Hi,

Is there any documentation on the correct agent sockets to expose for different levels of trust?

All I could find are these two:

* https://wiki.gnupg.org/AgentForwarding
  > The extra socket is more restricted then the normal socket and Pinentry messages will differ when gpg-agent is accessed over this socket
* https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
  > The intended use for this extra socket is to setup a Unix domain socket forwarding from a remote machine to this socket on the local machine. A gpg running on the remote machine may then connect to the local gpg-agent and use its private keys. This enables decrypting or signing data on a remote machine without exposing the private keys to the remote machine.

It might be good to have some documentation on this front, so that people who want to share their GPG agent sockets in new ways can do this safely. For example it is non-obvious that code execution can be triggered on some systems via S.gpg-agent but not via S.gpg-agent.extra.

Unfortunately I'm not well enough acquainted with GPG to write comprehensive documentation myself, but I'd probably start with a description of how much trust and power is assigned to each socket, perhaps with some examples.

Cheers,
Penn

--
Penn Mackintosh (he/him)
_______________________________________________
Gnupg-devel mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
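
An added example, not part of the original message or of GnuPG: a small audit that reads an ssh_config and reports which gpg-agent socket each RemoteForward line exposes, so that a forward of the full S.gpg-agent socket stands out from one of S.gpg-agent.extra. The function names, host names and paths are constructed, and the check assumes both sockets keep their default file names.

```shell
#!/bin/sh
# Constructed sample ssh_config: one forward of the restricted extra socket,
# one forward of the full agent socket, and one unrelated TCP forward.
sample_config() {
cat <<'EOF'
Host build
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /home/alice/.gnupg/S.gpg-agent.extra
Host legacy
    remoteforward /run/user/1000/gnupg/S.gpg-agent /home/alice/.gnupg/S.gpg-agent
Host web
    RemoteForward 8080 localhost:80
EOF
}

# audit_forwards [FILE]: reads ssh_config text from FILE or stdin.
# Prints "EXTRA host path" or "FULL host path" for every RemoteForward whose
# local side (third field) is a gpg-agent socket.
# Returns 1 if any forward exposes the full S.gpg-agent socket, else 0.
audit_forwards() {
    awk '
        tolower($1) == "host" { host = $2 }
        tolower($1) == "remoteforward" && NF >= 3 {
            n = split($3, parts, "/")
            base = parts[n]            # file name of the local socket
            if (base == "S.gpg-agent") {
                printf "FULL %s %s\n", host, $3
                full = 1
            } else if (base == "S.gpg-agent.extra") {
                printf "EXTRA %s %s\n", host, $3
            }
        }
        END { exit (full ? 1 : 0) }
    ' "$@"
}

# Demonstration on the constructed sample.
sample_config | audit_forwards || echo "at least one host forwards the full agent socket"
```

To check a real configuration, pass its path as the argument, for example `audit_forwards ~/.ssh/config`.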
