Hi again! you may want to try the attached patch. It is against the current 2.4 head but should apply also to somewhat older versions. If this solves your problem, it can go into 2.4.5 soon.
Shalom-Salam, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein
From 4025da324903093736f238329274f5e234f5339e Mon Sep 17 00:00:00 2001 From: Werner Koch <w...@gnupg.org> Date: Sun, 25 Feb 2024 15:55:14 +0100 Subject: [PATCH GnuPG] agent: Allow GET_PASSPHRASE in restricted mode. * agent/command.c (cmd_get_passphrase): Allow use in restricted mode but ignore the cacheid. -- The use case is symmetric encryption via the extra-socket. To avoid that the gpg running on the server has access to the cache we set the cache id to NULL so that the cache is not used at all. --- agent/command.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/agent/command.c b/agent/command.c index 20ae08e9f..100b97f57 100644 --- a/agent/command.c +++ b/agent/command.c @@ -1988,9 +1988,6 @@ cmd_get_passphrase (assuan_context_t ctx, char *line) struct pin_entry_info_s *pi2 = NULL; int is_generated; - if (ctrl->restricted) - return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); - opt_data = has_option (line, "--data"); opt_check = has_option (line, "--check"); opt_no_ask = has_option (line, "--no-ask"); @@ -2039,7 +2036,9 @@ cmd_get_passphrase (assuan_context_t ctx, char *line) if (!desc) return set_error (GPG_ERR_ASS_PARAMETER, "no description given"); - if (!strcmp (cacheid, "X")) + /* The only limitation in restricted mode is that we don't considere + * the cache. */ + if (ctrl->restricted || !strcmp (cacheid, "X")) cacheid = NULL; if (!strcmp (errtext, "X")) errtext = NULL; @@ -2121,7 +2120,7 @@ cmd_get_passphrase (assuan_context_t ctx, char *line) entry_errtext = NULL; is_generated = !!(pi->status & PINENTRY_STATUS_PASSWORD_GENERATED); - /* We don't allow an empty passpharse in this mode. */ + /* We don't allow an empty passphrase in this mode. */ if (!is_generated && check_passphrase_constraints (ctrl, pi->pin, pi->constraints_flags, -- 2.39.2
openpgp-digital-signature.asc
Description: PGP signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users