[pkg-gnupg-maint] Bug#836772: Bug#836772: Working solution

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 7 20:21:51 UTC 2016


On Fri 2016-10-07 14:07:14 -0400, Matthew Orlando wrote:
> This works fine for me:
>
>     # export GNUPGHOME=/home/soandso/.gnupg
>     # gpg-agent --allow-loopback-pinentry --daemon
>     # gpg --clearsign --pinentry-mode=loopback

I think you're saying that you're doing these commands as a different
user than user "soandso" -- is that right?  if so, it seems like you'll
be creating sockets in /home/soandso/.gnupg/ (which most users shouldn't
have write access to) when you launch gpg-agent here, which might cause
trouble in the future.

Also, current versions of gpg-agent in testing and unstable (2.1.15)
default to --allow-loopback-pinentry, so that flag isn't needed.

if the goal is protection of secret key material by a separate
(non-privileged) user account, this seems like a troublesome way to do
it.  it appears to assume:

 (a) that you're willing to run gpg-agent and gpg both as the superuser

 (b) that the soandso account will still have access to the secret
     keyring anyway

can you explain what your goal is here?  what's the security benefit to
this approach?

     --dkg
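
An ownership check for the situation discussed in this message, as an added example that is not part of the original thread: it reports when the account about to start gpg-agent is not the owner of the GnuPG home directory, and lists anything inside it that the owner does not own. The names `check_gnupghome` and `owner_uid` are hypothetical helpers; the path in the usage comment is the one from the quoted commands.

```shell
#!/bin/sh
# Added example: ownership audit for a GnuPG home directory.
# check_gnupghome and owner_uid are hypothetical helper names.

# Print the numeric uid that owns a path (GNU stat first, BSD stat as fallback).
owner_uid() {
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# check_gnupghome DIR [CALLER_UID]
#   0: DIR and everything in it belong to CALLER_UID (default: effective uid)
#   1: the caller is not the owner, or DIR holds entries owned by someone else
#   2: DIR does not exist
check_gnupghome() {
    dir=$1
    caller=${2:-$(id -u)}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    dir_uid=$(owner_uid "$dir")
    rc=0

    # Case from the thread: agent started by one account, homedir owned by another.
    if [ "$dir_uid" != "$caller" ]; then
        echo "uid $caller would run gpg-agent in a homedir owned by uid $dir_uid"
        rc=1
    fi

    # Leftovers of such a run: sockets or files the homedir owner does not own.
    foreign=$(find "$dir" ! -user "$dir_uid" 2>/dev/null)
    if [ -n "$foreign" ]; then
        echo "entries not owned by uid $dir_uid:"
        echo "$foreign" | sed 's/^/  /'
        rc=1
    fi
    return "$rc"
}

# Stand-alone use: sh check.sh /home/soandso/.gnupg
if [ "$#" -gt 0 ]; then
    check_gnupghome "$@"
fi
```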