Semantics of WOT and Subkeys

2018-04-18 Thread Evan Klitzke
I am trying to understand the semantics of how GnuPG's WOT model 
interacts with subkeys. This is a pretty basic question, so feel free to 
direct me to existing resources if there are any; there must be 
something written on this topic already, but I failed to find anything.


Suppose Alice and Bob want to start using PGP, so they both install GPG 
and create keypairs. At this point in time they both sign each other's 
keys, meaning that they sign each other's master/certification key.


Later Alice learns about subkeys, so she creates a new signing subkey 
for signing her mail/git commits/whatever. How does this work when Bob 
sees the new subkey? Does Bob/GPG treat the signing subkey as just as 
trusted as Alice's master key? Or is it somehow treated as less trusted, 
since it's one step away from the master key?


Similarly, let's say Carol also starts using PGP, and Alice signs 
Carol's key. From Bob's point of view, is there a difference which key 
(the master key or the subkey) Alice used when signing Carol's key?


--
Evan Klitzke  pgp: 0x157EFCACBC648422
e: e...@eklitzke.org  w: https://eklitzke.org

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Using gpg-agent --supervised with systemd

2018-03-21 Thread Evan Klitzke

Hi all,

I am using gpg 2.2.5 and stumbled across the --supervised option while 
reading the man page. I was able to get the ssh-agent functionality 
working perfectly, but I'm having problems with the gpg-agent 
functionality.


I created systemd user units for ssh-agent.socket, gpg-agent.socket, and 
gpg-agent.service. I was able to get this all set up correctly so the 
gpg-agent service knows where its sockets are:


$ sysu status gpg-agent.service
...
Mar 21 14:34:12 t460s systemd[1075]: Started GPG agent.
Mar 21 14:34:12 t460s gpg-agent[2835]: gpg-agent (GnuPG) 2.2.5 starting 
in supervised mode.
Mar 21 14:34:12 t460s gpg-agent[2835]: using fd 3 for std socket 
(/run/user/1000/gpg-agent.sock)
Mar 21 14:34:12 t460s gpg-agent[2835]: using fd 4 for ssh socket 
(/run/user/1000/ssh-agent.sock)
Mar 21 14:34:12 t460s gpg-agent[2835]: listening on: std=3 extra=-1 
browser=-1 ssh=4


That's exactly where I put the sockets, so all good on that front. I was 
also able to figure out how to get pinentry working correctly. I set 
SSH_AUTH_SOCK and indeed, ssh uses the right socket and talks to my 
gpg-agent service.


However, gpg2 is still getting confused and not finding the agent. The 
README file for gpg 2.2 has some hints on why this may be the case:



Note that gpg-agent now uses a fixed socket.  All tools will start
the gpg-agent as needed.  The formerly used environment variable
GPG_AGENT_INFO is ignored by 2.2.  The SSH_AUTH_SOCK environment
variable should be set to a fixed value.


This is indeed what I see: when I try to use gpg2, it starts its own 
gpg-agent, ignoring my systemd service. I tried different permutations 
of options but can't figure out why this isn't working. Whenever I try 
to decrypt a file, gpg2 thinks there isn't an agent process running, and 
tries to start its own in ~/.gnupg.


What is the trick to making this work correctly?

--
Evan Klitzke    San Francisco, CA, USA
e...@eklitzke.org    https://eklitzke.org
pgp: AF91 7318 B8C4 2D11 2721 625D 157E FCAC BC64 8422
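As an added example (not part of the original post or of GnuPG), a small POSIX shell check for the setup described above: gpg 2.2 looks for the agent only at the fixed socket paths reported by `gpgconf --list-dirs`, so a supervised agent's socket units must listen at exactly those paths. The unit names `gpg-agent.socket` and `ssh-agent.socket` are taken from the post; the check parses captured `gpgconf --list-dirs` and `systemctl --user show UNIT -p Listen` output, so it can also be run on pasted text without a live agent.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the sockets a
# systemd-supervised gpg-agent listens on are the fixed paths gpg 2.2
# expects. gpg 2.2 ignores GPG_AGENT_INFO and only consults the paths from
# `gpgconf --list-dirs`; a socket unit listening anywhere else is never
# found, so gpg starts an agent of its own.

# Extract one entry from `gpgconf --list-dirs` output (name:value lines;
# values are percent-escaped, so undo the escapes gpgconf applies).
gpgconf_dir() {  # $1 = entry name, $2 = captured gpgconf --list-dirs output
    printf '%s\n' "$2" | grep "^$1:" | head -n 1 | cut -d: -f2- |
        sed 's/%3[aA]/:/g; s/%25/%/g'
}

# Extract listen addresses from `systemctl --user show UNIT -p Listen`
# output, one line per socket: Listen=/run/user/1000/gnupg/S.gpg-agent (Stream)
unit_listen_paths() {  # $1 = captured systemctl show output
    printf '%s\n' "$1" | sed -n 's/^Listen=\(.*\) (Stream)$/\1/p'
}

# Report "ok" (status 0) when the path gpg expects is among the unit's
# listen paths, otherwise "MISMATCH" (status 1) naming both sides.
check_socket() {  # $1 = gpgconf entry, $2 = gpgconf output, $3 = systemctl output
    expected=$(gpgconf_dir "$1" "$2")
    [ -n "$expected" ] || { echo "no $1 entry in gpgconf output"; return 2; }
    listening=$(unit_listen_paths "$3")
    if printf '%s\n' "$listening" | grep -Fxq -- "$expected"; then
        echo "ok: $1 is served at $expected"
        return 0
    fi
    echo "MISMATCH: gpg expects $1 at $expected, unit listens on:" \
        "$(printf '%s\n' "$listening" | tr '\n' ' ')"
    return 1
}

# Live check on the running system; unit names follow the post's setup.
check_live() {
    dirs=$(gpgconf --list-dirs)
    check_socket agent-socket "$dirs" \
        "$(systemctl --user show gpg-agent.socket -p Listen)"
    check_socket agent-ssh-socket "$dirs" \
        "$(systemctl --user show ssh-agent.socket -p Listen)"
}
```

Run `check_live` in the user session; a MISMATCH line means gpg will ignore the supervised agent regardless of what the service's own log reports.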
