Package: gpg-agent
Version: 2.4.8-3
Severity: important

Hi!

I'm using gpg-agent to store passphrases for a software-signing server at Pexip. We've been doing this for quite some time, and it has worked well until now. With the upgrade to Trixie, things have broken. :-(

I've debugged and found the problem: something has changed in the handling of the "max-cache-ttl" value for gpg-agent and it now breaks on values which are > 2^31.

We've been using

max-cache-ttl 4294967295

(i.e. 2^32 - 1) in our config previously, so as to keep passphrases cached for a very long time. This worked just fine. Since the upgrade, testing showed that passphrases were being expired *immediately* after being preset.

I've debugged the problem, then experimented with a range of values. With 7000000000, we see in gpg log output:

...
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 -> OK
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- IMPORT_KEY --timestamp=20251010T163401 --unattended
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 -> [[Confidential data not shown]]
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- [[Confidential data not shown]]
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- [[Confidential data not shown]]
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- [[Confidential data not shown]]
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- [[Confidential data not shown]]
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 -> OK
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- [eof]
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- OPTION allow-pinentry-notify
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 -> OK
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- PRESET_PASSPHRASE D8DCC1D7BB6EEFC7BBBFF6171CA56B8BB531D043 -1 546572 587032764D506C31647A383565744576736E6F6D63794645696E647231434E456D6854326A6668587672446D4B5335666B7442316859494D4257526D4E 42647731634568674866394A6C685331
2025-10-10 16:35:42 gpg-agent[284612] DBG: agent_put_cache 'D8DCC1D7BB6EEFC7BBBFF6171CA56B8BB531D043'.0 (mode 1) requested ttl=-1
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 -> OK
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- BYE
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 -> OK closing connection
2025-10-10 16:35:42 gpg-agent[284612] npth_pselect failed: Invalid argument - waiting 1s
2025-10-10 16:35:43 gpg-agent[284612] DBG: expired 'D8DCC1D7BB6EEFC7BBBFF6171CA56B8BB531D043'.0 (7000000000s after creation)
2025-10-10 16:35:43 gpg-agent[284612] DBG: chan_12 <- RESET
2025-10-10 16:35:43 gpg-agent[284612] DBG: chan_12 -> OK
...

Both the "npth_pselect" and the "expired" messages near the end here are caused by bad handling of the max-cache-ttl timeout value.

Switching to "2000000000", everything works fine. For now, that has solved my problem so we can go ahead with the upgrade.

I haven't yet dug into the source code to find the cause here - let me know if you'd like me to do that...

Cheers,

Steve
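
Added example, not part of the original report and not gpg-agent code: a pre-upgrade check that scans a gpg-agent.conf for cache TTL settings above the range the report found to work. The limit of 2^31 - 1 is an assumption drawn from the values tested above (2000000000 works, 4294967295 and 7000000000 do not); the function name and the sample configuration are constructed for illustration.

```python
import sys

# Assumption: signed 32-bit maximum. The report only establishes that
# 2000000000 works while 4294967295 and 7000000000 do not.
ASSUMED_MAX_TTL = 2**31 - 1

# Cache lifetime options of gpg-agent, all taking a number of seconds.
TTL_OPTIONS = {"default-cache-ttl", "max-cache-ttl",
               "default-cache-ttl-ssh", "max-cache-ttl-ssh"}

# Constructed sample configuration, not taken from the report.
SAMPLE_CONF = """\
# signing host agent settings
allow-preset-passphrase
default-cache-ttl 600
max-cache-ttl 4294967295
max-cache-ttl-ssh 2000000000
"""


def check_ttl_options(conf_text, limit=ASSUMED_MAX_TTL):
    """Return (line_no, option, value, problem) for each suspect TTL line."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        option = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if option not in TTL_OPTIONS:
            continue
        if not (value.isascii() and value.isdigit()):
            findings.append((line_no, option, value, "not a non-negative integer"))
        elif int(value) > limit:
            findings.append((line_no, option, value, "above assumed limit"))
    return findings


if __name__ == "__main__":
    # Check the file named on the command line, else the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_CONF
    results = check_ttl_options(text)
    for line_no, option, value, problem in results:
        print(f"line {line_no}: {option} {value}: {problem}")
    sys.exit(1 if results else 0)
```

Run against each signing host's gpg-agent.conf before the upgrade; a non-zero exit status means at least one TTL line needs lowering.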

