Bug#933516: gnome-keyring: should expose whether it is using an unencrypted keyring

Helmut Grohne helmut at subdivi.de
Wed Jul 31 07:25:18 BST 2019


Package: gnome-keyring
Version: 3.28.2-5
Severity: important
Tags: security

I've come across a bad interaction between gnupg2 and gnome-keyring.
With the help of Daniel Kahn Gillmor, I could sort out some of the
causes. In essence, pinentry-gnome3 focus-steals a check box that
effectively stores your gpg pass phrase unencrypted on disk forever.

gnome-keyring is a dependency of other packages (such as evolution) and
as such not consciously installed. Once installed, it automatically
starts and provides its services to client applications. It somehow
decides how to store its keyring and the default seems to be encrypted,
but in some situations it degrades to an unencrypted keyring without any
user interaction. You cannot rely on your gnome-keyring to be encrypted.
Now pinentry-gnome3 offers a checkbox to store your gpg pass phrase in
this (possibly unencrypted) keyring. pinentry-gnome3 has the habit of
stealing focus, which is prone to unintended actions such as checking
exactly that box.

It is difficult to blame any single one of these aspects for the whole
interaction. Each aspect makes sense of its own, but the combination is
bad.

To alleviate that, Daniel proposes that gnome-keyring (or maybe it is
libsecret, please reassign if necessary) communicates how the keyring is
stored. Then, client applications such as pinentry-gnome3 can base
policy decisions on the results. It would make sense for pinentry-gnome3
to only offer the "save in password manager" checkbox if the keyring is
actually protected in some way. The first step to getting there is
providing the information (== this bug report).

Daniel also provided a way to prevent this interaction in general:
echo no-allow-external-cache >> ~/.gnupg/gpg-agent.conf
Doing so prevents any pinentry to ever share its passphrase with other
applications such as gnome-keyring. Depending on how you use gpg (e.g.
when password-store is your primary password manager), this may be your
intended policy. It seems though that --no-allow-external-cache is not a
sane default for standard gnome installations.

Helmut
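Added example (not code from the bug report, gnome-keyring or gnupg): a small script that does the two things a user can do today, before gnome-keyring exposes the information this bug asks for. It sniffs the on-disk format of each keyring file to tell an encrypted keyring from a plaintext one, and it idempotently adds the no-allow-external-cache line quoted above to ~/.gnupg/gpg-agent.conf. The file-format knowledge is an assumption about gnome-keyring's storage, not something the report states: an encrypted keyring file begins with the 16-byte magic "GnomeKeyring\n\r\0\n", while a plaintext keyring is a GKeyFile text file whose first group is "[keyring]". The default keyring directory ~/.local/share/keyrings is likewise assumed.

```python
"""Added example, not from the bug report, gnome-keyring or gnupg.

Assumptions (not stated in the report):
  * encrypted gnome-keyring files start with b"GnomeKeyring\n\r\x00\n"
  * plaintext gnome-keyring files are GKeyFile text starting with "[keyring]"
  * keyrings live in ~/.local/share/keyrings (default XDG data dir)
"""
from pathlib import Path

BINARY_MAGIC = b"GnomeKeyring\n\r\x00\n"   # assumed header of the encrypted format
TEXT_MAGIC = b"[keyring]"                  # assumed header of the plaintext format
OPTION = "no-allow-external-cache"         # the gpg-agent.conf line from the report


def classify_keyring(data: bytes) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' for the start of a keyring file."""
    if data.startswith(BINARY_MAGIC):
        return "encrypted"
    if data.lstrip().startswith(TEXT_MAGIC):
        return "plaintext"
    return "unknown"


def scan_keyrings(keyring_dir: Path) -> dict:
    """Map each *.keyring file in keyring_dir to its classification."""
    result = {}
    for path in sorted(keyring_dir.glob("*.keyring")):
        with open(path, "rb") as f:
            result[path.name] = classify_keyring(f.read(64))
    return result


def has_option(conf_text: str) -> bool:
    """True if gpg-agent.conf text already enables the option (comment lines ignored)."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if stripped == OPTION:
            return True
    return False


def ensure_option(conf_text: str) -> str:
    """Return conf_text with the option appended exactly once; existing content is kept."""
    if has_option(conf_text):
        return conf_text
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + OPTION + "\n"


def main():
    home = Path.home()
    keyrings = home / ".local" / "share" / "keyrings"   # assumed default location
    if keyrings.is_dir():
        for name, kind in scan_keyrings(keyrings).items():
            print(f"{name}: {kind}")
    else:
        print(f"no keyring directory at {keyrings}")

    conf = home / ".gnupg" / "gpg-agent.conf"
    old = conf.read_text() if conf.exists() else ""
    new = ensure_option(old)
    if new != old:
        conf.parent.mkdir(mode=0o700, exist_ok=True)
        conf.write_text(new)
        print(f"added {OPTION} to {conf}; run: gpgconf --reload gpg-agent")
    else:
        print(f"{OPTION} already set in {conf}")


if __name__ == "__main__":
    main()
```

A keyring reported as "plaintext" is the case the report warns about: anything pinentry-gnome3 saves there sits on disk unencrypted. The script only appends to gpg-agent.conf and never rewrites other lines, and the running agent has to be told to re-read its configuration (gpgconf --reload gpg-agent) before the new policy takes effect.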
