual C style
       prefixes are allowed.  For an heavy loaded gpg-agent with many
       concurrent connection this option avoids sign or decrypt errors
       due to out of secure memory error returns.

You should not append the 'M' - it is simply ignored.  That is a bug in
the option parser but we can't fix that because it would break too many
configs which falsely assume that a letter can be used for some kind of
unit.

The value is actually irrelevant because any value will enable the
auto-expand behaviour.  Larger chunks can make memory allocation a bit
faster because every free() call needs to check the linked list of
secure memory pools.  I am not sure whether this is measurable, though.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
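
An added example, not part of the original message and not GnuPG code: a small checker for a gpg-agent.conf that models what the reply describes for `auto-expand-secmem` (number read with C-style prefixes, a trailing letter such as 'M' ignored, result rounded up to the next 32 KiB). The parsing model, the function names and the sample config are assumptions constructed for illustration.

```python
import re

CHUNK = 32 * 1024  # man page: n is rounded up to the next 32 KiB
OPTION = "auto-expand-secmem"
# C-style integer: 0x.. is hex, a leading 0 is octal, otherwise decimal.
_NUM = re.compile(r"(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)(.*)$")

# Constructed sample config, not taken from the thread.
SAMPLE = """\
# gpg-agent.conf (constructed sample)
default-cache-ttl 600
auto-expand-secmem 100M
"""

def parse_c_int(text):
    """Split text into (integer, trailing characters); (None, text) if no number."""
    m = _NUM.match(text)
    if not m:
        return None, text
    digits, rest = m.groups()
    if digits[:2].lower() == "0x":
        return int(digits, 16), rest
    if len(digits) > 1 and digits[0] == "0":
        return int(digits, 8), rest
    return int(digits, 10), rest

def round_up(n):
    """Round n up to the next multiple of 32 KiB."""
    return -(-n // CHUNK) * CHUNK

def check_conf(conf_text):
    """Return one finding per auto-expand-secmem line in the config text."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] != OPTION:
            continue
        raw = fields[1] if len(fields) > 1 else ""
        value, ignored = parse_c_int(raw)  # assumed model: suffix is dropped
        chunk = None if value is None else round_up(value)
        findings.append({"line": lineno, "raw": raw, "ignored_suffix": ignored,
                         "parsed_bytes": value, "chunk_bytes": chunk})
    return findings

if __name__ == "__main__":
    for finding in check_conf(SAMPLE):
        print(finding)
```

Under this model `100M` is read as 100 bytes and rounded up to a single 32 KiB chunk; a value that really means 100 MiB would be written in bytes, for example `0x6400000`.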