On 21/07/16 08:00, Thomas Glanzmann wrote:
> From my point of view gpg-agent should ignore any DISPLAY
> settings coming over the unix socket, because it already knows the
> DISPLAY location.
GnuPG doesn't expect that you forward the normal gpg-agent socket. For
forwarding to a remote machine, there is the gpg-agent.conf option
extra-socket [socket file]
which creates an extra socket for forwarding. You can then forward this
socket the way you do now.
One gpg-agent can serve multiple local DISPLAYs. It is exactly intended
behaviour that gpg-agent listens to changes of DISPLAY; it tries to
adapt to the client inquiring the agent.
From the gpg-agent man page:
> --extra-socket name
> Also listen on native gpg-agent connections on the given socket.
> The intended use for this extra socket is to setup a Unix domain
> socket forwarding from a remote machine to this socket on the
> local machine. A gpg running on the remote machine may then
> connect to the local gpg-agent and use its private keys. This
> allows to decrypt or sign data on a remote machine without
> exposing the private keys to the remote machine.
I'm a bit surprised you still get a graphical pinentry on your original
display when you unset DISPLAY on the remote side. I would expect it to
try a textual pinentry on the TTY indicated by the remote side, which
probably should fail as well since it is the name of a TTY on the remote
side. I'm probably missing a detail somewhere. The keep-{display,tty}
sounds like it indeed should work correctly, but it is quite restrictive.
HTH,
Peter.
PS: Wow, what an extensive and detailed answer from NIIBE! Cool :-)
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
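An added example, not part of this thread and not GnuPG's own tooling: a small POSIX sh helper that puts the extra-socket line into gpg-agent.conf, discovers the local extra socket path, and builds the ssh reverse-forward argument that maps the remote host's agent socket onto that extra socket. It assumes an OpenSSH that supports Unix-socket forwarding (-R remote_socket:local_socket) and a GnuPG 2.1+ agent; the socket paths used below are illustrative, and the remote path must be whatever `gpgconf --list-dirs agent-socket` prints on the remote host.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): forward only gpg-agent's
# *extra* socket to a remote host, so a remote gpg can ask the local agent to
# sign or decrypt while the private keys never leave the local machine.
# Assumptions: OpenSSH with Unix-socket forwarding, GnuPG 2.1+; paths are
# illustrative placeholders, not values from the thread.

# Put an extra-socket line into gpg-agent.conf if one is not already there.
# $1 = path to gpg-agent.conf, $2 = path the extra socket should live at.
ensure_extra_socket() {
    conf="$1"; sock="$2"
    if grep -q '^extra-socket ' "$conf" 2>/dev/null; then
        return 0    # already configured; keep the admin's existing line
    fi
    printf 'extra-socket %s\n' "$sock" >> "$conf"
}

# Print the extra-socket path named in gpg-agent.conf (empty if none).
# $1 = path to gpg-agent.conf
configured_extra_socket() {
    sed -n 's/^extra-socket[[:space:]]*//p' "$1" 2>/dev/null | head -n 1
}

# Discover the local extra socket: newer gpgconf reports it directly
# (assumed available; older builds print nothing), otherwise fall back to
# the classic location under GNUPGHOME.
local_extra_socket() {
    out=""
    if command -v gpgconf >/dev/null 2>&1; then
        out=$(gpgconf --list-dirs agent-extra-socket 2>/dev/null || true)
    fi
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
    else
        printf '%s\n' "${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent.extra"
    fi
}

# Build the ssh -R argument: the remote agent socket path is bound on the
# remote side and every connection to it is relayed to our local extra
# socket. Forward the extra socket, never the main S.gpg-agent socket.
# $1 = agent socket path on the remote host, $2 = local extra socket path
remote_forward_arg() {
    printf '%s %s:%s' -R "$1" "$2"
}

# Usage sketch (hypothetical paths and host name):
#   ensure_extra_socket "$HOME/.gnupg/gpg-agent.conf" "$(local_extra_socket)"
#   gpgconf --kill gpg-agent      # restart so the agent creates the new socket
#   ssh $(remote_forward_arg /run/user/1000/gnupg/S.gpg-agent \
#                            "$(local_extra_socket)") remote.example
```

Because the remote side of the forward is a plain Unix socket path, a stale socket file left by an earlier session will make sshd refuse to bind it; setting StreamLocalBindUnlink yes in the remote sshd_config avoids that. Keeping the forward limited to the extra socket is the point of the thread: the remote gpg gets a restricted channel to the agent rather than the agent's full local socket.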
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users