gpg-agent cache keygrip
Werner Koch
wk at gnupg.org
Wed Jul 26 08:52:12 CEST 2017
On Tue, 25 Jul 2017 22:30, marfig at gmx.com said:
> I've been trying to understand gpg-agent cache behavior in the presence
> of two distinct keys with the same passphrase. Namely, why is that it
> only asks for the passphrase once, regardless of the key being used?
There is a kludge in gpg and gpg-agent described in this comment:
   /* The standard use of GPG keys is to have a signing and an
      encryption subkey.  Commonly both use the same
      passphrase.  We try to help the user to enter the
      passphrase only once by silently trying the last
      correctly entered passphrase.  Checking one additional
      passphrase should be acceptable; despite the S2K
      introduced delays.  The assumed workflow is:
        1. Read encrypted message in a MUA and thus enter a
           passphrase for the encryption subkey.
        2. Reply to that mail with an encrypted and signed
           mail, thus entering the passphrase for the signing
           subkey.
      We can often avoid the passphrase entry in the second
      step.  We do this only in normal mode, so not to
      interfere with unrelated cache entries. */
"normal modes" is one of the cache classes we have in gpg-agent. This
one is for unprotecting gpg or gpgsm keys.
If you want to follow what is going on, you may add
verbose
debug ipc,cache
log-file socket://
into gpg-agent.conf, restart the agent and run
watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log
on another tty.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
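To make the behaviour in that comment concrete, here is a small Python model of it: a per-keygrip passphrase cache plus one silent retry of the last correctly entered passphrase, applied only in the "normal" cache mode. This is an added illustration written for this archive page, not gpg-agent's own code or data structures. ToyAgent, ProtectedKey, protect(), mua_workflow(), the keygrip labels and the passphrases are constructed, the S2K function is a PBKDF2 stand-in rather than OpenPGP S2K, and the cache is simplified to a dictionary keyed by (keygrip, cache mode).

```python
"""Toy model of the gpg-agent passphrase-cache kludge quoted above.
Constructed illustration; not gpg-agent's implementation."""
import hashlib
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CACHE_MODE_NORMAL = "normal"   # cache class used when unprotecting gpg/gpgsm keys
CACHE_MODE_SSH = "ssh"         # another cache class; gets no last-passphrase retry here


def s2k(passphrase: str, salt: bytes) -> bytes:
    """Stand-in for the string-to-key function (PBKDF2, not OpenPGP S2K).
    Deliberately slow: every silent extra try costs one of these."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 20_000)


@dataclass(frozen=True)
class ProtectedKey:
    keygrip: str      # constructed label standing in for the real 40-hex-digit keygrip
    salt: bytes
    check: bytes      # s2k(passphrase, salt); a try succeeds when it matches


def protect(keygrip: str, passphrase: str) -> ProtectedKey:
    salt = os.urandom(8)
    return ProtectedKey(keygrip, salt, s2k(passphrase, salt))


class ToyAgent:
    def __init__(self, pinentry: Callable[[str], str]) -> None:
        self.pinentry = pinentry                            # asks the user for a keygrip's passphrase
        self.cache: Dict[Tuple[str, str], str] = {}         # (keygrip, cache mode) -> passphrase
        self.last_passphrase: Optional[str] = None          # last correctly entered passphrase
        self.s2k_tries = 0                                  # how many S2K computations were spent

    def _try(self, key: ProtectedKey, passphrase: str) -> bool:
        self.s2k_tries += 1
        return s2k(passphrase, key.salt) == key.check

    def unprotect(self, key: ProtectedKey, mode: str = CACHE_MODE_NORMAL) -> str:
        """Return which path unlocked the key: 'cache', 'last-passphrase' or 'pinentry'."""
        # 1. A cache entry for this keygrip in this cache mode.
        cached = self.cache.get((key.keygrip, mode))
        if cached is not None and self._try(key, cached):
            return "cache"
        # 2. The kludge: silently try the last correctly entered passphrase,
        #    in normal mode only, so other cache classes are left alone.
        if (mode == CACHE_MODE_NORMAL and self.last_passphrase is not None
                and self._try(key, self.last_passphrase)):
            self.cache[(key.keygrip, mode)] = self.last_passphrase
            return "last-passphrase"
        # 3. Fall back to asking the user.
        entered = self.pinentry(key.keygrip)
        if not self._try(key, entered):
            raise ValueError(f"bad passphrase for {key.keygrip}")
        self.cache[(key.keygrip, mode)] = entered
        self.last_passphrase = entered
        return "pinentry"


def mua_workflow(same_passphrase: bool,
                 sign_mode: str = CACHE_MODE_NORMAL) -> Tuple[List[str], List[str]]:
    """The workflow from the comment: decrypt a mail with the encryption
    subkey, then sign the reply with the signing subkey.
    Returns (unlock path per step, keygrips for which pinentry was shown)."""
    enc_pw = "shared-passphrase"                      # constructed sample values
    sig_pw = enc_pw if same_passphrase else "different-passphrase"
    enc = protect("ENC-SUBKEY-GRIP", enc_pw)
    sig = protect("SIG-SUBKEY-GRIP", sig_pw)
    answers = {enc.keygrip: enc_pw, sig.keygrip: sig_pw}
    prompted: List[str] = []

    def pinentry(keygrip: str) -> str:
        prompted.append(keygrip)
        return answers[keygrip]

    agent = ToyAgent(pinentry)
    paths = [agent.unprotect(enc), agent.unprotect(sig, mode=sign_mode)]
    return paths, prompted


if __name__ == "__main__":
    for same, mode in ((True, CACHE_MODE_NORMAL), (False, CACHE_MODE_NORMAL), (True, CACHE_MODE_SSH)):
        paths, prompted = mua_workflow(same, mode)
        print(f"same passphrase={same} sign mode={mode}: paths={paths} prompted={prompted}")
```

Running it shows the three cases the comment implies: with a shared passphrase the signing subkey is unlocked via the last-passphrase retry and pinentry appears once; with different passphrases the silent try fails, costing one extra S2K computation, and pinentry appears for both keygrips; and a request in a cache mode other than normal is never given the retry, so the two cache classes do not leak passphrases into each other.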