From: Ricardo Wurmus <rekado@elephly.net>
To: Konrad Hinsen <konrad.hinsen@fastmail.net>
Cc: "Ludovic Courtès" <ludo@gnu.org>, guix-science@gnu.org
Subject: Re: Help! I messed up guix-past
Date: Tue, 13 Sep 2022 11:23:05 +0200	[thread overview]
Message-ID: <871qsfmxoj.fsf@elephly.net> (raw)
In-Reply-To: <m1leqn647h.fsf@fastmail.net>


Hi Konrad,

>> Such keys cannot be accessed without knowing the passphrase, no matter
>> what software you use.
>
> I agree in theory, but practice disagrees. The only other explanation I
> can see is that GnuPG has stored my password somewhere in the file
> system without me knowing about it. That isn't a reassuring explanation
> either.
>
> Demo:
>
>   $ gpg --list-keys konrad.hinsen@cnrs.fr
>   pub   rsa4096 2018-06-11 [SC]
>         076A1D7B1EF77E068D2AC07CEC17F85277D7932C
>   uid           [ultimate] Konrad Hinsen (http://khinsen.net/) <konrad.hinsen@cnrs.fr>
>   sub   rsa4096 2018-06-11 [E]
>
> The "protection mode" of this key is openpgp-s2k3-sha1-aes-cbc (I looked
> it up in the key file, following the documentation you pointed to).
>
>   $ echo 1 2 3 | gpg -r konrad.hinsen@cnrs.fr --encrypt --armor > counting.gpg
>   $ gpg --decrypt counting.gpg 
>   gpg: WARNING: server 'gpg-agent' is older than us (2.2.19 < 2.2.32)
>   gpg: Note: Outdated servers may lack important security fixes.
>   gpg: Note: Use the command "gpgconf --kill all" to restart them.
>   gpg: encrypted with 4096-bit RSA key, ID 8A9433D79D772795, created 2018-06-11
>         "Konrad Hinsen (http://khinsen.net/) <konrad.hinsen@cnrs.fr>"
>   1 2 3

This is the gpg-agent unlocking the key.

> I haven't typed in the key's password for a few months. The last time I
> did was before the update of GnuPG that broke everything for me. I have
> rebooted the machine many times since then.

Many graphical user environments come with a key manager that unlocks
all secrets on login.  One example is Seahorse, which is used by Gnome
to unlock the Gnome keyring on login.

My guess is that GPG is blissfully unaware of your passphrase until
Seahorse unlocks the key on login and provides it to gpg-agent.

So this would really not be about GPG doing something silly or unsafe,
but rather about Seahorse and the Gnome keyring doing what they were
designed to do: quietly unlocking secrets on login.

-- 
Ricardo
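To check the hypothesis above, one can ask gpg-agent directly whether it currently holds the passphrase for a key, instead of guessing from a decrypt that does not prompt. The script below is an added example, not code from this thread or from GnuPG; it uses gpg-agent's KEYINFO status reply (the "cached" field), assumes gpg 2.1 or later with gpg-connect-agent on PATH, and the status lines it is tested against are constructed.

```sh
#!/bin/sh
# Added example: report whether gpg-agent holds a cached passphrase for
# each secret key. Assumes gpg >= 2.1 and gpg-connect-agent on PATH.

# Parse one "S KEYINFO ..." status line from gpg-agent.
# Fields: S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...
# <cached> is "1" when the agent holds the passphrase, "-" otherwise.
# Returns 0 if cached, 1 if not cached, 2 if the line is not a KEYINFO reply.
keyinfo_cached() {
    set -- $1
    [ "$1" = "S" ] && [ "$2" = "KEYINFO" ] || return 2
    keygrip=$3
    cached=$7
    protection=$8
    if [ "$cached" = "1" ]; then
        echo "$keygrip cached (protection=$protection)"
        return 0
    fi
    echo "$keygrip not-cached (protection=$protection)"
    return 1
}

# Query the live agent for every secret key gpg knows about.
# In --with-colons output the "grp" record carries the keygrip in field 10.
report_cached_keys() {
    gpg --batch --with-colons --with-keygrip --list-secret-keys 2>/dev/null \
      | awk -F: '$1 == "grp" { print $10 }' \
      | while read -r grip; do
            line=$(gpg-connect-agent "KEYINFO $grip" /bye 2>/dev/null \
                   | grep '^S KEYINFO')
            [ -n "$line" ] && keyinfo_cached "$line"
        done
}

# Usage (uncomment to run against the real agent):
# report_cached_keys
```

If a key shows as cached right after login without any prompt, a login keyring is feeding the agent; `gpg-connect-agent reloadagent /bye` flushes the cache until the next unlock.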

