Mailing List Archive: GnuPG: users

gpg-agent automatically use passphrase for signing subkey?

Index | Next | Previous | View Threaded

lists at chrispoole

Jul 21, 2011, 6:51 AM

Post #1 of 10 (419 views)
Permalink

gpg-agent automatically use passphrase for signing subkey?

Hi

I have a program which encrypts and signs files; I supply the same key
ID for both operations, the 'primary ID'.

My key actually consists of the main key and two subkeys, for
encryption and signing.

I'm using gpg-agent to cache my passphrase.

I get asked for my passphrase (pinentry screen) once for the
encryption key, and then again, for the signing key.

Can I instruct the agent to give the passphrase for any subkey? Given
that they're both subkeys, the passphrases are the same.

Thanks

Chris Poole
[PGP BAD246F9]

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

shavital at mac

Jul 21, 2011, 7:42 AM

Post #2 of 10 (417 views)
Permalink

Re: gpg-agent automatically use passphrase for signing subkey? [In reply to]

Chris Poole
<CAF=P9QD+TpgrPnLKK9QR9eFHSLgCOo8T3DtjUzrBi+bVsiSS-Q [at] mail>
wrote on 7/21/11 2:51:42 PM:
> Hi
>
> I have a program

Which version of GnuPG are you running, and where did you download it
from, please? Just for information.

which encrypts and signs files; I supply the same key
> ID for both operations, the 'primary ID'.
>
> My key actually consists of the main key and two subkeys, for
> encryption and signing.

This is the information pertaining to the key whose key ID is mentioned
in your e-mail:

pub 1024D/BAD246F9 created: 2006-03-31 expires: never usage: SC
trust: unknown validity: unknown
sub 2048D/7ED39759 created: 2010-12-11 expires: never usage: S
sub 4096g/E71D7B3E created: 2006-03-31 expires: never usage: E
[ unknown] (1). Chris Poole <chris [at] chrispoole>
[ unknown] (2) Chris Poole <lists [at] chrispoole>

> I'm using gpg-agent to cache my passphrase.
>
> I get asked for my passphrase (pinentry screen) once for the
> encryption key, and then again, for the signing key.

You are asked for your passphrase once for *decrypting* an e-mail that
has been encrypted using your public key; and then once again to sign an
e-mail. In other words, when you need to use your secret key.

> Can I instruct the agent to give the passphrase for any subkey? Given
> that they're both subkeys, the passphrases are the same.

gpg-agent *caches* your passphrase (in encrypted form) for each of the
two operations described above.

The passphrase remains cached (you are not requested to type it again)
for the value in seconds set in ~/.gnupg/gpg-agent.conf - You can edit
that file (gpg-agent.conf) with a suitable text editor (like TextEdit
that is a part of MacOSX, or with BBEdit light (freeware).

Best regards,
Charly
OSX 10.7 (11A511) MacBook Intel C2Duo 2GHz-GnuPG 1.4.11-MacGPG2-2.0.17
Shredder 8.0a1 (2011-07-21) Enigmail 1.3a1pre (20110717-1422)

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

lists at chrispoole

Jul 21, 2011, 8:40 AM

Post #3 of 10 (416 views)
Permalink

Re: gpg-agent automatically use passphrase for signing subkey? [In reply to]

Perhaps I explained poorly.

I'm using gpg 1.4.11, gpg-agent 2.0.17.

Is it possible to enter a passphrase using gpg-agent, and have it cached such
that it's used whenever I want to use any subkeys from the same main key?

Scenario:

I sign a file with my signing subkey, and give gpg-agent my passphrase.

I then decrypt another file, which has been encrypted using my encryption key,
which is a sister subkey to the signing key (i.e., they both have the same
parent 'main key'). Is it possible to not be prompted for my passphrase again
for this operation?

I understand that they're separate keys, so I'm being prompted twice, but they
are both belonging to the same primary key: can that passphrase apply to all
subkeys when entered for any one?

I hope that clarifies what I want to do...

Cheers

Chris Poole
[PGP BAD246F9]

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

shavital at mac

Jul 21, 2011, 9:30 AM

Post #4 of 10 (425 views)
Permalink

Re: gpg-agent automatically use passphrase for signing subkey? [In reply to]

Chris Poole
<CAF=P9QDHabJhB6V6iCde12qvvT1XY7MTyLp0_-3+0EU0FUytiQ [at] mail>
wrote on 7/21/11 4:40:17 PM:
> Perhaps I explained poorly.

You explained very clearly.

> I'm using gpg 1.4.11, gpg-agent 2.0.17.

You can have, as I do, both 1.4.11 and 2.0.17 installed side by side in
the same system.
You can use either one, as set in the path of your e=mail application.
You are using a @gmail.com based user ID, and the raw source of your
e-mail does not display which MUA you are using.

I am using Shredder, which is a trunk release of Thunderbird, where the
path, as displayed in OpenPGP/Preferences, is
/usr/local/MacGPG2/bin/gpg2. Thus I am using gpg2, in this case
MacGPG2-2.0.17-9

If instead I had set /usr/local/MacGPG2/bin/gpg , I would be using gpg,
that would be gpg 1.4.11

If you are using Apple's Mail application (under 10.6.8), it will chose
gpg2 by default. Under Lion, the Mailbundle for Apple's Mail application
does not work, it is being rewritten by a group of developers.
>
> Is it possible to enter a passphrase using gpg-agent, and have it cached such
> that it's used whenever I want to use any subkeys from the same main key?
>
> Scenario:
>
> I sign a file with my signing subkey, and give gpg-agent my passphrase.
>
> I then decrypt another file, which has been encrypted using my encryption key,
> which is a sister subkey to the signing key (i.e., they both have the same
> parent 'main key'). Is it possible to not be prompted for my passphrase again
> for this operation?
>
> I understand that they're separate keys, so I'm being prompted twice, but they
> are both belonging to the same primary key: can that passphrase apply to all
> subkeys when entered for any one?
>
> I hope that clarifies what I want to do...

