https://bugs.kde.org/show_bug.cgi?id=458085

--- Comment #59 from Thiago Macieira <thi...@kde.org> ---
> @Thiago, the issue is bigger than just synchronous vs asynchronous. The
> issue is that if you use a GPG wallet, with Secret Service provided by
> KWallet, and while allowing pinentry to read the key passphrase from Secret
> Service, what ends up happening is that KWallet asks for the key passphrase
> from itself instead of the user. It's like trying to unlock a safe with the
> key that's locked inside that same safe. Not going to work. Even if you
> make this asynchronous, you'll just end up with an infinite recursion.

I understand that we ended up with KWallet asking itself for the password. But the fact is that if the query was asynchronous, then pinentry would have got its answer instead of timing out, and then would have prompted the user for the password. Or maybe not, maybe KWallet is storing the cached answer in memory and would have provided it to pinentry. But do note I talked about KWallet ensuring it doesn't recurse infinitely, which is why we'd need to figure out if where this particular password could be saved if it is provided to KWallet; refusing to store it is a way to break the chain.

I'm not saying it's easy to implement this.

Your idea from comment 40 -- to tell gpg-agent that we want a password with no-external-cache -- is a solution too. Probably the Right Solution (with capital R and S). But not the way you described it.

Modifying ~/.gnupg/gpg-agent.conf is not acceptable, because it's not atomic. Other passwords may be getting requested at the same time as KWallet is trying to open. In fact, if we are trying to open the wallet now because something wants a stored password, then it stands to reason another program could be trying to do the same. Moreover, because we're waiting for user interaction, the time during which the gpg-agent.conf file is modified is measured in human time.
Therefore, this solution requires that we inform gpg-agent that we want a no-external-auth-cache answer for THIS query only and that it inform the pinentry tool that it shouldn't query the external auth cache. That requires those two tools to be updated and their updates deployed; plus probably libgpgme too.

It's probably the right thing to do, so we should interact with upstream to get them to implement this. But if there is a KWallet-only solution, we should investigate it.