Re: gpg-agent automatically use passphrase for signing subkey?
On Sat, 23 Jul 2011 16:30, kloec...@kde.org said:

> to use the cache for signing but not for decryption), so why not add
> another option like --share-signing-and-decryption-cache? (I guess, if I
> really wanted this I should provide a patch. :-) )

Actually an option is not even required. When importing a secret key in 2.1 we try to use the same passphrase before assuming they are different. However this requires that we add a bit of extra code - I think it can be done easily but there are more important tasks right now.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg-agent automatically use passphrase for signing subkey?
2011/7/23 Ingo Klöcker:

> There is already the option --ignore-cache-for-signing (curiously the
> corresponding option for decryption is missing, i.e. it's not possible to use
> the cache for signing but not for decryption), so why not add another option
> like --share-signing-and-decryption-cache? (I guess, if I really wanted this I
> should provide a patch. :-) )

That was precisely my point; if anything, entering the passphrase twice is more of a security risk than storing it for 2 subkeys at the same time (risk of being overlooked, etc.).

Cheers

Chris Poole
[PGP BAD246F9]

Re: gpg-agent automatically use passphrase for signing subkey?
As far as I know every subkey holds its own passphrase (per default, they are all identical for a given primary key). This means that passphrase requests are actually not action-based, but key-based.

Please correct me if I'm wrong. :)

Richard

Re: gpg-agent automatically use passphrase for signing subkey?
On Friday 22 July 2011, Charly Avital wrote:

> Chris Poole wrote on 7/22/11 10:38:39 AM:
> > On Thu, Jul 21, 2011 at 5:30 PM, Charly Avital wrote:
> >> When your passphrase has been cached for each of those *actions*,
> >> it will remain in gpg-agent's "memory" for the duration of the
> >> cache set in your home directory ~/.gnupg/gpg-agent.conf
> >
> > That's a shame, but thanks.
>
> Shame?
> I find it very convenient.

You think it's convenient that you have to enter the same passphrase twice, once when you want to sign something and then again when you want to decrypt something? There are surely use cases for this, but for someone like me who is using gpg on a computer (resp. account) nobody else has (physical) access to, it's just an annoyance (albeit a minor one).

There is already the option --ignore-cache-for-signing (curiously the corresponding option for decryption is missing, i.e. it's not possible to use the cache for signing but not for decryption), so why not add another option like --share-signing-and-decryption-cache? (I guess, if I really wanted this I should provide a patch. :-) )

Regards,
Ingo

Re: gpg-agent automatically use passphrase for signing subkey?
Chris Poole wrote on 7/22/11 10:38:39 AM:

> On Thu, Jul 21, 2011 at 5:30 PM, Charly Avital wrote:
>> When your passphrase has been cached for each of those *actions*, it
>> will remain in gpg-agent's "memory" for the duration of the cache set in
>> your home directory ~/.gnupg/gpg-agent.conf
>
> That's a shame, but thanks.

Shame?
I find it very convenient.

Take care and have a fine weekend.

Charly

Re: gpg-agent automatically use passphrase for signing subkey?
On Thu, Jul 21, 2011 at 5:30 PM, Charly Avital wrote:

> gpg-agent "goes" by *actions*: decrypt, or sign.
>
> gpg-agent is invoked whenever you use your secret key, either for
> decrypting or for signing.
>
> As far as gpg-agent is concerned, those are two different *actions*.
>
> When your passphrase has been cached for each of those *actions*, it
> will remain in gpg-agent's "memory" for the duration of the cache set in
> your home directory ~/.gnupg/gpg-agent.conf

That's a shame, but thanks.

Cheers

Chris Poole
[PGP BAD246F9]

Re: gpg-agent automatically use passphrase for signing subkey?
Chris Poole wrote on 7/21/11 4:40:17 PM:

> Perhaps I explained poorly.

You explained very clearly.

> I'm using gpg 1.4.11, gpg-agent 2.0.17.

You can have, as I do, both 1.4.11 and 2.0.17 installed side by side in the same system. You can use either one, as set in the path of your e-mail application.

You are using a @gmail.com based user ID, and the raw source of your e-mail does not display which MUA you are using.

I am using Shredder, which is a trunk release of Thunderbird, where the path, as displayed in OpenPGP/Preferences, is /usr/local/MacGPG2/bin/gpg2. Thus I am using gpg2, in this case MacGPG2-2.0.17-9

If instead I had set /usr/local/MacGPG2/bin/gpg , I would be using gpg, that would be gpg 1.4.11

If you are using Apple's Mail application (under 10.6.8), it will choose gpg2 by default. Under Lion, the Mailbundle for Apple's Mail application does not work, it is being rewritten by a group of developers.

>
> Is it possible to enter a passphrase using gpg-agent, and have it cached such
> that it's used whenever I want to use any subkeys from the same main key?
>
> Scenario:
>
> I sign a file with my signing subkey, and give gpg-agent my passphrase.
>
> I then decrypt another file, which has been encrypted using my encryption key,
> which is a sister subkey to the signing key (i.e., they both have the same
> parent 'main key'). Is it possible to not be prompted for my passphrase again
> for this operation?
>
> I understand that they're separate keys, so I'm being prompted twice, but they
> are both belonging to the same primary key: can that passphrase apply to all
> subkeys when entered for any one?
>
> I hope that clarifies what I want to do...

Maybe *I* wasn't clear enough.

gpg-agent "goes" by *actions*: decrypt, or sign.

gpg-agent is invoked whenever you use your secret key, either for decrypting or for signing.

As far as gpg-agent is concerned, those are two different *actions*.

When your passphrase has been cached for each of those *actions*, it will remain in gpg-agent's "memory" for the duration of the cache set in your home directory ~/.gnupg/gpg-agent.conf

Charly

Re: gpg-agent automatically use passphrase for signing subkey?
Perhaps I explained poorly.

I'm using gpg 1.4.11, gpg-agent 2.0.17.

Is it possible to enter a passphrase using gpg-agent, and have it cached such that it's used whenever I want to use any subkeys from the same main key?

Scenario:

I sign a file with my signing subkey, and give gpg-agent my passphrase.

I then decrypt another file, which has been encrypted using my encryption key, which is a sister subkey to the signing key (i.e., they both have the same parent 'main key'). Is it possible to not be prompted for my passphrase again for this operation?

I understand that they're separate keys, so I'm being prompted twice, but they are both belonging to the same primary key: can that passphrase apply to all subkeys when entered for any one?

I hope that clarifies what I want to do...

Cheers

Chris Poole
[PGP BAD246F9]

Re: gpg-agent automatically use passphrase for signing subkey?
Chris Poole wrote on 7/21/11 2:51:42 PM:

> Hi
>
> I have a program

Which version of GnuPG are you running, and where did you download it from, please? Just for information.

> which encrypts and signs files; I supply the same key
> ID for both operations, the 'primary ID'.
>
> My key actually consists of the main key and two subkeys, for
> encryption and signing.

This is the information pertaining to the key whose key ID is mentioned in your e-mail:

pub  1024D/BAD246F9  created: 2006-03-31  expires: never  usage: SC
                     trust: unknown       validity: unknown
sub  2048D/7ED39759  created: 2010-12-11  expires: never  usage: S
sub  4096g/E71D7B3E  created: 2006-03-31  expires: never  usage: E
[ unknown] (1). Chris Poole
[ unknown] (2) Chris Poole

> I'm using gpg-agent to cache my passphrase.
>
> I get asked for my passphrase (pinentry screen) once for the
> encryption key, and then again, for the signing key.

You are asked for your passphrase once for *decrypting* an e-mail that has been encrypted using your public key; and then once again to sign an e-mail. In other words, when you need to use your secret key.

> Can I instruct the agent to give the passphrase for any subkey? Given
> that they're both subkeys, the passphrases are the same.

gpg-agent *caches* your passphrase (in encrypted form) for each of the two operations described above. The passphrase remains cached (you are not requested to type it again) for the value in seconds set in ~/.gnupg/gpg-agent.conf - You can edit that file (gpg-agent.conf) with a suitable text editor (like TextEdit that is a part of MacOSX, or with BBEdit light (freeware).

Best regards,
Charly

OSX 10.7 (11A511) MacBook Intel C2Duo 2GHz-GnuPG 1.4.11-MacGPG2-2.0.17
Shredder 8.0a1 (2011-07-21) Enigmail 1.3a1pre (20110717-1422)

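Added example, not part of any message in this thread: a shell check that reads a gpg-agent.conf and reports the cache lifetime settings and whether ignore-cache-for-signing is set, the settings the messages above refer to. The sample file contents, the function names and the 2 hour limit are assumptions made for illustration; 600 and 7200 seconds are gpg-agent's documented defaults for default-cache-ttl and max-cache-ttl.

```shell
#!/bin/sh
# Added example: report the passphrase-cache settings in a gpg-agent.conf.
# 600 and 7200 seconds are gpg-agent's documented defaults.

# agent_cache_settings FILE  (hypothetical helper name)
# Prints one line: default-cache-ttl=N max-cache-ttl=N ignore-cache-for-signing=yes|no
agent_cache_settings() {
    awk -v d=600 -v m=7200 -v s=no '
        /^[ \t]*#/ { next }                                   # comment line
        $1 == "default-cache-ttl" && $2 ~ /^[0-9]+$/ { d = $2 }
        $1 == "max-cache-ttl"     && $2 ~ /^[0-9]+$/ { m = $2 }
        $1 == "ignore-cache-for-signing"             { s = "yes" }
        END {
            printf "default-cache-ttl=%d max-cache-ttl=%d ignore-cache-for-signing=%s\n", d, m, s
        }' "$1"
}

# cache_within_policy FILE LIMIT_SECONDS  (hypothetical helper name)
# Succeeds when max-cache-ttl does not exceed LIMIT_SECONDS (a limit you choose).
cache_within_policy() {
    max=$(agent_cache_settings "$1" | sed 's/.*max-cache-ttl=\([0-9]*\).*/\1/')
    [ "$max" -le "$2" ]
}

# Constructed sample configuration (not taken from the thread).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# cache a passphrase for 30 minutes after its last use, 4 hours at most
default-cache-ttl 1800
max-cache-ttl 14400
# always prompt before signing, even if the passphrase is cached
ignore-cache-for-signing
EOF

agent_cache_settings "$SAMPLE"
if cache_within_policy "$SAMPLE" 7200; then
    echo "max-cache-ttl is within the 2 hour limit"
else
    echo "max-cache-ttl exceeds the 2 hour limit"
fi
```
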
gpg-agent automatically use passphrase for signing subkey?
Hi

I have a program which encrypts and signs files; I supply the same key ID for both operations, the 'primary ID'.

My key actually consists of the main key and two subkeys, for encryption and signing.

I'm using gpg-agent to cache my passphrase.

I get asked for my passphrase (pinentry screen) once for the encryption key, and then again, for the signing key.

Can I instruct the agent to give the passphrase for any subkey? Given that they're both subkeys, the passphrases are the same.

Thanks

Chris Poole
[PGP BAD246F9]