On Fri, 23 Feb 2024 22:59, Marcin Wrochna said: > However, I cannot make `gpg --symmetric` encryption work on the remote, > as it tells me getting a passphrase is "Forbidden".
Right. It does not sund like a good idea to give the server access to
your local password store (in gpg-agent). This way the server might get
access to any password sored in the cache.
You need to look at the code in gnupg/agent/commands.c - search for the
function cmd_get_passphrase. The first statement there is
if (ctrl->restricted)
return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
The function (test with gpg-connect-agent and "help get_passphrase") has
an option --no-ask which only returns value from the cache or errors
out. What we might do is another option (e.g. --only-query) to only
popup the pinentry and return the value. Maybe this can be the default
for a restricted connection.
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
openpgp-digital-signature.asc
Description: PGP signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
