From: "Ludovic Courtès" <ludo@gnu.org>
To: Konrad Hinsen <konrad.hinsen@fastmail.net>
Cc: guix-science@gnu.org
Subject: Re: Help! I messed up guix-past
Date: Mon, 12 Sep 2022 17:26:14 +0200 [thread overview]
Message-ID: <871qsgfwbt.fsf@gnu.org> (raw)
In-Reply-To: <m14jxd6rsv.fsf@fastmail.net> (Konrad Hinsen's message of "Mon, 12 Sep 2022 08:16:32 +0200")
Hi,
Konrad Hinsen <konrad.hinsen@fastmail.net> skribis:
> In my case, $PATH has my Guix profile first, and I always run the gpg
> from my Guix profile. But it picks up the gpg-agent from Ubuntu, which
> lives at /usr/bin/gpg-agent.
OK.
> It may well be possible to fix this issue (for example, patch gnupg such
> that it launches the agent via the full path to the store), but for me
> there is also a loss-of-confidence issue. If a messed-up software
> installation grants password-less access to my keys, then my keys
> effectively have no password protection any more. Attackers only need to
> install two different gpg versions to have access to my keys. That's why
> I want to get rid of gpg, rather than fix it superficially.
Maybe there’s a misunderstanding because AFAIK, what you describe is not
possible. Passphrase-protected keys are effectively encrypted, using
symmetric encryption:
https://github.com/gpg/gnupg/blob/master/agent/keyformat.txt#protected-private-key-format
You can see them in ~/.gnupg/private-keys-v1.d/.
Such keys cannot be accessed without knowing the passphrase, no matter
what software you use.
Thanks,
Ludo’.
next prev parent reply other threads:[~2022-09-12 15:26 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-09 15:16 Help! I messed up guix-past Konrad Hinsen
2022-09-09 15:36 ` Ricardo Wurmus
2022-09-09 15:46 ` zimoun
2022-09-09 16:10 ` Konrad Hinsen
2022-09-09 17:39 ` zimoun
2022-09-10 7:39 ` Konrad Hinsen
2022-09-10 9:47 ` zimoun
2022-09-10 16:20 ` Konrad Hinsen
2022-09-11 14:07 ` Ludovic Courtès
2022-09-11 15:19 ` Efraim Flashner
2022-09-12 6:16 ` Konrad Hinsen
2022-09-12 15:26 ` Ludovic Courtès [this message]
2022-09-13 8:58 ` Konrad Hinsen
2022-09-13 9:23 ` Ricardo Wurmus
2022-09-14 9:31 ` Konrad Hinsen
2022-09-10 10:27 ` Ludovic Courtès
2022-09-10 10:40 ` zimoun
2022-09-10 14:39 ` Ricardo Wurmus
2022-09-12 16:00 ` zimoun
2022-09-09 16:16 ` Julien Lepiller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871qsgfwbt.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-science@gnu.org \
--cc=konrad.hinsen@fastmail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).