[pkg-gnupg-maint] Bug#951025: Bug#951025: gnupg: GPG tries to get passphrase from wrong place

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Feb 27 22:47:14 GMT 2020


Control: severity 951025 normal

On Sun 2020-02-09 23:27:39 +0000, Matthew Wakeling wrote:
> I am justifying the severity marking of this bug report, because it
> does prevent gnupg working correctly in the majority of its use
> cases. If there is a nice simple on/off switch that makes it behave
> sanely that I have missed, then please downgrade the severity and
> document it.

Hi, I don't mean to play severity ping-pong, but "the majority of its
use cases" is not the same as "My machine currently has a desktop open,
but is locked, and I'm ssh'ed in from another computer" :)

I agree that this situation is frustrating, but it has been extensively
documented, for example in https://bugs.debian.org/842015 and
https://dev.gnupg.org/T2818

> The problem is that passphrase prompts now are centrally controlled,
> which fundamentally breaks the way that computers are used - you log
> in from various different places. The passphrase prompt must go to the
> session that caused the passphrase to be needed. Any other action is
> completely insane.

You may want to reconsider your strong language here.  Having an agent
that always prompts where it was launched is a sensible approach,
especially if you want to provide tentative access to the agent to other
services, but control the prompting from the original location, in order
to retain control over the secrets stored in the agent.  While this
situation might not be what you personally care about, it's a far
stretch from "completely insane".

At any rate, please report what version of pinentry you are using on
this host, as the choice of pinentry might make a difference.  I believe
that pinentry-gnome3 is best equipped to deal with the circumstance
you're running into.

I also recommend upgrading to Debian stable (buster) where some of the
use cases that you care about might have been better addressed.

Thanks for taking the time to report the problem!

Regards,

     --dkg