From bf2724880fe54d0dbf34bfa9fef2f31fa6809f55 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 20 May 2019 15:06:57 -0400 Subject: gpg-agent: add new CACHE_MODE_EXPORT * agent/agent.h: define CACHE_MODE_EXPORT * agent/call-pinentry.c (agent_askpin, agent_get_passphrase): use "e/" as the prefix for SETKEYINFO when in CACHE_MODE_EXPORT. (agent_clear_passphrase): allow clearing the export cache. * agent/command.c (cmd_clear_passphrase): add --mode=export. (cmd_export_key): use CACHE_MODE_EXPORT. * tests/openpgp/export.scm: no need to feed passphrases during export, already cached. ---- We don't want secret keys to be able to be exported automatically based on the same system passphrase cache used by standard decryption or signing operations. So we introduce a "export" cache mode which can be used by EXPORT_KEY. I confess i don't fully understand the changes made to tests/openpgp/export.scm -- i'm not sure why the passphrase is already supplied in this case. Gnupg-Bug-Id: 4522 Signed-off-by: Daniel Kahn Gillmor --- tests/openpgp/export.scm | 38 ++------------------------------------ 1 file changed, 2 insertions(+), 36 deletions(-) (limited to 'tests')
diff --git a/tests/openpgp/export.scm b/tests/openpgp/export.scm
index aa6fa7828..60cc2faea 100755
--- a/tests/openpgp/export.scm
+++ b/tests/openpgp/export.scm
@@ -49,32 +49,6 @@
 "Secret key packet not found")
 (check-exported-key dump keyid)))

-(lettmp
- ;; Prepare two temporary files for communication with the fake
- ;; pinentry program.
- (logfile ppfile)
-
- (define (prepare-passphrases . passphrases)
- (call-with-output-file ppfile
- (lambda (port)
- (for-each (lambda (passphrase)
- (display passphrase port)
- (display #\newline port)) passphrases))))
-
- (define CONFIRM "fake-entry being started to CONFIRM the weak phrase")
-
- (define (assert-passphrases-consumed)
- (call-with-input-file ppfile
- (lambda (port)
- (unless
- (eof-object? (peek-char port))
- (fail (string-append
- "Expected all passphrases to be consumed, but found: "
- (read-all port)))))))
-
- (setenv "PINENTRY_USER_DATA"
- (string-append "--logfile=" logfile " --passphrasefile=" ppfile) #t)
-
 (for-each-p
 "Checking key export"
 (lambda (keyid)
@@ -84,17 +58,9 @@
 (pipe:gpg '(--list-packets)))
 (tr:call-with-content check-exported-public-key keyid))

- (if (string=? "D74C5F22" keyid)
- ;; Key D74C5F22 is protected by a passphrase. Prepare this
- ;; one. Currently, GnuPG does not ask for an export passphrase
- ;; in this case.
- (prepare-passphrases usrpass1))
-
 (tr:do
 (tr:pipe-do
 (pipe:gpg `(--export-secret-keys ,keyid))
 (pipe:gpg '(--list-packets)))
- (tr:call-with-content check-exported-private-key keyid))
-
- (assert-passphrases-consumed))
- '("D74C5F22" "C40FDECF" "ECABF51D")))
+ (tr:call-with-content check-exported-private-key keyid)))
+ '("D74C5F22" "C40FDECF" "ECABF51D"))
-- cgit v1.2.3
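Review bot: The rewritten loop body in the second hunk no longer verifies that exporting the passphrase-protected key D74C5F22 goes through a passphrase prompt at all: the `prepare-passphrases`/`assert-passphrases-consumed` pair and the fake-pinentry `PINENTRY_USER_DATA` setup are removed with no replacement, and the commit message itself says it is unclear why the passphrase is already cached. For a change whose stated purpose is that EXPORT_KEY must not be satisfied by the ordinary sign/decrypt passphrase cache, that leaves no regression test; if a later change made cmd_export_key fall back to the normal cache mode, this test would presumably still pass. Consider adding a case that first clears the export-cache entry (the commit adds `--mode=export` to CLEAR_PASSPHRASE) and then asserts the fake pinentry is consulted for the D74C5F22 export, and until then record the assumption with a comment above the `--export-secret-keys` call, e.g. `;; D74C5F22's passphrase is assumed to be cached already; this does not exercise CACHE_MODE_EXPORT prompting.` The enclosing `for-each-p` form begins in the first hunk, outside this one.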