Bug#623539: GnuPG 2.0 and gnome-keyring

Werner Koch wk at gnupg.org
Tue Apr 14 08:55:29 UTC 2015


I know that it is quite late for the Jessie release but while chatting
with Neal on Sunday he remarked that he recently installed Jessie with
XFCE and had to patch GKR to make GnuPG work.  Thus the meanwhile well
known problems with 2.1 and GKR do not only affect GNOME but also XFCE.
This is quite bad for future GnuPG 2.1 adaption.  But it gets worse:

The common believe is that for GnuPG 2.0 the effect of GKR hijacking the
gpg/gpg-agent IPC is that only gpgsm and smartcards won't work.  I
looked closer at possible problems and figured that if your run GKR it
will also weaken all passphrases used by gpg.  Since GnuPG 2.0.14, which
was release in 2009, we have this feature:

 * New and changed passphrases are now created with an iteration count
   requiring about 100ms of CPU work.

With GKR faking gpg-agent that does not work and the old default
iteration count is used.  For example on my X220 this leads to a 300
times lower iteration count (work factor) for OpenPGP passphrases.  I
have seen CVEs issued for less problematic security degrades.

Sure it is possible to manually configure a different S2K count but
gpg-agent allows to do that automatically because gpg-agent is a long
running process and can calibrate that value.

It seems the GKR author is willing to remove that hijacking only if we
provide a new Pinentry to support gnome-keyring.  Well, that can of
course be done but to me adding a new feature to GNOME has not top
priority.  Adding necessary features to GnuPG itself will of course be
done so to help writing a Gnome-Pinentry.

Even without a new Gnome-Pinentry it is important to stop the hijacking
of the gpg-agent IPC now.  GKR being able to store passphrases for
OpenPGP keys is merely a feature while inhibiting the use of gpgsm,
smartcards, and iteration count calibration are bugs.

Any chance to disable the gpg-agent component in GKR?

See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=623539
(Takes over GPG and SSH agents from gnupg-agent and ssh-agent)



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the pkg-gnome-maintainers mailing list