On 6/2/14, 6:59 PM, Ben Reser wrote: > The failure to cache on the first connection to the realm issue is a little > bit > harder to solve. There is actually a PRESET_PASSPHARSE call in gpg-agent's > API. But it only works when gpg-agent is started with > --allow-preset-passphrase. I think we should make the save function of the > gpg-agent provider implement the PRESET_PASSPHRASE call. We can document to > users they will have a better experience if they provide the > --allow-preset-passphrase option to gpg-agent when they start it. We can > ignore errors if it doesn't. > > There is another option and that is to use gpg-agent as a dumb store like we > do > other caches by combining PRESET_PASSPHRASE in the save function and > GET_PASSPHARSE --no-ask in the first function. This would allow us to retain > the behavior that the svn client asks for the password and thus not have to > jump through hoops to support the cache system being responsible for the UI to > request the password. Doing this of course would rquire that > --allow-preset-passphrase be passed. So I think it'd probably be best to have > a setting in our Subversion config that enables this mode but that then fails > if --allow-preset-passphrase is not enabled on gpg-agent. This behavior would > give the best experience to our users, but since it's intrusive on gpg-agent's > configuration I don't think it should be default.
Neither of these two ideas can actually be done. Or at least I don't think it's a good idea to implement them. When I wrote this email I'd seen this in the help output from gpg-connect-agent: # PRESET_PASSPHRASE <string_or_keygrip> <timeout> <hexstring> So I went looking to find out what value to set the timeout to to say use whatever the configured timeout is. Turns out that there is a much longer help output for the specific commands and it returns: # Set the cached passphrase/PIN for the key identified by the keygrip # to passwd for the given time, where -1 means infinite and 0 means # the default (currently only a timeout of -1 is allowed, which means # to never expire it). If passwd is not provided, ask for it via the # pinentry module. As you can see only an infinite timeout is supported, which is not what I believe people want with this support. So I believe what I committed in r1600781 will be the final improvement we can make. Without some additional improvements on the gpg-agent side.
