gnupg-agent stores pass phrases until power-off
On 04/04/2017 01:44 PM, grarpamp wrote:
> On Tue, Apr 4, 2017 at 10:04 AM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>> * Has someone already done this for GPG Agent?
>
> Probably.

gnupg-agent is in serious need of some bugfixes, at least the version that makes it into Mint. Once it sees a pass phrase, gnupg-agent retains it until the system is shut down; stored pass phrases persist through user logout/login.

This behavior is supposed to be controlled by a config file where a timeout can be set, but none is present in the default installations I have seen on Mint, and creating a new gpg-agent.conf as directed in the man page for gnupg-agent does exactly nothing to alter its behavior.

The Debian devs say this is a non-issue. Their excuse: "Physical access is game over." How's that for convenient? Never mind that broken gnupg-agent means physical access by any unskilled snooper gives that person the ability to read and copy encrypted documents and files, or apply your signature to anything, while your back is turned. Not an issue. The presence of your pass phrase in system memory, as/when a non-persistent exploit checks to see if pass phrases for the secring keys it just sent to its owner are available in memory is not a potential issue, either.

My work-arounds for this BS:

http://pilobilus.net/gnupg-agent_work_around_for_linux_mint.html

:o)
participants (1): Steve Kinney
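
The message above refers to a timeout set in gpg-agent.conf. As an added example (not part of the original post and not GnuPG's own code), this script reports which pass phrase cache lifetimes a given gpg-agent.conf actually sets. `default-cache-ttl` and `max-cache-ttl` are gpg-agent's option names; the function names and the 600-second ceiling are assumptions of the example.

```bash
#!/bin/sh
# Added example: audit pass phrase cache lifetimes in a gpg-agent.conf.
# default-cache-ttl and max-cache-ttl are gpg-agent options (values in seconds);
# the function names and the 600 s policy ceiling are assumptions of this sketch.

# Print the largest value set for option $2 in file $1, or "unset".
# Comment lines are skipped; when an option is repeated, the largest value
# is reported so the audit errs on the conservative side.
ttl_value() {
    awk -v opt="$2" '
        $1 ~ /^#/ { next }
        $1 == opt && $2 ~ /^[0-9]+$/ { if (!seen || $2 + 0 > max) max = $2 + 0; seen = 1 }
        END { if (seen) print max; else print "unset" }
    ' "$1"
}

# audit_cache_ttl FILE [CEILING]
# Returns 0 only when both options are set explicitly and neither exceeds
# CEILING seconds, 1 when one is unset or too long, 2 when FILE is unreadable.
audit_cache_ttl() {
    local conf="$1" ceiling="${2:-600}" rc=0 opt val
    [ -r "$conf" ] || { echo "MISSING $conf"; return 2; }
    for opt in default-cache-ttl max-cache-ttl; do
        val=$(ttl_value "$conf" "$opt")
        if [ "$val" = unset ]; then
            echo "WARN $opt not set in $conf"; rc=1
        elif [ "$val" -gt "$ceiling" ]; then
            echo "WARN $opt=$val exceeds ${ceiling}s"; rc=1
        else
            echo "OK   $opt=$val"
        fi
    done
    return $rc
}

# Constructed sample input, not taken from any real system.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'default-cache-ttl 300' 'max-cache-ttl 86400' > "$sample"
audit_cache_ttl "$sample" 600 || echo "sample config fails the audit"
rm -f "$sample"
```

A running agent only picks up an edited file once it re-reads its configuration, for example with `gpg-connect-agent reloadagent /bye`.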