Maybe *I* wasn't clear enough.

gpg-agent "goes" by *actions*: decrypt, or sign.

gpg-agent is invoked whenever you use your secret key, either for
decrypting or for signing.

As far as gpg-agent is concerned, those are two different *actions*.

When your passphrase has been cached for each of those *actions*, it
will remain in gpg-agent's "memory" for the duration of the cache set in
your home directory ~/.gnupg/gpg-agent.conf

Charly

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

lists at chrispoole

Jul 22, 2011, 2:38 AM

Post #5 of 10 (410 views)
Permalink

Re: gpg-agent automatically use passphrase for signing subkey? [In reply to]

On Thu, Jul 21, 2011 at 5:30 PM, Charly Avital <shavital [at] mac> wrote:

> gpg-agent "goes" by *actions*: �decrypt, or sign.
>
> gpg-agent is invoked whenever you use your secret key, either for
> decrypting or for signing.
>
> As far as gpg-agent is concerned, those are two different *actions*.
>
> When your passphrase has been cached for each of those *actions*, it
> will remain in gpg-agent's "memory" for the duration of the cache set in
> your home directory ~/.gnupg/gpg-agent.conf

That's a shame, but thanks.

Cheers

Chris Poole
[PGP BAD246F9]

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

shavital at mac

Jul 22, 2011, 3:57 AM

Post #6 of 10 (403 views)
Permalink

Re: gpg-agent automatically use passphrase for signing subkey? [In reply to]

Chris Poole
<CAF=P9QBCMFqKvv_49a5NySoSWZkh2Ka_Kjo5WJY2onM6Yhs04w [at] mail>
wrote on 7/22/11 10:38:39 AM:
> On Thu, Jul 21, 2011 at 5:30 PM, Charly Avital <shavital [at] mac> wrote:
>> When your passphrase has been cached for each of those *actions*, it
>> will remain in gpg-agent's "memory" for the duration of the cache set in
>> your home directory ~/.gnupg/gpg-agent.conf
>
> That's a shame, but thanks.

Shame?
I find it very convenient.

Take care and have a fine week end.
Charly

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

kloecker at kde

Jul 23, 2011, 7:30 AM

Post #7 of 10 (397 views)
Permalink

Re: gpg-agent automatically use passphrase for signing subkey? [In reply to]

On Friday 22 July 2011, Charly Avital wrote:
> Chris Poole
> <CAF=P9QBCMFqKvv_49a5NySoSWZkh2Ka_Kjo5WJY2onM6Yhs04w [at] mail>
>
> wrote on 7/22/11 10:38:39 AM:
> > On Thu, Jul 21, 2011 at 5:30 PM, Charly Avital <shavital [at] mac>
wrote:
> >> When your passphrase has been cached for each of those *actions*,
> >> it will remain in gpg-agent's "memory" for the duration of the
> >> cache set in your home directory ~/.gnupg/gpg-agent.conf
> >
> > That's a shame, but thanks.
>
> Shame?
> I find it very convenient.

You think it's convenient that you have to enter the same passphrase
twice, once when you want to sign something and then again when you want
to decrypt something?

There are surely use cases for this, but for someone like me who is
using gpg on a computer (resp. account) nobody else has (physical)
access to it's just an annoyance (albeit a minor one).

There is already the option --ignore-cache-for-signing (curiously the
corresponding option for decryption is missing, i.e. it's not possible
to use the cache for signing but not for decryption), so why not add
another option like --share-signing-and-decryption-cache? (I guess, if I
really wanted this I should provide a patch. :-) )

Regards,
Ingo

Attachments:

signature.asc (0.19 KB)

richard at r-selected

Jul 23, 2011, 7:48 AM

Post #8 of 10 (396 views)
Permalink

Re: gpg-agent automatically use passphrase for signing subkey? [In reply to]

As far as I know every subkey holds its own passphrase (per default,
they are all identical for a given primary key). This means that
passphrase requests are actually not action-based, but key-based.

Please correct me if I'm wrong. :)

Richard

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

lists at chrispoole

Jul 23, 2011, 9:32 AM

Post #9 of 10 (391 views)
Permalink

Re: gpg-agent automatically use passphrase for signing subkey? [In reply to]

2011/7/23 Ingo Kl�cker <kloecker [at] kde>:

> There is already the option --ignore-cache-for-signing (curiously the
> corresponding option for decryption is missing, i.e. it's not possible to use
> the cache for signing but not for decryption), so why not add another option
> like --share-signing-and-decryption-cache? (I guess, if I really wanted this I
> should provide a patch. :-) )

That was precisely my point; if anything, entering the passphrase twice is more
of a security risk than storing it for 2 subkeys at the same time (risk of being
overlooked, etc.).

Cheers

Chris Poole
[PGP BAD246F9]

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

wk at gnupg

Jul 24, 2011, 11:00 AM

Post #10 of 10 (388 views)
Permalink

Re: gpg-agent automatically use passphrase for signing subkey? [In reply to]

On Sat, 23 Jul 2011 16:30, kloecker [at] kde said:

> to use the cache for signing but not for decryption), so why not add
> another option like --share-signing-and-decryption-cache? (I guess, if I
> really wanted this I should provide a patch. :-) )

Actually an option is not even required. When importing a secret key in
2.1 we try to use the same passphrase before assuming they are
different. However this requires that we add a bit of extra code - I
think it can be done easily but there are more important tasks right
now.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads