unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Teodor Zlatanov @ 2013-10-07 17:56 UTC
  To: 15552


1. On the local system, install GnuPG 2.x and don't run the gpg-agent
2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
3. Open file.gpg: password dialog pops up
4. close file.gpg
5. Open file.gpg: password dialog pops up again

Step (5) should not prompt.  It works properly with GnuPG 1.x.



In GNU Emacs 24.3.50.2 (x86_64-unknown-linux-gnu, GTK+ Version 3.4.4)
 of 2013-09-20 on flea.lifelogs.com
Bzr revision: 114415 rgm@gnu.org-20130921005207-1eq49miu7feptu8i
Windowing system distributor `The X.Org Foundation', version 11.0.11304000
System Description:	Gentoo Base System release 2.2





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Daiki Ueno @ 2013-10-07 23:41 UTC
  To: Teodor Zlatanov; +Cc: 15552-done

tags 15552 notabug
thanks

Teodor Zlatanov <tzz@lifelogs.com> writes:

> 1. On the local system, install GnuPG 2.x and don't run the gpg-agent
> 2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
> 3. Open file.gpg: password dialog pops up
> 4. close file.gpg
> 5. Open file.gpg: password dialog pops up again
>
> Step (5) should not prompt.  It works properly with GnuPG 1.x.

That's intended behavior.  It is documented and I stated a number of
times the reason and why I chose such a lengthy name of the variable and
the default is nil:

1. Emacs heap is not so secure
2. Using Emacs for password input degrades the security

You never hear or remember.





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Ted Zlatanov @ 2013-10-08  0:46 UTC
  To: 15552; +Cc: ueno

On Tue, 08 Oct 2013 08:41:40 +0900 Daiki Ueno <ueno@gnu.org> wrote: 

DU> tags 15552 notabug
DU> thanks

DU> Teodor Zlatanov <tzz@lifelogs.com> writes:

>> 1. On the local system, install GnuPG 2.x and don't run the gpg-agent
>> 2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
>> 3. Open file.gpg: password dialog pops up
>> 4. close file.gpg
>> 5. Open file.gpg: password dialog pops up again
>> 
>> Step (5) should not prompt.  It works properly with GnuPG 1.x.

DU> That's intended behavior.  It is documented and I stated a number of
DU> times the reason and why I chose such a lengthy name of the variable and
DU> the default is nil:

DU> 1. Emacs heap is not so secure
DU> 2. Using Emacs for password input degrades the security

(please note I opened this at Stefan's request; I knew you wouldn't be
interested in resolving it)

I appreciate your concern for security, but the behavior is broken from
a user's perspective and you make no effort to help at the time the
issue occurs.  You could, for instance, check the GnuPG version and be
helpful.

At least fix the docstring and maybe emit a message to be helpful about
it.  There's no mention that it breaks with GnuPG 2.x:

epa-file-cache-passphrase-for-symmetric-encryption is a variable defined in `epa-file.el'.
Its value is t
Original value was nil

Documentation:
If non-nil, cache passphrase for symmetric encryption.

For security reasons, this option is turned off by default and
not recommended to use.  Instead, consider using public-key
encryption with gpg-agent which does the same job in a safer
way.

DU> You never hear or remember.

Right, thanks again.

Ted





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Stefan Monnier @ 2013-10-08  3:14 UTC
  To: 15552; +Cc: tzz, ueno

>> 1. On the local system, install GnuPG 2.x and don't run the gpg-agent
>> 2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
>> 3. Open file.gpg: password dialog pops up
>> 4. close file.gpg
>> 5. Open file.gpg: password dialog pops up again
>> Step (5) should not prompt.  It works properly with GnuPG 1.x.
> That's intended behavior.

Could you give the rationale for it?

> It is documented and I stated a number of times the reason and why
> I chose such a lengthy name of the variable and the default is nil:

I understand why it is nil by default, but if the user sets it to t,
presumably he doesn't care about the fact that storing the password in
Emacs heap is insecure.  So why does 5 prompt the user, even tho he
specifically asked for Emacs to cache the password?


        Stefan





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Daiki Ueno @ 2013-10-08  7:03 UTC
  To: Stefan Monnier; +Cc: tzz, 15552

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>>> 1. On the local system, install GnuPG 2.x and don't run the gpg-agent
>>> 2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
>>> 3. Open file.gpg: password dialog pops up
>>> 4. close file.gpg
>>> 5. Open file.gpg: password dialog pops up again
>>> Step (5) should not prompt.  It works properly with GnuPG 1.x.
>> That's intended behavior.
>
> Could you give the rationale for it?

When gpg-agent is not properly set up as a daemon, gpg2 invokes
gpg-agent internally for each session.  In the above case, there are two
gpg2 sessions (two "Open") and thus there are two gpg-agent processes,
which don't share the passphrase.

>> It is documented and I stated a number of times the reason and why
>> I chose such a lengthy name of the variable and the default is nil:
>
> I understand why it is nil by default, but if the user sets it to t,
> presumably he doesn't care about the fact that storing the password in
> Emacs heap is insecure.

When epg.el was written, the option was intended as a last resort
for those who only have gpg1 and can't use gpg-agent.  Since then, I've
recommended migrating to a more secure way (i.e. using gpg-agent).

Given that gpg-agent (gpg2) is now available everywhere, I think there's
no reason to advertise the use of this variable, although at some point
a few people (afaik, only Ted) started exploiting this option to provide
degraded security for usability.

So the question is, would we really like to proactively support such a
degraded security in Emacs?





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Ted Zlatanov @ 2013-10-08 10:47 UTC
  To: Daiki Ueno; +Cc: 15552

On Tue, 08 Oct 2013 16:03:22 +0900 Daiki Ueno <ueno@gnu.org> wrote: 

DU> Stefan Monnier <monnier@iro.umontreal.ca> writes:

>>> It is documented and I stated a number of times the reason and why
>>> I chose such a lengthy name of the variable and the default is nil:
>> 
>> I understand why it is nil by default, but if the user sets it to t,
>> presumably he doesn't care about the fact that storing the password in
>> Emacs heap is insecure.

DU> When epg.el was written, the intention of the option was the last resort
DU> for those who only have gpg1 and can't use gpg-agent.  Since then, I've
DU> recommended to migrate to more secure way (i.e. using gpg-agent).

OK, so at least note it in the variable docstring.

DU> Given that gpg-agent (gpg2) is now available everywhere, I think there's
DU> no reason to advertise the use of this variable, although at some point
DU> a few people (afaik, only Ted) started exploiting this option to provide
DU> degraded security for usability.

I believe several use it, based on auth-source.el related issues.  But I
haven't kept a list.

DU> So the question is, would we really like to proactively support such a
DU> degraded security in Emacs?

Since you've moved beyond the issue at hand, I think we should start
with considering whether one security model fits all users.  Surely you
agree that this is not as clear as your question makes it sound, and
that at least some of the risk assessment should be up to the user?

Ted





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Stefan Monnier @ 2013-10-08 17:17 UTC
  To: Daiki Ueno; +Cc: tzz, 15552

>>>> 1. On the local system, install GnuPG 2.x and don't run the gpg-agent
>>>> 2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
>>>> 3. Open file.gpg: password dialog pops up
>>>> 4. close file.gpg
>>>> 5. Open file.gpg: password dialog pops up again
>>>> Step (5) should not prompt.  It works properly with GnuPG 1.x.
>>> That's intended behavior.
>> Could you give the rationale for it?
> When gpg-agent is not properly set up as a daemon, gpg2 invokes
> gpg-agent internally for each session.  In the above case, there are two
> gpg2 sessions (two "Open") and thus there are two gpg-agent processes,
> which don't share the passphrase.

That explains technically why gpg prompts twice, but it doesn't indicate
that this implementation was designed specifically so that step
5 prompts again.  I.e. it's not "intended behavior", but rather
"expected behavior" due to implementation choices.

Still I'm confused: what kind of caching does
epa-file-cache-passphrase-for-symmetric-encryption offer, then?
From the docstring I got the impression that it would cache the
passphrase in Emacs's heap, so gpg's own caching should be largely
irrelevant (in the second session it will prompt for a password, which
Emacs should provide from its own cache without prompting the user).


        Stefan "Also confused about what "symmetric" has to do with it"





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Daiki Ueno @ 2013-10-08 21:51 UTC
  To: Stefan Monnier; +Cc: tzz, 15552

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>>>>> 1. On the local system, install GnuPG 2.x and don't run the gpg-agent
>>>>> 2. Set epa-file-cache-passphrase-for-symmetric-encryption to t
>>>>> 3. Open file.gpg: password dialog pops up
>>>>> 4. close file.gpg
>>>>> 5. Open file.gpg: password dialog pops up again
>>>>> Step (5) should not prompt.  It works properly with GnuPG 1.x.

> Still I'm confused: what kind of caching does
> epa-file-cache-passphrase-for-symmetric-encryption offer, then?
> From the docstring I got the impression that it would cache the
> passphrase in Emacs's heap, so gpg's own caching should be largely
> irrelevant (in the second session it will prompt for a password, which
> Emacs should provide from its own cache without prompting the user).

It used to work like that with gpg1.  However, gpg2's implementation
choice is that it does not leak the indication that gpg2 (actually
gpg-agent) requires passphrase and it does not allow other tools than
pinentry to inject passphrase.

IMO that's a good idea for security (as pinentry uses secmem).

>         Stefan "Also confused about what "symmetric" has to do with it"

Perhaps you could try the above recipe when gpg-agent is properly set up:

$ echo abc > file
$ gpg --symmetric file
$ eval `gpg-agent --daemon`
$ gpg2 < file.gpg
$ gpg2 < file.gpg

You won't be asked for the passphrase the second time, because
gpg-agent remembers the passphrase based on the file content.





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Stefan Monnier @ 2013-10-09  3:01 UTC
  To: Daiki Ueno; +Cc: tzz, 15552

> It used to work like that with gpg1.  However, gpg2's implementation
> choice is that it does not leak the indication that gpg2 (actually
> gpg-agent) requires passphrase and it does not allow other tools than
> pinentry to inject passphrase.

IOW epa-file-cache-passphrase-for-symmetric-encryption only works for
gpg1 and not for gpg2?

> IMO that's a good idea for security (as pinentry uses secmem).

There are many situations where local security is not nearly as
important as convenience.  But IIUC with gpg2 the general answer is "use
gpg-agent to do the caching", and it's supposed to work fine (i.e. it's
just as convenient as caching the password in Emacs).

>> Stefan "Also confused about what "symmetric" has to do with it"
> Perhaps you could try the above recipe under gpg-agent is properly set up:
> $ echo abc > file
> $ gpg --symmetric file
> $ eval `gpg-agent --daemon`
> $ gpg2 < file.gpg
> $ gpg2 < file.gpg
> You won't be asked for the passphrase at the second time, because
> gpg-agent remembers passphrase based on the file content.

That doesn't really explain to me why
epa-file-cache-passphrase-for-symmetric-encryption has "symmetric" in
its name and more specifically why caching of passphrases would be
different for symmetric than for public key cryptography.


        Stefan





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Daiki Ueno @ 2013-10-09  3:53 UTC
  To: Stefan Monnier; +Cc: tzz, 15552

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>> It used to work like that with gpg1.  However, gpg2's implementation
>> choice is that it does not leak the indication that gpg2 (actually
>> gpg-agent) requires passphrase and it does not allow other tools than
>> pinentry to inject passphrase.
>
> IOW epa-file-cache-passphrase-for-symmetric-encryption only works for
> gpg1 and not for gpg2?

s/works/has no effect/

>> IMO that's a good idea for security (as pinentry uses secmem).
>
> There are many situations where local security is not nearly as
> important as convenience.  But IIUC with gpg2 the general answer is "use
> gpg-agent to do the caching", and it's supposed to work fine (i.e. it's
> just as convenient as caching the password in Emacs).

In this bug report, the reporter intentionally does not set up gpg-agent
for his login session.  Even the GnuPG 2.x manual spends one chapter on
setting up gpg-agent before the chapter on gpg command itself.

>>> Stefan "Also confused about what "symmetric" has to do with it"
>> Perhaps you could try the above recipe under gpg-agent is properly set up:
>> $ echo abc > file
>> $ gpg --symmetric file
>> $ eval `gpg-agent --daemon`
>> $ gpg2 < file.gpg
>> $ gpg2 < file.gpg
>> You won't be asked for the passphrase at the second time, because
>> gpg-agent remembers passphrase based on the file content.
>
> That doesn't really explain to me why
> epa-file-cache-passphrase-for-symmetric-encryption has "symmetric" in
> its name and more specifically why caching of passphrases would be
> different for symmetric than for public key cryptography.

I didn't get the question correctly, then.

Look at the matrix of (info "(epa) Caching Passphrases"), check when a
user is suggested to "set up elisp passphrase cache".

Anyway, the name is not so important to me, as long as it discourages
the use of the variable, so it could be
e.g. epg-file-yo-mama-wears-fancy-glasses-detection-enabled.

https://news.ycombinator.com/item?id=6372466





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Ted Zlatanov @ 2013-10-09  9:32 UTC
  To: Daiki Ueno; +Cc: 15552

On Wed, 09 Oct 2013 12:53:14 +0900 Daiki Ueno <ueno@gnu.org> wrote: 

DU> I didn't get the question correctly, then.

DU> Look at the matrix of (info "(epa) Caching Passphrases"), check when a
DU> user is suggested to "set up elisp passphrase cache".

DU> Anyway, the name is not so important to me, as long as it discourages
DU> the use of the variable, so it could be
DU> e.g. epg-file-yo-mama-wears-fancy-glasses-detection-enabled.

DU> https://news.ycombinator.com/item?id=6372466

Since it still works as described for GnuPG 1.x, please fix the
variable's docstring to mention that it doesn't work with 2.x.  You
could also add a reference to the manual page as shown above, and in the
manual you could synchronize the variable description with the
docstring, also adding the xref:

@defvar epa-file-cache-passphrase-for-symmetric-encryption
If non-@code{nil}, cache passphrase for symmetric encryption.  The
default value is @code{nil}.
@end defvar

Right now, you have to read the whole manual or search for the variable
name specifically to find that table.  It's not a big manual but it's
still nice to the user.

Thanks
Ted





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Stefan Monnier @ 2013-10-09 12:40 UTC
  To: Daiki Ueno; +Cc: tzz, 15552

>>> It used to work like that with gpg1.  However, gpg2's implementation
>>> choice is that it does not leak the indication that gpg2 (actually
>>> gpg-agent) requires passphrase and it does not allow other tools than
>>> pinentry to inject passphrase.
>> IOW epa-file-cache-passphrase-for-symmetric-encryption only works for
>> gpg1 and not for gpg2?
> s/works/has no effect/

Same difference.  The docstring should prominently say that this var
doesn't work with gpg2 because gpg2 does not let Emacs cache the
passphrase (IIUC we can't make this var effective without changes in
gpg2).

> I didn't get the question correctly, then.
> Look at the matrix of (info "(epa) Caching Passphrases"), check when a
> user is suggested to "set up elisp passphrase cache".

That repeats the fact that symmetric encryption is handled differently
but still doesn't help me understand why.


        Stefan





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Daiki Ueno @ 2013-10-10  3:08 UTC
  To: Stefan Monnier; +Cc: tzz, 15552

Stefan Monnier <monnier@iro.umontreal.ca> writes:

> The docstring should prominently say that this var doesn't work with
> gpg2 because gpg2 does not let Emacs cache the passphrase (IIUC we
> can't make this var effective without changes in gpg2).

OK, I'll add it, though I'd also like to add a note saying that setting
this variable for gpg2 is kind of nonsense.

>> I didn't get the question correctly, then.  Look at the matrix of
>> (info "(epa) Caching Passphrases"), check when a user is suggested to
>> "set up elisp passphrase cache".
>
> That repeats the fact that symmetric encryption is handled differently
> but still doesn't help me understand why.

Because the passphrase caching feature for symmetric encryption is rather
new and not supported by gpg1 (yet).





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Ted Zlatanov @ 2013-10-10 13:25 UTC
  To: 15552

On Thu, 10 Oct 2013 12:08:39 +0900 Daiki Ueno <ueno@gnu.org> wrote: 

DU> Stefan Monnier <monnier@iro.umontreal.ca> writes:
>> The docstring should prominently say that this var doesn't work with
>> gpg2 because gpg2 does not let Emacs cache the passphrase (IIUC we
>> can't make this var effective without changes in gpg2).

DU> OK, I'll add it, though I'd also like to add a note saying that setting
DU> this variable for gpg2 is kind of nonsense.

As the user, I want a single setting across all my systems, so I don't
know in advance if gpg1, gpg2, or both will be installed.  I could add
an explicit version check in my init file, but maybe epg.el could issue
a warning if it detects that situation, just to be helpful?

Ted






* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Stefan Monnier @ 2013-10-10 14:31 UTC
  To: 15552

>>> The docstring should prominently say that this var doesn't work with
>>> gpg2 because gpg2 does not let Emacs cache the passphrase (IIUC we
>>> can't make this var effective without changes in gpg2).
DU> OK, I'll add it, though I'd also like to add a note saying that setting
DU> this variable for gpg2 is kind of nonsense.
> As the user, I want a single setting across all my systems, so I don't
> know in advance if gpg1, gpg2, or both will be installed.  I could add
> an explicit version check in my init file, but maybe epg.el could issue
> a warning if it detects that situation, just to be helpful?

IIUC, for gpg2 this var has no effect whatsoever, so if you want
password caching you need to setup gpg-agent: nothing Emacs can do
about it.

So the "single setting" is: set this var (for those systems that use
gpg1) and setup gpg-agent (on those systems that have gpg2).


        Stefan
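
The split described in the message above (the variable on gpg1 systems, gpg-agent on gpg2 systems), written as the init-file version check mentioned earlier in the thread. This is an added example, not code from the thread or from epg.el; the my/ function names are hypothetical, and the GPG_AGENT_INFO test assumes a GnuPG 2.0 setup in which `eval $(gpg-agent --daemon)` exports that variable.

```elisp
;;; Added example for an init file; not code from epa-file.el or epg.el.
;;; All my/ names are hypothetical.
(require 'epg-config)   ; provides `epg-configuration'
(require 'epa-file)     ; defines the cache variable

(defun my/gpg-version ()
  "Return the version string of the gpg program EPG runs, or nil."
  (condition-case nil
      (cdr (assq 'version (epg-configuration)))
    (error nil)))

(defun my/gpg-major-version (version)
  "Return the major number of VERSION, e.g. 2 for \"2.0.22\", or nil."
  (and (stringp version)
       (string-match "\\`\\([0-9]+\\)\\." version)
       (string-to-number (match-string 1 version))))

(defun my/passphrase-cache-plan (version cache-requested agent-info)
  "Classify where a symmetric passphrase can be cached.
VERSION is the gpg version string, CACHE-REQUESTED the value of
`epa-file-cache-passphrase-for-symmetric-encryption', AGENT-INFO the
value of the GPG_AGENT_INFO environment variable (assumption: it is
exported by a GnuPG 2.0 agent started as a daemon)."
  (let ((major (my/gpg-major-version version)))
    (cond
     ((null major) 'unknown-gpg)
     ;; gpg1: Emacs can answer the passphrase prompt from its own cache.
     ((< major 2) (if cache-requested 'emacs-cache 'no-cache))
     ;; gpg2: only gpg-agent caches; the Emacs variable has no effect.
     ((and (stringp agent-info) (not (string= agent-info "")))
      'agent-cache)
     (t 'agent-missing))))

(defun my/check-passphrase-caching ()
  "Warn when the configured passphrase caching cannot take effect.
Return the plan symbol computed by `my/passphrase-cache-plan'."
  (interactive)
  (let* ((version (my/gpg-version))
         (requested epa-file-cache-passphrase-for-symmetric-encryption)
         (plan (my/passphrase-cache-plan
                version requested (getenv "GPG_AGENT_INFO"))))
    (cond
     ((eq plan 'unknown-gpg)
      (display-warning 'epa "Could not determine the GnuPG version"))
     ((eq plan 'agent-missing)
      (display-warning
       'epa
       (format "GnuPG %s without a gpg-agent daemon: each open of a .gpg file prompts again%s"
               version
               (if requested
                   "; epa-file-cache-passphrase-for-symmetric-encryption has no effect"
                 ""))))
     ((and (eq plan 'agent-cache) requested)
      (message "GnuPG %s: passphrases are cached by gpg-agent, not by Emacs"
               version)))
    plan))

;; Run once at startup, after any setq of the cache variable.
(my/check-passphrase-caching)
```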





* bug#15552: 24.3.50; epa-file-cache-passphrase-for-symmetric-encryption not respected with GnuPG 2.x
From: Stefan Monnier @ 2013-10-10 14:32 UTC
  To: Daiki Ueno; +Cc: tzz, 15552

>> That repeats the fact that symmetric encryption is handled differently
>> but still doesn't help me understand why.
> Because passphrase caching feature for symmetric encryption is rather
> new and not supported by gpg1 (yet).

Ah?  I wonder why, but at least that does explain why epg handles
it specially.


        Stefan




