author | Werner Koch <[email protected]> | 2016-05-10 09:01:42 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2016-05-10 09:01:42 +0000 |
commit | ac9ff644b12c4dfa55d466af8ae6af54d1646893 (patch) | |
tree | 53c7e2f423de931b5f87bedc9850de115fa5bc8e | |
parent | gpg: Fix buglet in the check_all_keysigs function. (diff) | |
gpg: Allow unattended deletion of secret keys.
* agent/command.c (cmd_delete_key): Make the --force option depend on
--disallow-loopback-passphrase.
* g10/call-agent.c (agent_delete_key): Add arg FORCE.
* g10/delkey.c (do_delete_key): Pass opt.answer_yes to
agent_delete_key.
--
Unless the agent has been configured with
--disallow-loopback-passphrase an unattended deletion of a secret key
is now possible with gpg by using --batch _and_ --yes.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to '')
-rw-r--r-- | agent/command.c | 10 | ||||
-rw-r--r-- | doc/gpg-agent.texi | 15 | ||||
-rw-r--r-- | doc/gpg.texi | 11 | ||||
-rw-r--r-- | g10/call-agent.c | 9 | ||||
-rw-r--r-- | g10/call-agent.h | 2 | ||||
-rw-r--r-- | g10/delkey.c | 8 |
6 files changed, 45 insertions, 10 deletions
diff --git a/agent/command.c b/agent/command.c index c94fdd37a..dfbb83194 100644 --- a/agent/command.c +++ b/agent/command.c @@ -2333,8 +2333,9 @@ cmd_export_key (assuan_context_t ctx, char *line) static const char hlp_delete_key[] = "DELETE_KEY [--force] <hexstring_with_keygrip>\n" "\n" - "Delete a secret key from the key store.\n" - "Unless --force is used the agent asks the user for confirmation.\n"; + "Delete a secret key from the key store. If --force is used\n" + "and a loopback pinentry is allowed, the agent will not ask\n" + "the user for confirmation."; static gpg_error_t cmd_delete_key (assuan_context_t ctx, char *line) { @@ -2349,6 +2350,11 @@ cmd_delete_key (assuan_context_t ctx, char *line) force = has_option (line, "--force"); line = skip_options (line); + /* If the use of a loopback pinentry has been disabled, we assume + * that a silent deletion of keys shall also not be allowed. */ + if (!opt.allow_loopback_pinentry) + force = 0; + err = parse_keygrip (ctx, line, grip); if (err) goto leave; diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index 2989d3b52..b45874d52 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi @@ -337,6 +337,10 @@ internal cache of @command{gpg-agent} with passphrases. Disallow or allow clients to use the loopback pinentry features; see the option @option{pinentry-mode} for details. Allow is the default. +The @option{--force} option of the Assuan command @command{DELETE_KEY} +is also controlled by this option: The option is ignored if a loopback +pinentry is disallowed. + @item --no-allow-external-cache @opindex no-allow-external-cache Tell Pinentry not to enable features which use an external cache for 
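Review bot: In the second agent/command.c hunk, `force` is cleared silently when `opt.allow_loopback_pinentry` is off, and nothing visible here records that a key was deleted without confirmation when it is on. The doc/gpg-agent.texi hunk states that allowing loopback is the default, so a forced deletion leaves no agent-side trace unless code outside the hunk logs it. Consider `log_info ("DELETE_KEY: --force ignored; loopback pinentry is disabled\n");` inside the new `if`, plus a matching log line on the path where deletion proceeds with `force` set. cmd_delete_key's body continues outside the hunk, so check for existing logging there first.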
@@ -820,8 +824,17 @@ fi @section Agent's Assuan Protocol Note: this section does only document the protocol, which is used by -GnuPG components; it does not deal with the ssh-agent protocol. +GnuPG components; it does not deal with the ssh-agent protocol. To +see the full specification of each command, use + +@example + gpg-connect-agent 'help COMMAND' /bye +@end example +@noindent +or just 'help' to list all available commands. + +@noindent The @command{gpg-agent} daemon is started on demand by the GnuPG components. diff --git a/doc/gpg.texi b/doc/gpg.texi index 3cad36179..a09e610c2 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -376,13 +376,20 @@ safeguard against accidental deletion of multiple keys. @item --delete-secret-keys @code{name} @opindex delete-secret-keys -Remove key from the secret keyring. In batch mode the key -must be specified by fingerprint. +gRemove key from the secret keyring. In batch mode the key must be +specified by fingerprint. The option @option{--yes} can be used to +advice gpg-agent not to request a confirmation. This extra +pre-caution is done because @command{gpg} can't be sure that the +secret key (as controlled by gpg-agent) is only used for the given +OpenPGP public key. + @item --delete-secret-and-public-key @code{name} @opindex delete-secret-and-public-key Same as @option{--delete-key}, but if a secret key exists, it will be removed first. In batch mode the key must be specified by fingerprint. +The option @option{--yes} can be used to advice gpg-agent not to +request a confirmation. @item --export @opindex export diff --git a/g10/call-agent.c b/g10/call-agent.c index c5bd694f0..d8c6dede3 100644 --- a/g10/call-agent.c +++ b/g10/call-agent.c 
@@ -2349,9 +2349,11 @@ agent_export_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc, /* Ask the agent to delete the key identified by HEXKEYGRIP. If DESC is not NULL, display DESC instead of the default description - message. */ + message. If FORCE is true the agent is advised not to ask for + confirmation. */ gpg_error_t -agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc) +agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc, + int force) { gpg_error_t err; char line[ASSUAN_LINELENGTH]; @@ -2376,7 +2378,8 @@ agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc) return err; } - snprintf (line, DIM(line)-1, "DELETE_KEY %s", hexkeygrip); + snprintf (line, DIM(line)-1, "DELETE_KEY%s %s", + force? " --force":"", hexkeygrip); err = assuan_transact (agent_ctx, line, NULL, NULL, default_inq_cb, &dfltparm, NULL, NULL); diff --git a/g10/call-agent.h b/g10/call-agent.h index 208b75b2d..06a19d47b 100644 --- a/g10/call-agent.h +++ b/g10/call-agent.h @@ -196,7 +196,7 @@ gpg_error_t agent_export_key (ctrl_t ctrl, const char *keygrip, /* Delete a key from the agent. */ gpg_error_t agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, - const char *desc); + const char *desc, int force); /* Change the passphrase of a key. */ gpg_error_t agent_passwd (ctrl_t ctrl, const char *hexkeygrip, const char *desc, diff --git a/g10/delkey.c b/g10/delkey.c index f76277c5a..966c5712f 100644 --- a/g10/delkey.c +++ b/g10/delkey.c 
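Review bot: The prototype comment in g10/call-agent.h still reads `/* Delete a key from the agent. */` and says nothing about the new FORCE parameter, although the definition's comment in g10/call-agent.c was updated. Callers reading only the header will not learn that FORCE is advisory: the agent/command.c hunk shows the agent drops `--force` when loopback pinentry is disallowed. Suggested wording: `/* Delete a key from the agent. If FORCE is true the agent is advised not to ask for confirmation; the agent may ignore this. */`.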
@@ -184,8 +184,14 @@ do_delete_key( const char *username, int secret, int force, int *r_sec_avail ) prompt = gpg_format_keydesc (node->pkt->pkt.public_key, FORMAT_KEYDESC_DELKEY, 1); err = hexkeygrip_from_pk (node->pkt->pkt.public_key, &hexgrip); + /* NB: We require --yes to advise the agent not to + * request a confirmation. The rationale for this extra + * pre-caution is that since 2.1 the secret key may also + * be used for other protocols and thus deleting it from + * the gpg would also delete the key for other tools. */ if (!err) - err = agent_delete_key (NULL, hexgrip, prompt); + err = agent_delete_key (NULL, hexgrip, prompt, + opt.answer_yes); xfree (prompt); xfree (hexgrip); if (err) |
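Review bot: The call passes `opt.answer_yes` alone as FORCE, while the commit message describes unattended deletion as needing --batch and --yes. Unless an earlier check in do_delete_key ties this to batch mode, an interactive `--yes` also suppresses the agent's confirmation. `--yes` is a general-purpose switch, so existing scripts that already pass it will start deleting secret keys without the agent prompt after this change. If the commit message is the intended contract, the argument could be `opt.batch && opt.answer_yes`. In the added comment, "deleting it from the gpg" would read better as "deleting it via gpg". The enclosing function starts and ends outside the hunk.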