Package: gnupg-agent
Version: 2.0.14-2
Severity: normal

gpg-agent's ssh-agent capabilities are reporting success while ignoring the user's command to remove a secret key from its key store.

You can see it this way:

  # create an ssh secret key for testing purposes:
  ssh-keygen -q -t rsa -b 1024 -f testkey -N abc123

  # launch a new shell wrapped by the gpg-agent's ssh-agent capabilities:
  gpg-agent --enable-ssh-support --daemon sh

Within the new shell, do:

  ssh-add -l          ## should be no identities listed
  ssh-add testkey
  ssh-add -l          ## should be one identity listed (testkey)
  ssh-add -d testkey
  ssh-add -l          ## should be no identities listed, but testkey remains

At the very least, if gpg-agent's ssh-agent support is incapable of removing cached identities, it should return a failure, the way it does for ssh-add -D. Otherwise, users of ssh-add -d are being deceived into thinking that they have safely disposed of the cached copy of their secret key material.

Between this and the fact that the undeletable cached secret keys are actually stored on disk (in $GNUPGHOME/private-keys-v1.d/), I consider this to be fairly irresponsible treatment of sensitive material by a tool that users expect to know better. :(

--dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-rc6-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages gnupg-agent depends on:
ii  libc6                     2.11.2-6   Embedded GNU C Library: Shared lib
ii  libgcrypt11               1.4.5-2    LGPL Crypto library - runtime libr
ii  libgpg-error0             1.6-1      library for common error values an
ii  libpth20                  2.0.7-16   The GNU Portable Threads
ii  libreadline6              6.1-3      GNU readline and history libraries
ii  pinentry-gtk2 [pinentry]  0.8.0-1    GTK+-2-based PIN or pass-phrase en

Versions of packages gnupg-agent recommends:
ii  gnupg                     1.4.10-4.1 GNU privacy guard - a free PGP rep
ii  gnupg2                    2.0.14-2   GNU privacy guard - a free PGP rep

gnupg-agent suggests no packages.

-- no debconf information
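The report's point is that the exit status of "ssh-add -d" cannot be trusted with this agent. The script below is an added check, written for this page and not taken from the bug report or from GnuPG: it re-lists the agent's identities after the delete and compares fingerprints, and counts the files in the private-keys-v1.d directory the report names. It assumes OpenSSH's ssh-add and ssh-keygen are in PATH and SSH_AUTH_SOCK points at the agent under test; the function names and the key-file argument are this example's own.

```sh
#!/bin/sh
# Added check (not part of the bug report or of GnuPG): confirm that an
# ssh-agent really dropped an identity after "ssh-add -d" instead of
# trusting its exit status. Needs OpenSSH ssh-add/ssh-keygen in PATH.

# fingerprint_listed LISTING FPR: succeed if FPR is the fingerprint field
# (second column) of any line of "ssh-add -l" output held in LISTING.
fingerprint_listed() {
    printf '%s\n' "$1" | awk -v fpr="$2" '$2 == fpr { found = 1 } END { exit (found ? 0 : 1) }'
}

# removal_verified BEFORE AFTER FPR: succeed only if FPR was listed before
# the delete and is absent from the listing taken afterwards.
removal_verified() {
    fingerprint_listed "$1" "$3" && ! fingerprint_listed "$2" "$3"
}

# count_private_keys: number of entries in gpg-agent's on-disk key store,
# the directory the report points at (0 if it does not exist).
count_private_keys() {
    dir="${GNUPGHOME:-$HOME/.gnupg}/private-keys-v1.d"
    [ -d "$dir" ] || { echo 0; return; }
    ls -1 "$dir" | wc -l | tr -d ' '
}

# check_agent_delete KEYFILE: load KEYFILE, delete it with "ssh-add -d",
# then report whether the identity and its on-disk copy really went away.
check_agent_delete() {
    keyfile=$1
    fpr=$(ssh-keygen -lf "$keyfile.pub" | awk '{ print $2 }') || return 2
    ssh-add "$keyfile" >/dev/null || return 2
    before=$(ssh-add -l)
    files_before=$(count_private_keys)
    if ssh-add -d "$keyfile"; then status=0; else status=$?; fi
    after=$(ssh-add -l || true)      # exits 1 when no identities remain
    files_after=$(count_private_keys)
    if ! removal_verified "$before" "$after" "$fpr"; then
        echo "FAIL: $fpr still cached although ssh-add -d exited $status" >&2
        return 1
    fi
    if [ "$files_before" -gt 0 ] && [ "$files_after" -ge "$files_before" ]; then
        echo "WARN: private-keys-v1.d still holds $files_after file(s)" >&2
    fi
    echo "OK: $fpr removed (ssh-add -d exited $status)"
}

# Run the live check only when a key file is named, so the helpers above
# can also be sourced and tested on their own.
if [ -n "${1:-}" ]; then check_agent_delete "$1"; fi
```

Invoked as "sh check.sh testkey" inside the shell started by gpg-agent in the report, it prints FAIL for the behaviour described there and OK against an agent that honours the delete.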