gnupg-agent stores pass phrases until power-off

Steve Kinney admin at pilobilus.net
Tue Apr 4 12:43:24 PDT 2017




On 04/04/2017 01:44 PM, grarpamp wrote:
> On Tue, Apr 4, 2017 at 10:04 AM, Phillip Hallam-Baker
> <phill at hallambaker.com> wrote:
>> * Has someone already done this for GPG Agent?
>
> Probably.

gnupg-agent is in serious need of some bugfixes, at least the version
that makes it into Mint.  Once it sees a pass phrase, gnupg-agent
retains it until the system is shut down; stored pass phrases persist
through user logout/login.

This behavior is supposed to be controlled by a config file where a
timeout can be set, but none is present in the default installations I
have seen on Mint, and creating a new gpg-agent.conf as directed in
the man page for gnupg-agent does exactly nothing to alter its behavior.

The Debian devs say this is a non-issue.  Their excuse:  "Physical
access is game over."  How's that for convenient?

Never mind that broken gnupg-agent means physical access by any
unskilled snooper gives that person the ability to read and copy
encrypted documents and files, or apply your signature to anything,
while your back is turned.  Not an issue.  The presence of your pass
phrase in system memory, as/when a non-persistent exploit checks to
see if pass phrases for the secring keys it just sent to its owner are
available in memory, is not a potential issue, either.

My work-arounds for this BS:

http://pilobilus.net/gnupg-agent_work_around_for_linux_mint.html

:o)



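The cache-timeout settings the gpg-agent man page refers to, as an added example (not from the post above nor from the linked work-around page); it assumes the standard ~/.gnupg location, TTLs in seconds, and a running agent. The post reports that on its Mint install such a file had no effect; the flush function is the documented way to make the agent re-read its configuration and drop every cached passphrase, and can be called from a logout script so the cache does not outlive the session.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumption: GNUPGHOME is ~/.gnupg; TTL values are in seconds.

# write_agent_conf DIR DEFAULT_TTL MAX_TTL
# Writes DIR/gpg-agent.conf with cache limits. default-cache-ttl is the
# idle timeout (reset on each use of the key); max-cache-ttl caps the
# total lifetime regardless of use, so a passphrase cannot stay cached
# "until power-off".
write_agent_conf() {
    dir=$1; default_ttl=$2; max_ttl=$3
    mkdir -p "$dir" && chmod 700 "$dir"
    cat > "$dir/gpg-agent.conf" <<EOF
# passphrase cache limits in seconds
default-cache-ttl $default_ttl
max-cache-ttl $max_ttl
EOF
    chmod 600 "$dir/gpg-agent.conf"
}

# conf_value DIR OPTION
# Prints the value set for OPTION in DIR/gpg-agent.conf (empty if unset),
# so the effective configuration can be checked before trusting it.
conf_value() {
    awk -v opt="$2" '$1 == opt { print $2 }' "$1/gpg-agent.conf"
}

# Ask the running agent to re-read gpg-agent.conf and flush all cached
# passphrases (the RELOADAGENT command, equivalent to sending SIGHUP).
# Suitable for ~/.bash_logout when the agent outlives the login session.
flush_agent_cache() {
    command -v gpg-connect-agent >/dev/null 2>&1 || {
        echo "gpg-connect-agent not found" >&2
        return 1
    }
    gpg-connect-agent reloadagent /bye
}

# Usage: 10-minute idle timeout, 1-hour hard cap, then flush the cache.
# write_agent_conf "$HOME/.gnupg" 600 3600 && flush_agent_cache
```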


More information about the cypherpunks mailing list