[pkg-gnupg-maint] Bug#847552: Bug#847552: gnupg: decrypting after X pinentry is sometimes slow: around 10 seconds on a small file

Werner Koch wk at gnupg.org
Sun Dec 18 17:14:27 UTC 2016


On Sun, 18 Dec 2016 17:00, jspricke at debian.org said:

> which led me to this patch:

This is

    agent: Kludge to mitigate blocking calls in Libgcrypt.
    
    * agent/gpg-agent.c (agent_libgcrypt_progress_cb): Sleep for 100ms on
    "need_entropy".
    --
    
    During key generation Libgcrypt will read from /dev/random which may
    block.  Libgcrypt is not nPth aware and thus the entire process will
    block.  Fortunately there is also a select with a short timeout to run
    the progress callback.  We detect this in gpg-agent and introduce a
    short delay to give other threads (i.e. connections) an opportunity to
    run.
    
    This alone is not sufficient, an updated Libgpg-error is also required
    to make the lock functions nPth aware.

Are you also using libgpg_error 1.25?  If there is not enough entropy
available it should not harm to wait a bit and relinquish control to
other threads.  Unless other processes contend for entropy from the
kernel this sleep call can't be the reason for your delays.  Well, we
could reduce it to 20ms or so.

> needs entropy when doing gpg -d.

gpg needs to initialize its own RNG in almost all cases.  This is
required for the generation of an internal cookie to verify
--clearsigned messages and also for the RSA blinding (to mitigate side
channel attacks).

Do you have a ~/.gnupg/random_seed ?


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
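
The following diagnostic is an added example, not part of the message above and not GnuPG code. It checks the two things the message asks about: whether the GnuPG home directory has a usable `random_seed`, and how much entropy the kernel reports. The function names, the 600-byte seed size (an assumption about libgcrypt's pool size) and the permission check are introduced here.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): inspect the seed file and kernel entropy.

# Assumption: libgcrypt's CSPRNG seed file is exactly 600 bytes (its pool size)
# and a file of any other size is ignored at startup.
SEED_SIZE=600

# seed_status HOMEDIR
# Prints: missing | not-regular | unreadable | empty | wrong-size | loose-perms | ok
seed_status() {
    f="$1/random_seed"
    if [ ! -e "$f" ] && [ ! -L "$f" ]; then echo missing; return; fi
    if [ -L "$f" ] || [ ! -f "$f" ]; then echo not-regular; return; fi
    if [ ! -r "$f" ]; then echo unreadable; return; fi
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -eq 0 ]; then echo empty; return; fi
    if [ "$size" -ne "$SEED_SIZE" ]; then echo wrong-size; return; fi
    # Hardening check added here: the file holds RNG state, so group/other
    # should have no access (mode string characters 5-10 all '-').
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then echo loose-perms; return; fi
    echo ok
}

# kernel_entropy: prints the Linux entropy estimate, or "unknown" elsewhere.
kernel_entropy() {
    p=/proc/sys/kernel/random/entropy_avail
    if [ -r "$p" ]; then cat "$p"; else echo unknown; fi
}

# report HOMEDIR: one line per check, suitable for pasting into a bug report.
report() {
    echo "random_seed: $(seed_status "$1")"
    echo "entropy_avail: $(kernel_entropy)"
}

report "${GNUPGHOME:-$HOME/.gnupg}"
```

A result other than `ok` means gpg most likely has to seed its RNG from the kernel on every start, which is where a low `entropy_avail` would show up as a delay.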