Re: GPG Agent discarding cache before ttl/max ttl

2019-10-16 Thread Daniel Kahn Gillmor via Gnupg-users
On Tue 2019-10-15 22:57:16 +0200, Werner Koch via Gnupg-users wrote:
> If your system has a method to run a script
> on suspend or lid closing it may already do just that.  I consider this
> a good idea but we can't do that by default in GnuPG because systems
> differ to much on how to detect a lid closing event or similar.  Thus
> there is also no way to avoid it using a GnuPG option.

It would be great to learn what the most common lid-closing events on
popular platforms are, so that gpg-agent can do this cache-flushing
behavior automagically at least for users on those platforms.

On systems with D-Bus, following the freedesktop.org IPC standards, it
looks like the following signal appears on the system bus when the
machine goes to sleep:

destination=(null destination) path=/org/freedesktop/login1; 
interface=org.freedesktop.login1.Manager; member=PrepareForSleep
   boolean true

Debian systems these days typically use the dbus standard -- and i'd be
happy to try to integrate detection of this signal into the debian
gpg-agent packaging, if anyone wants to propose a way to do it. i'm not
a D-Bus guru by any stretch of the imagination, so i'm not sure what the
right next step is, guidance is definitely welcome.

> On Tue, 15 Oct 2019 09:14, Chip Senkbeil said:
>> enable-ssh-support
>
> Its the default anyway

This is the default, but its presence in gpg-agent's configuration file
is also used as a signal in some OSes (debian at least) as for whether
to export an SSH_AUTH_SOCK that points to gpg-agent's ssh-agent
emulation socket.  See /etc/X11/Xsession.d/90gpg-agent for more details.

Regards,

--dkg


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: GPG Agent discarding cache before ttl/max ttl

2019-10-15 Thread Werner Koch via Gnupg-users
On Tue, 15 Oct 2019 09:14, Chip Senkbeil said:

> Is there some separate setting for GPG agent to discard its cache
> earlier than the ttl/max ttl settings? I've checked the GPG agent

You can follow the cache operations by adding

  log-file /some/log/file
  debug cache

to gpg-agent.conf and reload it (gpgconf --reload gpg-agent).  This will
give you some insights on what is going on.

The stadard way to flush the cache is bei sending a HUP to gpg-agent (or
the above reload command).  If your system has a method to run a script
on suspend or lid closing it may already do just that.  I consider this
a good idea but we can't do that by default in GnuPG because systems
differ to much on how to detect a lid closing event or similar.  Thus
there is also no way to avoid it using a GnuPG option.

> enable-ssh-support

Its the default anyway

> fixed-list-mode

You can remove that too it has no effect anymore.

> # When making an OpenPGP certification, use a stronger digest than
> the default
> # SHA1:
> cert-digest-algo SHA256

It is the default for a long time now.  Only gpg 1.4 still defaults to
SHA-1 but you are not using that.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


GPG Agent discarding cache before ttl/max ttl

2019-10-15 Thread Chip Senkbeil via Gnupg-users
Hey folks!

Been using GPG for a couple of months to encrypt, sign, and authenticate and 
it's been great!

I'm trying to understand the scenarios in which the GPG agent will remove an 
entry from its cache.

I've got my default and max cache (both cache-ttl and cache-ttl-ssh) set to one 
day such that I don't need to enter my password upon accessing my mail on a 
timer, etc.

This works great until my laptop goes to sleep, I close the lid, etc. At that 
point, it appears to me that the agent tosses out the cache regardless of the 
length of time. This was not the case when I had GPG configured on a Mac, but 
when I switched to Fedora 30, I began having this problem.

It's a little frustrating because I frequently enter and exit a dock for work, 
closing and re-opening my laptop, as I dart between meetings, resulting in me 
needing to re-enter passwords through pinentry more frequently than I'd desire.

Is there some separate setting for GPG agent to discard its cache earlier than 
the ttl/max ttl settings? I've checked the GPG agent process and its still the 
same instance that had been running since I booted the laptop, so I don't 
believe it's the case where the agent is getting killed and restarted.

For reference, here's my gpg-agent.conf file:

pinentry-program /usr/local/bin/my-pinentry-gui
default-cache-ttl 604800
max-cache-ttl 604800
default-cache-ttl-ssh 604800
max-cache-ttl-ssh 604800
enable-ssh-support

I've got a custom bash script for the pinentry program that selects an 
appropriate pinentry process based on OS and capabilities (GUI/terminal).

And my gpg.conf file:

# NOTE: Apparently does nothing with gpg2
use-agent
# When outputting certificates, view user IDs distinctly from keys:
# NOTE: Since 2.0.10, seems to be obsolete as always used, but no harm in
#   keeping it here
fixed-list-mode

# Long keyids are more collision-resistant than short keyids (it's trivial 
to
# make a key with any desired short keyid)
keyid-format 0xlong

# When multiple digests are supported by all recipients, choose the 
strongest
# one:
personal-digest-preferences SHA512 SHA384 SHA256 SHA224

# Preferences chosen for new keys should prioritize stronger algorithms:
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 
BZIP2 ZLIB ZIP Uncompressed

# You should always know at a glance which User IDs gpg thinks are 
legitimately
# bound to the keys in your keyring:
verify-options show-uid-validity
list-options show-uid-validity

# When making an OpenPGP certification, use a stronger digest than the 
default
# SHA1:
cert-digest-algo SHA256

# Prevent version string from appearing in your signatures/public keys
no-emit-version

# Never ask to insert smartcard if it wasn't already inserted to begin with
# NOTE: Currently broken as the functionality appears to have been removed 
by
#   commit 8c219602515ae1dba5bc0da31077852dab61809e when g10/gluecard.c
#   was removed. From the latest commit, it seems like appropriate logic
#   could be added back in agent/divert-scd.c in the main loop of
#   ask_for_card function
limit-card-insert-tries 1
expert

~ Chip Senkbeil


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users