Bug 792442 - gnome-keyring ignores gpg-cache-method and gpg-cache-ttl
Status: RESOLVED OBSOLETE
Product: gnome-keyring
Classification: Core
Component: gpg-agent
Version: 3.20.x
Hardware/OS: Other / Windows
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: GNOME keyring maintainer(s)
QA Contact: GNOME keyring maintainer(s)
Depends on:
Blocks:
Reported: 2018-01-11 22:02 UTC by Yury Bulka
Modified: 2021-06-18 10:40 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Yury Bulka 2018-01-11 22:02:06 UTC
Gnome-keyring seems to ignore the settings for gpg passphrase caching duration. Steps to reproduce:

1) In dconf-editor edit the following settings:
- set '/desktop/gnome/crypto/cache/gpg-cache-method' to 'timeout' or 'idle';
- set '/desktop/gnome/crypto/cache/gpg-cache-ttl' to 5 (or some other value for easy testing)

2) Restart gnome-keyring-daemon (not sure if this is needed):
$ gnome-keyring-daemon -r

3) Invoke gpg2 or another program using gnome-keyring's gpg agent to get the private key, for instance:
$ echo "test" | gpg --clearsign

4) If the passphrase hasn't yet been cached, gnome-keyring asks for the passphrase. If it has, it won't ask for the passphrase even if the last time the key was used was more than 'gpg-cache-ttl' seconds ago.

I would regard this as a security issue, because with these settings set the user expects the pgp key to be protected with a passphrase again 5 minutes after its last use (the default 'gpg-cache-ttl'), when in fact it isn't, and the user is unaware.
Comment 1 Yury Bulka 2018-01-11 22:14:31 UTC
Correction: I was using "gpg2 --clearsign", because gpg couldn't access the agent for some reason: "gpg: gpg-agent is not available in this session".
Comment 2 Yury Bulka 2018-01-18 00:27:45 UTC
Okay, so it appears that these settings are irrelevant, because gnome-keyring is not even involved with gpg anymore: the gpg-agent component has been removed from gnome-keyring (which is a good thing):
https://github.com/GNOME/gnome-keyring/commit/a8862f74aaed5ac7ea7b3d72984ddd9c40febd34

Maybe these settings should be removed then?
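The reproduction steps in the description ask whether a cached passphrase outlives the configured TTL, and comment 2 explains why the dconf keys cannot decide that: gnome-keyring no longer ships a gpg-agent, so GnuPG's own gpg-agent owns the passphrase cache. The script below is an added example, not part of this report, of gnome-keyring or of GnuPG. It reads default-cache-ttl and max-cache-ttl from gpg-agent.conf (falling back to GnuPG's documented built-in defaults of 600 and 7200 seconds), asks the running agent via gpg-connect-agent 'KEYINFO --list' whether the passphrase for a given keygrip is cached right now, and for contrast prints the gnome-keyring dconf keys from the report. Assumptions: the keygrip is passed as the first argument (obtain it with gpg --list-secret-keys --with-keygrip), gpg-agent.conf lives under $GNUPGHOME or ~/.gnupg, the KEYINFO reply follows gpg-agent's documented field layout, and org.gnome.crypto.cache is the GSettings schema behind the /desktop/gnome/crypto/cache/ dconf path (an assumed name).

```shell
#!/bin/sh
# Added example (not from the bug report, gnome-keyring or GnuPG): show which TTL
# really governs the gpg passphrase cache and whether a key's passphrase is cached.
# Usage: sh check-gpg-cache.sh <KEYGRIP>   (keygrip: gpg --list-secret-keys --with-keygrip)

# GnuPG's built-in defaults (seconds), used when gpg-agent.conf does not set them.
GPG_DEFAULT_CACHE_TTL=600
GPG_MAX_CACHE_TTL=7200

# Read a numeric option from gpg-agent.conf text on stdin.
# $1 = option name, $2 = fallback printed when the option is absent or commented out.
agent_conf_value() {
    awk -v key="$1" -v fallback="$2" '
        $1 == key && $2 ~ /^[0-9]+$/ { val = $2 }
        END { out = (val == "") ? fallback : val; print out }'
}

# Parse the reply to "KEYINFO --list" on stdin and report whether the passphrase
# for keygrip $1 is in the agent cache. Reply lines have the layout
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# where <cached> is "1" when the passphrase is cached and "-" when it is not.
keyinfo_cached() {
    awk -v grip="$1" '
        $1 == "S" && $2 == "KEYINFO" && $3 == grip {
            state = ($7 == "1") ? "cached" : "not-cached"; found = 1
        }
        END { if (found) print state; else print "unknown" }'
}

# Query the live system: effective gpg-agent TTLs, cache state for the keygrip, and
# (for contrast) the gnome-keyring dconf keys from the report, which gpg-agent never reads.
check_live() {
    grip="$1"
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    if [ -r "$conf" ]; then
        ttl=$(agent_conf_value default-cache-ttl "$GPG_DEFAULT_CACHE_TTL" < "$conf")
        max=$(agent_conf_value max-cache-ttl "$GPG_MAX_CACHE_TTL" < "$conf")
    else
        ttl=$GPG_DEFAULT_CACHE_TTL
        max=$GPG_MAX_CACHE_TTL
    fi
    echo "gpg-agent: default-cache-ttl=$ttl max-cache-ttl=$max (from $conf or built-in defaults)"

    if command -v gpg-connect-agent >/dev/null 2>&1; then
        state=$(gpg-connect-agent 'KEYINFO --list' /bye 2>/dev/null | keyinfo_cached "$grip")
        echo "gpg-agent: passphrase for keygrip $grip is $state"
    else
        echo "gpg-connect-agent not found; cannot query the running agent"
    fi

    # Assumed schema name for the dconf path /desktop/gnome/crypto/cache/ in the report.
    if command -v gsettings >/dev/null 2>&1; then
        method=$(gsettings get org.gnome.crypto.cache gpg-cache-method 2>/dev/null)
        gttl=$(gsettings get org.gnome.crypto.cache gpg-cache-ttl 2>/dev/null)
        if [ -n "$method" ]; then
            echo "gnome-keyring dconf: gpg-cache-method=$method gpg-cache-ttl=$gttl (not consulted by gpg-agent)"
        fi
    fi
}

if [ -n "${1:-}" ]; then
    check_live "$1"
fi
```

Run it once right after signing, wait past the gpg-agent TTL, and run it again: the KEYINFO cached flag flipping from 1 to - is the behaviour that actually matters, and changing the dconf keys will not move it; editing default-cache-ttl in gpg-agent.conf and reloading the agent (gpgconf --reload gpg-agent) will.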
Comment 3 André Klapper 2021-06-18 10:40:12 UTC
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org.
As part of that, we are mass-closing older open tickets in bugzilla.gnome.org
which have not seen updates for a longer time (resources are unfortunately
quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent
and supported software version, then please follow
  https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines
and create a new ticket at
  https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/

Thank you for your understanding and your help.