Re: [Enigmail] Enigmail GNOME keyring handling

2020-01-03 Thread Werner Koch
On Fri,  3 Jan 2020 09:21, Patrick Brunschwig said:

> to deal with handling keys and passphrases. If GNOME decides to hijack
> gpg-agent then that's entirely their decision, and you can't blame GPG
> for working that.

Just let me note that GNOME is not hijacking gpg-agent.  They did so in
the past but this has been fixed years ago.  However, when using the
pinentry-gnome (which should be the default on GNOME) that pinentry
version is delegating requests to the GNOME keyring daemon and only
popping a window of its own if the GNOME keyring daemon does not know
the passphrase yet.

Running gpg with --verbose will print information about the used pinentry.

To avoid confusion: The GNOME keyring has nothing to do with the GnuPG
keyring, they only use the same name for very different things.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
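
Added example (not part of the thread and not GnuPG's own code): a shell check for which pinentry gpg-agent will start, following the note above that pinentry-gnome hands requests to the GNOME keyring daemon. The function names and the file-name test are assumptions of this example; `gpgconf --list-components` and the `pinentry-program` option of gpg-agent.conf are standard GnuPG.

```shell
#!/bin/sh
# pinentry_path CONF COMPONENTS
#   CONF        path to a gpg-agent.conf (may be absent)
#   COMPONENTS  text in the format printed by `gpgconf --list-components`
pinentry_path() {
    conf=$1; components=$2; p=
    # An explicit pinentry-program line in gpg-agent.conf overrides the default.
    # Assumption of this example: with several such lines, the last is taken.
    if [ -r "$conf" ]; then
        p=$(sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$conf" |
            tail -n 1)
    fi
    # Otherwise use the "pinentry:<description>:<path>" line from gpgconf.
    if [ -z "$p" ]; then
        p=$(printf '%s\n' "$components" |
            awk -F: '$1 == "pinentry" { print $3; exit }')
    fi
    [ -n "$p" ] || return 1
    # Distributions often install pinentry as a symlink; report the real binary.
    readlink -f "$p" 2>/dev/null || printf '%s\n' "$p"
}

# uses_gnome_keyring PATH
#   True when the resolved binary is named like a GNOME pinentry
#   (pinentry-gnome3 on current systems). This is a file-name test only.
uses_gnome_keyring() {
    case ${1##*/} in
        pinentry-gnome*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check, skipped on machines without GnuPG.
if command -v gpgconf >/dev/null 2>&1; then
    p=$(pinentry_path "$(gpgconf --list-dirs homedir)/gpg-agent.conf" \
                      "$(gpgconf --list-components)") &&
    if uses_gnome_keyring "$p"; then
        echo "$p: passphrase requests go to the GNOME keyring daemon first"
    else
        echo "$p: this pinentry asks for the passphrase itself"
    fi
fi
```

The result only says which program gpg-agent is set up to start; `gpg --verbose`, as mentioned above, shows what was actually used for a given operation.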


Re: [Enigmail] Enigmail GNOME keyring handling

2020-01-03 Thread Patrick Brunschwig
enig_2020_...@posteo.de wrote on 02.01.2020 19:52:
> On 02.01.20 at 17:36, Patrick Brunschwig wrote:
>> Robert J. Hansen wrote on 02.01.2020 16:26:
>>>> Using Enigmail for some time now - thanks for your work!
>>> Patrick deserves all the credit; the rest of us just try to help him
>>> with the load of questions.  :)  Which is hard, given that he usually
>>> beats us to answering them!
>>>
>>>> As I understand, the GPG key for a specific email address is saved
>>>> inside the keyring, in my case the GNOME keyring. To decrypt an
>>>> encrypted email Enigmail needs to have access to that keyring. Which
>>>> means, the GNOME keyring needs to be unlocked so that Enigmail can
>>>> access it and read the according GPG key.
>>> Nope.  :)
>>>
>>> GnuPG is the one popping up those passphrase dialogs, not Enigmail. 
>>> We've got nothing to do with it.  We never touch your keyring.  Although
>>> I think your feature request is pretty reasonable, it's also beyond
>>> Enigmail's scope.  Perhaps ask on GnuPG-Users, or on a GNOME mailing list?
> Thanks for the clarification.
>> The above said, I assume that what happens is this: if GNOME keyring is
>> already running when gpg requires a password, it will connect to the
>> running instance of GNOME keyring and get the password from there. If
>> GNOME keyring is not already running, then gpg will need to start a
>> "keyring" tool on its own. And the only tool known to gpg is gpg-agent.
>>
>> -Patrick
>
> Thanks for pointing that out. So, just for my understanding: Are you
> happy - design-wise - with the fact that if the keyring is not unlocked
> a user is asked for the GPG key even it is already available in the
> keyring? What do you think would need to change on the GPG side if a
> user would like to have the keyring unlocked by Enigmail instead of
> requesting the GPG key?
This is clearly the fault of GNOME, or the way your distribution is
configured. GPG contains a component called gpg-agent that is designed
to deal with handling keys and passphrases. If GNOME decides to hijack
gpg-agent then that's entirely their decision, and you can't blame GPG
for working that.

-Patrick





Re: [Enigmail] Enigmail GNOME keyring handling

2020-01-02 Thread Robert J. Hansen

> Thanks for pointing that out. So, just for my understanding: Are you
> happy - design-wise - with the fact that if the keyring is not
> unlocked a user is asked for the GPG key even it is already available
> in the keyring?


This is pretty far outside our responsibility.  The better question is 
what do users think?  And on that score, you're the authority.  I 
suggest talking to the GNOME folks and expressing your dissatisfaction 
with their UX decisions.  :)




Re: [Enigmail] Enigmail GNOME keyring handling

2020-01-02 Thread enig_2020_frq
On 02.01.20 at 17:36, Patrick Brunschwig wrote:
> Robert J. Hansen wrote on 02.01.2020 16:26:
>>> Using Enigmail for some time now - thanks for your work!
>> Patrick deserves all the credit; the rest of us just try to help him
>> with the load of questions.  :)  Which is hard, given that he usually
>> beats us to answering them!
>>
>>> As I understand, the GPG key for a specific email address is saved
>>> inside the keyring, in my case the GNOME keyring. To decrypt an
>>> encrypted email Enigmail needs to have access to that keyring. Which
>>> means, the GNOME keyring needs to be unlocked so that Enigmail can
>>> access it and read the according GPG key.
>> Nope.  :)
>>
>> GnuPG is the one popping up those passphrase dialogs, not Enigmail. 
>> We've got nothing to do with it.  We never touch your keyring.  Although
>> I think your feature request is pretty reasonable, it's also beyond
>> Enigmail's scope.  Perhaps ask on GnuPG-Users, or on a GNOME mailing list?
Thanks for the clarification.
> The above said, I assume that what happens is this: if GNOME keyring is
> already running when gpg requires a password, it will connect to the
> running instance of GNOME keyring and get the password from there. If
> GNOME keyring is not already running, then gpg will need to start a
> "keyring" tool on its own. And the only tool known to gpg is gpg-agent.
>
> -Patrick
Thanks for pointing that out. So, just for my understanding: Are you happy - 
design-wise - with the fact that if the keyring is not unlocked a user is asked 
for the GPG key even if it is already available in the keyring? What do you think 
would need to change on the GPG side if a user would like to have the keyring 
unlocked by Enigmail instead of requesting the GPG key?

Malice



Re: [Enigmail] Enigmail GNOME keyring handling

2020-01-02 Thread António Manuel Dias
Hello.

I had a similar issue with ssh passphrase caching when I switched from
using plain GNOME to the i3 window manager in Ubuntu.  The problem was
that the GNOME Keyring Daemon is automatically started when GNOME starts
but that does not happen when i3 starts.

The solution, in my case, was to manually start the daemon whenever I
need it, but you may wish to do it differently (e.g. start it at session
startup).  The command to start the daemon is:

   export $(gnome-keyring-daemon --start)

Hope this helps.

-- 
António Manuel Dias






Re: [Enigmail] Enigmail GNOME keyring handling

2020-01-02 Thread Patrick Brunschwig
Robert J. Hansen wrote on 02.01.2020 16:26:
>> Using Enigmail for some time now - thanks for your work!
> 
> Patrick deserves all the credit; the rest of us just try to help him
> with the load of questions.  :)  Which is hard, given that he usually
> beats us to answering them!
> 
>> As I understand, the GPG key for a specific email address is saved
>> inside the keyring, in my case the GNOME keyring. To decrypt an
>> encrypted email Enigmail needs to have access to that keyring. Which
>> means, the GNOME keyring needs to be unlocked so that Enigmail can
>> access it and read the according GPG key.
> 
> Nope.  :)
> 
> GnuPG is the one popping up those passphrase dialogs, not Enigmail. 
> We've got nothing to do with it.  We never touch your keyring.  Although
> I think your feature request is pretty reasonable, it's also beyond
> Enigmail's scope.  Perhaps ask on GnuPG-Users, or on a GNOME mailing list?

The above said, I assume that what happens is this: if GNOME keyring is
already running when gpg requires a password, it will connect to the
running instance of GNOME keyring and get the password from there. If
GNOME keyring is not already running, then gpg will need to start a
"keyring" tool on its own. And the only tool known to gpg is gpg-agent.

-Patrick





Re: [Enigmail] Enigmail GNOME keyring handling

2020-01-02 Thread Robert J. Hansen

> Using Enigmail for some time now - thanks for your work!


Patrick deserves all the credit; the rest of us just try to help him 
with the load of questions.  :)  Which is hard, given that he usually 
beats us to answering them!



> As I understand, the GPG key for a specific email address is saved
> inside the keyring, in my case the GNOME keyring. To decrypt an
> encrypted email Enigmail needs to have access to that keyring. Which
> means, the GNOME keyring needs to be unlocked so that Enigmail can
> access it and read the according GPG key.


Nope.  :)

GnuPG is the one popping up those passphrase dialogs, not Enigmail.  
We've got nothing to do with it.  We never touch your keyring.  Although 
I think your feature request is pretty reasonable, it's also beyond 
Enigmail's scope.  Perhaps ask on GnuPG-Users, or on a GNOME mailing 
list?




[Enigmail] Enigmail GNOME keyring handling

2020-01-02 Thread enig_2020_frq
Hello,

Using Enigmail for some time now - thanks for your work!

As I understand, the GPG key for a specific email address is saved inside the 
keyring, in my case the GNOME keyring. To decrypt an encrypted email Enigmail 
needs to have access to that keyring. Which means, the GNOME keyring needs to 
be unlocked so that Enigmail can access it and read the according GPG key.

Here's the odd thing: If the keyring is locked, Enigmail asks for the PGP-key 
instead of the keyring password. Why is Enigmail not doing it the other way 
around? Asking for the GNOME keyring password, checking if the GPG key is 
already available and using that if possible? And only if no key is there it 
would be asking for the GPG key. The reason behind this question is simple: I 
do know my GNOME keyring password (which is the login password), however I have 
not memorized my GPG key passphrase. But the way Enigmail is handling the 
keyring access / GPG keys makes some extra work for me (i.e. unlocking the 
keyring beforehand).

Would it be possible to integrate an option that makes Enigmail ask for the 
keyring password first (and therefore unlock it) if I open an encrypted 
mail? Maybe a simple solution like it is handled by secret-tool (secret-tool 
lookup type unlock-keyring)?

Thanks

Malice



