[Enigmail] GPG-AGENT preferences
Patrick Brunschwig
patrick at mozilla-enigmail.org
Fri Oct 26 06:50:18 PDT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dirk Wetter wrote:
> On 26.10.2007 12:14, Patrick Brunschwig wrote:
>> Dirk Wetter wrote:
>>> Hi all,
>>> the logic -- if I understand everything correctly --
>>> behind when to use gpg-agent and when not doesn't
>>> make sense to me. This seems to be one of the cases
>>> where a program wants to be smarter than me, a human. :-)
>>> A real world case: I have a Suse 10.3 system here
>>> where through some magic I do not understand -- and
>>> I do not care -- the GPG_AGENT_INFO environment variable is set.
>>> However there's no gpg-agent started/it died/whatsoever. Besides:
>>> Also if there would be one: heck, I don't want to use
>>> it. Also the config in TB/EM say "please don't use it, I
>>> don't want it". Why is that overridden?
>>> My suggestion is to give the power of decision whether to use
>>> the agent or not the switch "use gpg-agent for passphrase
>>> handling" --- as people would expect -- and not the existence
>>> of an environment variable.
>> The problem is not as easy as you think. It's true, it currently looks
>> like Enigmail refuses to accept what the user wants (which is basically
>> true). The reason for implementing it this way is that with GnuPG v2,
>> the use of gpg-agent is mandatory, i.e. GnuPG v2 does not work properly
>> if the gpg-agent doesn't work.
>
> Specifically the version 2 command line interface doesn't hiccup if
> GPG_AGENT_INFO exists && there's no agent as opposed to EM/TB:
>
> % set | grep -a GPG
> GPG_AGENT_INFO=/tmp/gpg-5UBfpf/S.gpg-agent:11502:1
> % dd if=/dev/zero of=test count=42
> 42+0 records in
> 42+0 records out
> 21504 bytes (22 kB) copied, 0.000182177 s, 118 MB/s
> % gpg -e test
> % rm -f test
> % gpg -d test.gpg >test
>
> You need a passphrase to unlock the secret key for user: "Dirk Wetter <XXXXXX>
> 2048-bit ELG key, ID XXXXX created 2003-11-26 (main key ID XXXXX)
>
> can't connect to `/tmp/gpg-5UBfpf/S.gpg-agent': No such file or directory
> gpg: can't connect to the agent - trying fall back
> can't lock memory: Cannot allocate memory
> Warning: using insecure memory!
> gpg: encrypted with 2048-bit ELG key, ID XXXXX, created 2003-11-26
> "Dirk Wetter <XXXXX>"
> % ls -l test
> -rw-r----- 1 me mygroup 21504 2007-10-26 14:15 test
>
>> Given this, I have decided to start to
>> adapt to GnuPG v2, and make use of gpg-agent whenever either
>> GPG_AGENT_INFO is set or GnuPG v2 is detected.
>
> What about the fallback solution above?
Yes, I know that some operations currently still work, but if you try
e.g. to edit a key, you will fail. In addition, Werner Koch has
clearly stated that even the basic operations will require gpg-agent in
the future.
>
>> In addition to the above, the use of gpg-agent has another advantage: it
>> solves the problem of having several keys with different passwords.
>
> [Yes, I read about that here (albeit forgot the point), but personally I
> never had a problem with that before. ]
>
>> If you don't want to use gpg-agent, then you must unset GPG_AGENT_INFO.
>
> Ok, I certainly can do that with a wrapper (or within xsession) as a
> workaround.
>
> But what is the point of the button in the preferences then?
It will go away in the future. It is still there to activate gpg-agent
for gpg v1.4 if you didn't start gpg-agent outside Thunderbird.
> Why not look for the env variable, try to connect to the agent, and if it
> fails fall back to standard behavior? That must somehow be possible (the
> manpage lets one assume that it is not, but since one can do that on the
> command line...)?!
It is possible, and I'm actually doing it to report failures with gpg2.
But the existence of a valid GPG_AGENT_INFO environment variable
indicates that some gpg-agent must be around; otherwise your environment
is not set up properly(!).
- -Patrick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEVAwUBRyHwmncOpHodsOiwAQJzcAf/SM8VNDX7Yk4dU6WzZMEe74v7qTfXAZ5z
nsoaXmttbXT7NBOq36jbQoouTnD6QLWEVMc0Np7DoJMAEe+M5XKwZCo/zLhk9/U1
l5RkCDItRXpx+cJg5w/qnckdAvgKh/eF8LOnt6lR3TxxTSFPDh+sQzFwUAcrqWRW
rG8X0WrpcMVe4FhcwwFM72lWVdjiV7fSULvxh16WYiMmwsxTTT3f4c2dtTET4bIc
OPPSO957aL/XM5Nkqd586olAWoT2/o43zfcXzOI017U3xH6izihDtL5shIeW2iaj
vuv8zpAW/k4ihh9KhJq1Q0lkYa1lv0p0EvDxTal/teW3MxQJtQaacw==
=IbUZ
-----END PGP SIGNATURE-----
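The wrapper Dirk mentions as a workaround (drop GPG_AGENT_INFO when it points at no running agent, so that gpg and Enigmail see a clean environment) can be written in a few lines of POSIX sh. The script below is an added example, not code from the Enigmail project or from GnuPG. It assumes the GnuPG 1.4/2.0 format of the variable shown in the transcript above, "<socket-path>:<pid>:<protocol-version>", and checks both halves of that promise: the Unix socket must exist and the pid must still be alive. (GnuPG 2.1 and later no longer use GPG_AGENT_INFO at all and locate the agent through a fixed socket path, so this check is only meaningful for the versions discussed in this thread.)

```shell
# Added example (not Enigmail or GnuPG code): refuse to trust a stale
# GPG_AGENT_INFO before running gpg. Assumes the GnuPG 1.4/2.0 value
# format "<socket-path>:<pid>:<protocol-version>", e.g.
#   /tmp/gpg-5UBfpf/S.gpg-agent:11502:1

# Print the socket path part of an agent-info string.
# Fields are split from the right so a socket path containing ':' survives.
agent_info_socket() {
    rest=${1%:*}                 # drop ":<protocol-version>"
    printf '%s\n' "${rest%:*}"   # drop ":<pid>"
}

# Print the pid part of an agent-info string.
agent_info_pid() {
    rest=${1%:*}                 # drop ":<protocol-version>"
    printf '%s\n' "${rest##*:}"  # keep what follows the last ':'
}

# Return 0 only if the string names an existing Unix socket and a live pid.
agent_info_valid() {
    info=$1
    [ -n "$info" ] || return 1
    sock=$(agent_info_socket "$info")
    pid=$(agent_info_pid "$info")
    [ -S "$sock" ] || return 1            # socket file must exist and be a socket
    case $pid in ''|*[!0-9]*) return 1 ;; esac   # pid must be numeric
    # kill -0 sends no signal; it fails if the pid is gone, or if the
    # process is not ours (an agent we did not start is also not to be trusted).
    kill -0 "$pid" 2>/dev/null
}

# Unset GPG_AGENT_INFO unless it points at a reachable agent.
sanitize_agent_env() {
    if [ -n "${GPG_AGENT_INFO:-}" ] && ! agent_info_valid "$GPG_AGENT_INFO"; then
        printf 'warning: GPG_AGENT_INFO=%s names no running agent; ignoring it\n' \
            "$GPG_AGENT_INFO" >&2
        unset GPG_AGENT_INFO
    fi
}

# Wrapper entry point (hypothetical name): save this file as e.g. ~/bin/gpg-noagent,
# append a line  gpg_wrapper "$@"  and point Enigmail at it, or call
# sanitize_agent_env from ~/.xsession before Thunderbird starts.
gpg_wrapper() {
    sanitize_agent_env
    exec gpg "$@"
}
```

The `kill -0` test is what distinguishes "the socket file is still lying around in /tmp" from "an agent is actually listening"; a dead agent often leaves its socket behind, which is exactly the situation in the transcript where gpg reports "can't connect to the agent - trying fall back".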