GNOME Bugzilla – Bug 742094
Support GnuPG-2.1.x
Last modified: 2015-10-07 11:59:26 UTC
According to the GnuPG-2.1 announcement [1], the GPG_AGENT_INFO variable isn't used anymore and the socket is hardcoded to ~/.gnupg/S.gpg-agent (aka $GNUPG_HOME/S.gpg-agent). I am not really sure what needs to be done for gnome-keyring gpg-agent to work with gnupg-2.1, but it would be nice to get this done in the near future since it doesn't currently work. https://www.gnupg.org/faq/whats-new-in-2.1.html#autostart
Ideally a pinentry program would be written, that allows the following: * Prompting via gnome-shell * Optionally caching the password. One thing that seems to be missing is getting a full keyid in the pinentry for use when caching. In theory one can "screen scrape" a short keyid this out of the prompt message ... but that's pretty fragile. So a bit of additional work to have gpg2 pass an assuan OPTION with the keyid or a unique identifier, if that's preferrable. The absence of which would indicate that the passphrase does not belong to a stable entity (like a key). Links to stuff that would be used: * System prompt API: https://developer.gnome.org/gcr/unstable/GcrSystemPrompt.html * Caching passphrases with libsecret: https://developer.gnome.org/libsecret/unstable/c-examples.html * Assuan protocol: https://www.gnupg.org/documentation/manuals/assuan/
This is what assuan sorta looks like: OPTION grab OPTION ttyname=/dev/pts/1 OPTION ttytype=xterm-256color OPTION lc-ctype=en_US.UTF-8 OPTION lc-messages=en_US.UTF-8 OPTION default-ok=_OK OPTION default-cancel=_Cancel OPTION default-prompt=PIN: OPTION touch-file=/data/.gnupg/S.gpg-agent GETINFO pid SETDESC You need a passphrase to unlock the secret key for user:%0A"Stef Walter <stef@thewalter.net>"%0A1024-bit DSA key, ID D92765AF, created 2002-01-24%0A SETPROMPT Passphrase SETERROR Invalid passphrase; please try again GETPIN BYE
Once such a pinentry program exists, we would figure out a way to make it active while a GNOME session is running. The gpg-agent code in gnome-keyring would be removed.
Previous discussion: https://lists.gnupg.org/pipermail/gnupg-devel/2014-August/028689.html
A stable identifier is now provided with requests for the passphrase. The relevant command is SETKEYINFO. Please see the GnuPG bug report about this feature request for more details: https://bugs.g10code.com/gnupg/issue1945 .
Looks like gnupg upstream has implemented a gnome3 pinentry... maybe the "solution" would then be to remove the gnome-keyring gpg-agent... :/ http://git.gnupg.org/cgi-bin/gitweb.cgi?p=pinentry.git;a=commit;h=be87785005d256b7f3dacc607ba5ea0a14de8593
Blocker bug https://bugzilla.gnome.org/show_bug.cgi?id=750514 has been fixed.
This is solved in gnome-keyring 3.18.0. gnome-keyring no longer ships a gpg-agent.