Hi,

I know that it is quite late for the Jessie release but while chatting with Neal on Sunday he remarked that he recently installed Jessie with XFCE and had to patch GKR to make GnuPG work. Thus the meanwhile well known problems with 2.1 and GKR do not only affect GNOME but also XFCE. This is quite bad for future GnuPG 2.1 adaption. But it gets worse:

The common belief is that for GnuPG 2.0 the effect of GKR hijacking the gpg/gpg-agent IPC is that only gpgsm and smartcards won't work. I looked closer at possible problems and figured that if you run GKR it will also weaken all passphrases used by gpg. Since GnuPG 2.0.14, which was released in 2009, we have this feature:

  * New and changed passphrases are now created with an iteration
    count requiring about 100ms of CPU work.

With GKR faking gpg-agent that does not work and the old default iteration count is used. For example on my X220 this leads to a 300 times lower iteration count (work factor) for OpenPGP passphrases. I have seen CVEs issued for less problematic security degrades.

Sure it is possible to manually configure a different S2K count but gpg-agent allows doing that automatically because gpg-agent is a long running process and can calibrate that value.

It seems the GKR author is willing to remove that hijacking only if we provide a new Pinentry to support gnome-keyring. Well, that can of course be done but to me adding a new feature to GNOME does not have top priority. Adding necessary features to GnuPG itself will of course be done so as to help with writing a Gnome-Pinentry.

Even without a new Gnome-Pinentry it is important to stop the hijacking of the gpg-agent IPC now. GKR being able to store passphrases for OpenPGP keys is merely a feature while inhibiting the use of gpgsm, smartcards, and iteration count calibration are bugs.

Any chance to disable the gpg-agent component in GKR?

See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=623539 (Takes over GPG and SSH agents from gnupg-agent and ssh-agent)

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
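
Added example, not part of the original message and not GnuPG's code: a Python sketch of what iteration count calibration means for the OpenPGP iterated and salted S2K (RFC 4880), timing one run and scaling the coded count to the roughly 100 ms target mentioned above. The function names, the probe count, the use of SHA-1, the constructed passphrase, and the choice of coded count 96 (65536 octets) as the fixed count to compare against are assumptions of this sketch.

```python
import hashlib
import time

LEGACY_CODED = 96  # decodes to 65536; taken here as the old fixed default (assumption)

def decode_count(c):
    """RFC 4880 3.7.1.3: expand the one-octet coded count to octets hashed."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def encode_count(octets):
    """Smallest coded count that hashes at least `octets` (max is 255)."""
    for c in range(256):
        if decode_count(c) >= octets:
            return c
    return 255

def s2k_iterated(passphrase, salt, c, keylen=16):
    """Iterated+salted S2K with SHA-1; valid for keylen <= 20."""
    data = salt + passphrase
    count = max(decode_count(c), len(data))  # hash salt+passphrase at least once
    block = data * (65536 // len(data) + 1)  # whole repetitions, so chunks stay aligned
    h = hashlib.sha1()
    while count > len(block):
        h.update(block)
        count -= len(block)
    h.update(block[:count])
    return h.digest()[:keylen]

def calibrate(target_seconds=0.1, probe=160):
    """Time one probe run, scale the count to the target, never go below the fixed count."""
    start = time.perf_counter()
    s2k_iterated(b"constructed passphrase", b"\x00" * 8, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    octets = int(decode_count(probe) * target_seconds / elapsed)
    return max(encode_count(octets), LEGACY_CODED)

if __name__ == "__main__":
    c = calibrate()
    ratio = decode_count(c) / decode_count(LEGACY_CODED)
    print(f"calibrated coded count {c} = {decode_count(c)} octets, "
          f"{ratio:.0f}x the fixed count")
```

The printed ratio is the work-factor gap a passphrase loses when it is protected with the fixed count instead of a value calibrated on the machine.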