GNOME Bugzilla – Bug 733032
GCR has no man page and employs insecure defaults for GPG passphrase caching
Last modified: 2019-02-22 11:58:08 UTC
gnome-keyring has an inadequate man page and employs insecure defaults for GPG passphrase caching. See https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1325833
Please elaborate here what "inadequate" exactly means, and what "insecure defaults" mean, and which version this refers to.
inadequate: gcr-prompter prompts me for my GPG passphrase. I never configured it to do so, so I start looking for its documentation and do not find any at all in the gcr package. insecure defaults: Caching a GPG passphrase for the whole session by default is not good security practice. version: gcr package 3.10.1-1 as shipped with Ubuntu 14.04
gcr-prompter is not in the $PATH anyway so I have doubts that creating a man page would be a useful effort. (I'm not a gnome-keyring dev though to judge.)
> Caching a GPG passphrase for the whole session by default is not good
> security practice.
Who defines a "good security practice" here and with which arguments?
Well, even a README would help that explains what the package is about which could then reference further documentation to help users understand where the appropriate configuration can be found. I doubt you will find any security professional who would call caching a GPG passphrase for the entire session by default. Especially when it is not obvious where and how this behavior can be changed.
gnome-keyring no longer implements a gpg-agent. The gnupg agent and pinentry have been better integrated with GNOME. https://mail.gnome.org/archives/distributor-list/2015-August/msg00000.html