From d7293cb317acc40cc9e5189cef33fe9d8b47e62a Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 11 May 2015 18:08:44 +0200 Subject: agent: Add option --no-allow-external-cache. * agent/agent.h (opt): Add field allow_external_cache. * agent/call-pinentry.c (start_pinentry): Act upon new var. * agent/gpg-agent.c (oNoAllowExternalCache): New. (opts): Add option --no-allow-external-cache. (parse_rereadable_options): Set this option. -- Pinentry 0.9.2 may be build with libsecret support and thus an extra checkbox is displayed to allow the user to get passwords out of an libsecret maintained cache. Security aware user may want to avoid this feature and may do this at runtime by enabling this option. Signed-off-by: Werner Koch --- doc/gpg-agent.texi | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'doc/gpg-agent.texi') diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index 469c76203..dea462e0d 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi @@ -377,6 +377,19 @@ Allow clients to use the loopback pinentry features; see the option @option{pinentry-mode} for details. @end ifset +@ifset gpgtwoone +@item --no-allow-external-cache +@opindex no-allow-external-cache +Tell Pinentry not to enable features which use an external cache for +passphrases. + +Some desktop environments prefer to unlock all +credentials with one master password and may have installed a Pinentry +which employs an additional external cache to implement such a policy. +By using this option the Pinentry is advised not to make use of such a +cache and instead always ask the user for the requested passphrase. +@end ifset + @item --ignore-cache-for-signing @opindex ignore-cache-for-signing This option will let @command{gpg-agent} bypass the passphrase cache for all @@ -762,6 +775,7 @@ again. Only certain options are honored: @code{quiet}, @code{debug-pinentry}, @code{no-grab}, @code{pinentry-program}, @code{default-cache-ttl}, @code{max-cache-ttl}, @code{ignore-cache-for-signing}, +@code{no-allow-external-cache}, @code{no-allow-mark-trusted}, @code{disable-scdaemon}, and @code{disable-check-own-socket}. @code{scdaemon-program} is also supported but due to the current implementation, which calls the -- cgit v1.2.3