When I pre-cache a password of a fresh key:
         

        # Generate key
        gpg2 --batch --passphrase foo --quick-generate-key t...@test.com 
rsa4096 sign 5

        .. extract keygrip of the just-generated key ...

        # Precache password for next operations:
        gpg-preset-passphrase  --preset -P foo 
6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7 
        
                2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 <- 
PRESET_PASSPHRASE 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7 -1 666F6F
                2017-07-30 09:12:51 gpg-agent[10565] DBG: agent_put_cache 
'6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7' (mode 1) requested ttl=-1
                2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 -> OK

I find that this works splendidly on a normal sign operation
        
        echo foo | gpg2  --sign --armour

                2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 <- HAVEKEY 
6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7
                2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 -> OK
                2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 <- KEYINFO 
6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7
                2017-07-30 09:12:51 gpg-agent[10565] DBG: agent_get_cache 
'6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7' (mode 2) ...
                2017-07-30 09:12:51 gpg-agent[10565] DBG: ... hit
                ….
                2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_10 <- SETKEYDESC 
Please+enter….
                …
                2017-07-30 09:12:51 gpg-agent[10565] DBG: agent_get_cache 
'6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7' (mode 2) ... 

but fails on a quick-key-add:

        gpg2  --batch --quick-add-key B447C69E35DF57D7691AA4B6B98648C42890DF09 
rsa4096 sign 2 

        
                2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 <- KEYINFO 
6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7
                2017-07-30 09:12:51 gpg-agent[10565] DBG: agent_get_cache 
'6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7' (mode 2) ...
                2017-07-30 09:12:51 gpg-agent[10565] DBG: ... hit
                2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 -> S KEYINFO 
6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7 D - - 1 P - - -
                2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 -> OK
                2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 <- SETKEYDESC 
Please+enter+…..
                2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 -> OK
                2017-07-30 09:12:51 gpg-agent[10565] DBG: chan_14 <- PASSWD  
--verify 6E81A32570329F1FB5A24106B2E0F3C0CC4B3FD7
                2017-07-30 09:12:51 gpg-agent[10565] starting a new PIN Entry 

Which then goes into the usual pinentry sequence (which completes fine when 
given the password).

The gpg-agent.conf has longish TTLs and lax settings:

        allow-preset-passphrase
        default-cache-ttl 300
        max-cache-ttl 300

Is there any setting that needs to be added to allow the ‘special’ sort of sign 
case ?

With kind regards.

Dw.

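#!/bin/sh
#
# Exercise gpg-preset-passphrase against a throw-away GNUPGHOME:
# generate a signing key, pre-cache its passphrase by keygrip, then
# sign and add subkeys with --quick-add-key. Everything lives on an
# ephemeral volume (encrypted, when hdiutil is available) that is
# torn down at the end.
#
# Environment: TMPDIR, VOLNAME and LOGFILE may be overridden; DAYS and
# SUBDAYS are exported as the validity periods of the key and subkeys.
#
set -e
# NOTE: the trace echoes the --passphrase / -P arguments on stderr; that is
# acceptable only because this is a throw-away test key.
set -x

TMPDIR=${TMPDIR:-/tmp}
VOLNAME=${VOLNAME:-gnupg.tmp.$$}
TMPSTORE=${TMPDIR}/${VOLNAME}
GNUPGHOME=/Volumes/${VOLNAME}
PASSWD='foo'

PGP=/usr/local/bin/gpg2
SM=/usr/local/bin/gpgsm            # kept for the commented keygrip alternative below
PRESET=/usr/local/libexec/gpg-preset-passphrase

SIZE=5M

export DAYS=5
export SUBDAYS=2

# The guru-level agent log records PRESET_PASSPHRASE with the passphrase in
# hex, so it must not land at a predictable, world-readable path such as
# /tmp/sc.log: mktemp gives a private (0600) file whose name is printed at
# the end so the run can still be inspected.
LOGFILE=${LOGFILE:-$(mktemp "${TMPDIR}/sc.log.XXXXXX")}

# Use an ephemeral disk if we can.
#
if test -x /usr/bin/hdiutil; then
        export RANDFILE=~/.openssl.rand.state
        # The volume key is fed on stdin (-stdinpass) so it never shows up in argv.
        openssl rand -base64 128 |
                /usr/bin/hdiutil create -attach -stdinpass -quiet \
                -encryption -size "${SIZE}" -fs HFS+ \
                -volname "${VOLNAME}" "${TMPSTORE}"
        # The image stays attached after its backing file is unlinked.
        rm -f "${TMPSTORE}.dmg"
else
        GNUPGHOME=${TMPSTORE}
        mkdir -p "${GNUPGHOME}"
        chmod 700 "${GNUPGHOME}"
fi

# Run the key work in a subshell and capture its status with '||' so that a
# failure still reaches the cleanup below: under 'set -e' a bare ( ... )
# that fails would abort the script before E is recorded and the agent
# killed / the volume removed.
E=0
(
export GNUPGHOME

cat > "${GNUPGHOME}/gpg-agent.conf" <<EOM

# Bit annoying we need this - despite no user interaction.
pinentry-program /usr/bin/pinentry-curses

debug-quick-random
allow-preset-passphrase
default-cache-ttl 300
max-cache-ttl 300
# batch

debug-level guru
log-file ${LOGFILE}
EOM

${PGP} --verbose --homedir "${GNUPGHOME}" \
        --batch --passphrase "${PASSWD}" \
        --quick-generate-key \
        t...@test.com rsa4096 sign "${DAYS}"

# The fingerprint is field 10 of the first 'fpr:' record; only the primary
# key exists at this point. awk avoids clobbering IFS and "$@" the way
# 'IFS=:; set $(...)' did.
FPR=$( ${PGP} --homedir "${GNUPGHOME}" --list-secret-keys --with-colons |
        awk -F: '/^fpr:/ { print $10; exit }' )

if [ "${#FPR}" -ne 40 ]; then
        echo "Generation failed, FPR not 40 bytes." >&2
        exit 1
fi

# gpg-preset-passphrase wants the keygrip, not the fingerprint; it is
# field 10 of the 'grp:' record.
# Alternatives that yield the same value:
#   ${SM} --homedir ${GNUPGHOME} --dump-secret-key | grep keygrip:
#   gpg-connect-agent --homedir ${GNUPGHOME} 'keyinfo --list' /bye | head -1
KEYGRIP=$( ${PGP} --homedir "${GNUPGHOME}" --with-keygrip --list-secret-keys --with-colons |
        awk -F: '/^grp:/ { print $10; exit }' )
if [ "${#KEYGRIP}" -ne 40 ]; then
        echo "Could not determine keygrip for ${FPR}." >&2
        exit 1
fi
${PRESET} --homedir "${GNUPGHOME}" --preset -P "${PASSWD}" "${KEYGRIP}"

# Check that signing works from the cache (no pinentry expected).
echo foo | ${PGP} --homedir "${GNUPGHOME}" --sign --armour

# Add one subkey per usage; the three invocations differ only in usage.
for usage in sign encr auth; do
        ${PGP} --homedir "${GNUPGHOME}" \
               --batch \
               --quick-add-key \
               "${FPR}" rsa4096 "${usage}" "${SUBDAYS}"
done

# --with-fingerprint given twice also prints the subkey fingerprints.
${PGP} --homedir "${GNUPGHOME}" \
        --verbose --list-secret-keys --with-fingerprint --with-fingerprint

# ... lots of validation stuff snipped (elided in the original post) ...

) || E=$?

# Kill the daemons that served the temporary home, not the ones in the
# caller's default GNUPGHOME: gpgconf takes the home from the environment,
# which was only exported inside the subshell above.
export GNUPGHOME
gpgconf --kill gpg-agent
gpgconf --kill scdaemon
gpgconf --kill dirmngr

if test -x /usr/bin/hdiutil; then
        # detach (rather than unmount) also releases the unlinked image.
        hdiutil detach -force "${GNUPGHOME}"
else
        # ':?' aborts instead of running 'rm -rf /' if the variable is empty.
        rm -rf "${GNUPGHOME:?}"
fi

echo "gpg-agent log kept at ${LOGFILE}" >&2
exit $E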

