[pkg-gnupg-maint] Bug#1117777: gpg-agent: handling of max-cache-ttl values is broken since trixie upgrade

Steve McIntyre steve at einval.com
Fri Oct 10 17:59:11 BST 2025


Package: gpg-agent
Version: 2.4.8-3
Severity: important

Hi!

I'm using gpg-agent to store passphrases for a software-signing server
at Pexip. We've been doing this for quite some time, and it has worked
well until now. With the upgrade to Trixie, things have broken. :-(

I've debugged and found the problem: something has changed in the
handling of the "max-cache-ttl" value for gpg-agent and it now breaks
on values which are > 2^31.

We've been using

  max-cache-ttl 4294967295

(i.e. 2^32 - 1) in our config previously, so as to keep passphrases
cached for a very long time. This worked just fine. Since the upgrade,
testing showed that passphrases were being expired *immediately* after
being preset. I've debugged the problem, then experimented with a
range of values. With 7000000000, we see in gpg log output:

...
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 -> OK
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- IMPORT_KEY --timestamp=20251010T163401 --unattended
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 -> [[Confidential data not shown]]
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- [[Confidential data not shown]]
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- [[Confidential data not shown]]
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- [[Confidential data not shown]]
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- [[Confidential data not shown]]
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 -> OK
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- [eof]
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- OPTION allow-pinentry-notify
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 -> OK
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- PRESET_PASSPHRASE D8DCC1D7BB6EEFC7BBBFF6171CA56B8BB531D043 -1 546572587032764D506C31647A383565744576736E6F6D63794645696E647231434E456D6854326A6668587672446D4B5335666B7442316859494D4257526D4E42647731634568674866394A6C685331
2025-10-10 16:35:42 gpg-agent[284612] DBG: agent_put_cache 'D8DCC1D7BB6EEFC7BBBFF6171CA56B8BB531D043'.0 (mode 1) requested ttl=-1
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 -> OK
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 <- BYE
2025-10-10 16:35:42 gpg-agent[284612] DBG: chan_12 -> OK closing connection
2025-10-10 16:35:42 gpg-agent[284612] npth_pselect failed: Invalid argument - waiting 1s
2025-10-10 16:35:43 gpg-agent[284612] DBG:   expired 'D8DCC1D7BB6EEFC7BBBFF6171CA56B8BB531D043'.0 (7000000000s after creation)
2025-10-10 16:35:43 gpg-agent[284612] DBG: chan_12 <- RESET
2025-10-10 16:35:43 gpg-agent[284612] DBG: chan_12 -> OK
...

Both the "npth_pselect" and the "expired" messages near the end here
are caused by bad handling of the max-cache-ttl timeout
value.

Switching to "2000000000", everything works fine. For now, that has
solved my problem so we can go ahead with the upgrade.

I haven't yet dug into the source code to find the cause here - let me
know if you'd like me to do that...

Cheers,

Steve
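Added example, not gpg-agent's code: a small C check that flags a cache TTL above INT32_MAX in a gpg-agent.conf line before the agent ever sees it, together with a function showing what 4294967295 or 7000000000 collapses to if any code path narrows the value to a signed 32-bit integer. The report leaves the actual cause inside gpg-agent open, so the narrowing is an illustration of the value range involved, not a claim about where it happens; check_ttl_option, narrow_to_int32 and the ttl_status enum are hypothetical names, and the sample lines are constructed from the values in the report.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum ttl_status { TTL_OK = 0, TTL_NOT_TTL_OPTION, TTL_INVALID, TTL_EXCEEDS_INT32 };

/* Two's-complement wrap of a wide value into int32_t using only well-defined
 * operations (a plain cast of an out-of-range value to a signed type is not).
 * 4294967295 -> -1, 7000000000 -> -1589934592. */
int32_t narrow_to_int32(unsigned long long v)
{
    uint32_t u = (uint32_t)v;   /* unsigned narrowing is defined: keeps the low 32 bits */
    return u > (uint32_t)INT32_MAX ? -(int32_t)(UINT32_MAX - u) - 1 : (int32_t)u;
}
static int ends_token(char c) { return c == '\0' || isspace((unsigned char)c); }

/* Validate one gpg-agent.conf line. Comments, blanks and unrelated options give
 * TTL_NOT_TTL_OPTION; *value (may be NULL) receives the number when it parsed. */
enum ttl_status check_ttl_option(const char *line, unsigned long long *value)
{
    static const char *const opts[] = { "default-cache-ttl", "default-cache-ttl-ssh",
                                        "max-cache-ttl", "max-cache-ttl-ssh" };
    const char *p = line; size_t i, n = 0;
    while (isspace((unsigned char)*p)) p++;
    for (i = 0; i < sizeof opts / sizeof *opts && n == 0; i++)
        if (strncmp(p, opts[i], strlen(opts[i])) == 0 && ends_token(p[strlen(opts[i])]))
            n = strlen(opts[i]);   /* "max-cache-ttl-ssh" must not match "max-cache-ttl" */
    if (n == 0) return TTL_NOT_TTL_OPTION;
    for (p += n; isspace((unsigned char)*p); p++) ;
    if (!isdigit((unsigned char)*p)) return TTL_INVALID;   /* "", "-1", "abc" */
    char *end; errno = 0;
    unsigned long long v = strtoull(p, &end, 10);
    if (errno == ERANGE) return TTL_INVALID;               /* does not even fit 64 bits */
    while (isspace((unsigned char)*end)) end++;
    if (*end != '\0') return TTL_INVALID;                  /* trailing junk */
    if (value) *value = v;
    return v > (unsigned long long)INT32_MAX ? TTL_EXCEEDS_INT32 : TTL_OK;
}

int main(void)
{   /* constructed sample lines using the values discussed in the report */
    const char *lines[] = { "max-cache-ttl 4294967295", "max-cache-ttl 7000000000",
                            "max-cache-ttl 2000000000", "# max-cache-ttl 1" };
    for (size_t i = 0; i < 4; i++) {
        unsigned long long v = 0; int s = check_ttl_option(lines[i], &v);
        printf("%-26s status=%d narrowed=%d\n", lines[i], s, (int)narrow_to_int32(v));
    }
    return 0;
}
```

Status 3 (TTL_EXCEEDS_INT32) on any *-cache-ttl line is the condition to look for when auditing a config before an upgrade; 2000000000 passes because it fits in a signed 32-bit integer.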