On Sun, Dec 19, 2010 at 09:29:18PM -0700, Kyle Wheeler wrote:
> On Sunday, December 19 at 09:21 PM, quoth Will Fiveash:
> >On Sun, Dec 19, 2010 at 07:46:50PM -0700, Kyle Wheeler wrote:
> >> On Sunday, December 19 at 07:30 PM, quoth Will Fiveash:
> >> >Recently I started using gpg2 and the gpg-agent to reduce the number of
> >> >times I enter my gpg password. This is working in general but I can't
> >> >seem to get mutt to call gpg2 even though I've replaced all instances of
> >> >/usr/local/bin/gpg with /usr/local/bin/gpg2 in my ~/.muttrc_gpg-1.5
> >> >config file which is being sourced by ~/.muttrc. Any thoughts as to
> >> >what is going on?
> >>
> >> What error messages have you been getting?
> >
> >Sorry, I should have been more clear; mutt continues to run gpg instead
> >of gpg2 thus the gpg-agent isn't being used.
>
> Who said you had to use gpg2 in order to use gpg-agent? I've used
> gpg-agent with gpg 1.4.x for years; all you have to do is add
> 'use-agent' to your gpg.conf.
That was ignorance on my part. I've been using gpg for a long time and I
don't recall the gpg-agent being available way back when. When I became
aware of gpg2 I also became aware of gpg-agent, which it will use if
GPG_AGENT_INFO is set (it does not require "use-agent" set in the
gpg.conf). But since you mentioned the "use-agent" config option I've
gone ahead and set that, which now has gpg (v1.4.2.2) using it as well.

> I was going to ask how you know gpg2 isn't being used, but...

I used the truss utility on Solaris to trace mutt calling execve(). Of
course, now that I truss again I am seeing mutt using /usr/local/bin/gpg2
as I configured it. I don't know what happened earlier, but more than
likely it's user error on my part.

> Anyway, out of curiosity, why worry about it? As far as I know,
> there's no real benefit to using gpg2; the only difference is that it
> supports building against an external gnupglib library as opposed to
> being self-contained. All the encryption methods are the same, and gpg
> v1 has undergone more rigorous testing by the security community. Is
> there something you're trying to accomplish in particular? Maybe my
> information about gpg2 is outdated...

Aside from my confusion about gpg v1.4's support of gpg-agent, it turns
out that gpg v2 is available for Solaris prebuilt in standard package
form, so it's convenient to use that. Note that the reason I'm calling
/usr/local/bin/gpg2 instead of the native /usr/bin/gpg2 is that I'm
using Solaris privilege support to allow gpg2 to use pinned/secure
memory which cannot be paged out to the swap device. What's nice about
this is that I do not have to configure gpg2 to run as setuid root, but
instead I am able to give it only the proc_lock_memory privilege.
Doing this requires that I create a shell script wrapper
/usr/local/bin/gpg2 which is this:

    #!/bin/ksh -p
    unset LD_PRELOAD LD_LIBRARY_PATH
    /usr/bin/pfexec /usr/bin/gpg2 "$@"

and in /etc/security/exec_attr:

    GPG:solaris:cmd:::/usr/bin/gpg2:privs=proc_lock_memory

    $ grep GPG /etc/security/prof_attr
    GPG:::Execute gpg as the user or role:help=RtAll.html

    $ grep GPG /etc/user_attr
    willf::::type=normal;roles=root;profiles=GPG

BTW, the last piece of the puzzle for me was finding the mutt
pgp_use_gpg_agent config option. Now things are working as I want.
Thanks again for your help with this.

-- 
Will Fiveash
Oracle
Austin, TX, USA
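The RBAC wiring above has three links (user_attr assigns a profile, prof_attr defines it, exec_attr grants the command its privileges), and the least-privilege property only holds if the exec_attr row carries exactly privs=proc_lock_memory and no uid=/euid= override, which would make pfexec run gpg2 as root instead. The script below is an added example, not Will's or anyone else's code from the thread: it parses the three Solaris RBAC database formats and checks that chain. The user_attr, prof_attr and exec_attr contents are constructed inline to mirror the post (plus a deliberately over-broad profile for contrast); on a real host you would read /etc/user_attr, /etc/security/prof_attr and /etc/security/exec_attr into the same variables.

```shell
#!/bin/sh
# Check that a user reaches a command through a rights profile whose exec_attr
# entry grants exactly the expected privilege set and no uid/gid override.
# Database contents are CONSTRUCTED for this example; they mirror the post's
# GPG profile and add an over-broad "Too Broad" profile as a negative case.

# user_attr: user:qualifier:res1:res2:attr
USER_ATTR='willf::::type=normal;roles=root;profiles=GPG
bob::::type=normal;profiles=Too Broad
alice::::type=normal;profiles=Basic Solaris User'

# prof_attr: profname:res1:res2:desc:attr
PROF_ATTR='GPG:::Execute gpg as the user or role:help=RtAll.html
Too Broad:::Runs gpg as root (constructed bad example):
Basic Solaris User:::Automatically assigned rights:'

# exec_attr: profname:policy:type:res1:res2:id:attr
EXEC_ATTR='GPG:solaris:cmd:::/usr/bin/gpg2:privs=proc_lock_memory
Too Broad:solaris:cmd:::/usr/bin/gpg2:uid=0;privs=all'

# attr_value "<attr field>" key -> prints the value of key=value in a ;-separated list
attr_value() {
    printf '%s\n' "$1" | tr ';' '\n' | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# user_has_profile user profile -> 0 if user_attr assigns profile to user
user_has_profile() {
    uattr=$(printf '%s\n' "$USER_ATTR" | awk -F: -v u="$1" '$1 == u { print $5 }')
    printf '%s\n' "$(attr_value "$uattr" profiles)" | tr ',' '\n' | grep -qxF "$2"
}

# profile_defined profile -> 0 if prof_attr has a row for the profile
profile_defined() {
    printf '%s\n' "$PROF_ATTR" | awk -F: -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# exec_attr_for profile cmd -> prints the attr field of the matching cmd row
exec_attr_for() {
    printf '%s\n' "$EXEC_ATTR" |
        awk -F: -v p="$1" -v c="$2" '$1 == p && $3 == "cmd" && $6 == c { print $7 }'
}

# check_least_privilege user profile cmd expected_privs -> 0 only if every link
# in the chain exists, no identity override is present, and privs match exactly.
check_least_privilege() {
    user_has_profile "$1" "$2" || { echo "no: $1 lacks profile $2"; return 1; }
    profile_defined "$2"       || { echo "no: profile $2 is not defined"; return 1; }
    xattr=$(exec_attr_for "$2" "$3")
    [ -n "$xattr" ]            || { echo "no: no exec_attr cmd row for $3 in $2"; return 1; }
    for k in uid euid gid egid; do
        [ -z "$(attr_value "$xattr" "$k")" ] || { echo "no: $k override in '$xattr'"; return 1; }
    done
    got=$(attr_value "$xattr" privs)
    [ "$got" = "$4" ]          || { echo "no: privs='$got', want '$4'"; return 1; }
    echo "ok: $1 -> $2 -> $3 privs=$4"
}

# Demo on the constructed data: the post's configuration passes, the bad one fails.
check_least_privilege willf GPG /usr/bin/gpg2 proc_lock_memory
check_least_privilege bob "Too Broad" /usr/bin/gpg2 proc_lock_memory || true
```

The uid/euid check is the part worth keeping even if you trust the privs= field: a later edit that adds uid=0 to the exec_attr row turns the wrapper back into a run-as-root path without touching the script or the profile assignment, so it is the line a periodic audit should watch.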