On Fri 2016-10-07 14:07:14 -0400, Matthew Orlando wrote: > This works fine for me: > > # export GNUPGHOME=/home/soandso/.gnupg > # gpg-agent --allow-loopback-pinentry --daemon > # gpg --clearsign --pinentry-mode=loopback
I think you're saying that you're doing these commands as a different user than user "soandso" -- is that right? if so, it seems like you'll be creating sockets in /home/soandso/.gnupg/ (which most users shouldn't have write access to) when you launch gpg-agent here, which might cause trouble in the future. Also, current versions of gpg-agent in testing and unstable (2.1.15) default to --allow-loopback-pinentry, so that flag isn't needed. if the goal is protection of secret key material by a separate (non-privileged) user account, this seems like a troublesome way to do it. it appears to assume: (a) that you're willing to run gpg-agent and gpg both as the superuser (b) that the soandso account will still have access to the secret keyring anyway can you explain what your goal is here? what's the security benefit to this approach? --dkg
signature.asc
Description: PGP signature