Does gpg ask for password even with gpg-agent

gpg-agent

I started gpg-agent as follows:

eval `gpg-agent --daemon --preset`

and in this terminal window, used the gpg-preset-passphrase command as recommended:

echo secretpassword | /usr/libexec/gpg-preset-passphrase --preset KEYGRIPID

I then used this answer to verify the password was indeed correctly cached:

echo 'GET_PASSPHRASE --no-ask KEYGRIPID Err Pmt Des'|gpg-connect-agent |
  perl -pe 's/([0-9a-fA-F]{2})/chr(hex $1)/eg'

When I now run gpg to sign or encrypt something, I get prompted for a password. This should not happen.

gpg -u KEYGRIPID --clearsign --batch somefile.txt

<curses-based prompt>

Once I enter the password correctly, and re-run the gpg-sign command, I do not get prompted. This indicates that the password is cached, albeit differently.

gpg version 2.0.14

Best Answer

It's not the keygripid but the fingerprint of the key. Here is the reference. Here's a fugly perl script to help you extract the needed values:

gpg -K --fingerprint | 
perl -lne '$/="\n\n"' \
 -e if ( ($len,$grip,$fp)=/^sec\s+(\w+)\/([0-9A-Z]+).* fingerprint = (.*?)\s+uid\s/ms)' \
 -e { $fp =~ s/\s*//g; print "$grip $fp";}'

outputs:

EF2141BE 24C5202D6905CB0A5C94AB36134E3618EF6141B8
1BA3D65B 484EE4F3DC2595FAF91F51A9731342954BAFD753

Copy the 2nd column and pass that into the preset command

echo secretpassword | /usr/libexec/gpg-preset-passphrase --preset

Related Solutions

GPG-Agent – Using gpg-agent Between Different Sessions

gpg does not look for the socket (this is different with the new version 2.1) but for the environment variable GPG_AGENT_INFO. This is not set on log in. That is the problem. Obviously you have the option use-standard-socket in gpg-agent.conf so that the socket name is always the same.

You should set the variable in a login script run a simple script afterwards which checks whether gpg-agent is running:

export GPG_AGENT_INFO=/path/to/your/HOME/.gnupg/S.gpg-agent:42:1
gpg-connect-agent /bye &>/dev/null || gpg-agent --daemon &>/dev/null

That is the part for using gpg. For SSH you also need SSH_AUTH_SOCK. The easiest way to get both variables set is to add the line

write-env-file "${HOME}/.gpg-agent-info

to the config file gpg-agent.conf and to run this script after the above:

. "${HOME}/.gpg-agent-info"
export SSH_AUTH_SOCK

This is explaned in the gpg-agent man page.

How does GPG agent work

Gpg-agent is a program that runs in the background (a daemon) and stores GPG secret keys in memory. When a GPG process needs the key, it contacts the running gpg-agent program through a socket and requests the key. If the agent process has the key, it provides it to gpg. If it doesn't, it attempts to load the encrypted key from your keyring, and prompts you for the key's passphrase. Once the agent has obtained the decrypted key, it passes it to the gpg process. In addition to GPG keys, Gpg-agent can similarly store SSH keys and provide them to SSH processes, like the ssh-agent program that comes with SSH.

The main point of using a key agent is so that you don't have to type your passphrase every single time you use your key. The agent keeps the key in memory from one time to the next. GPG itself can't do that because the process terminates once it's done its job.

Another thing that a key agent can do is allow GPG running on a remote machine to obtain keys in the local agent (which may load them from a local file and prompt for your passphrase). Gpg-agent can't do this yet, it is a planned feature. SSH has had agent forwarding for a very long time. (This is a reason not to use gpg-agent for SSH keys.)

GPG 1.x or 2.0.x knows that the agent is running because the GPG_AGENT_INFO variable is set. This variable contains the location of the socket to communicate with the agent as well as the process ID of the agent. GPG 2.1 always places the agent socket in ~/.gnupg. GPG 2.x always starts an agent process if one isn't running.

You can start the agent simply by running gpg-agent. If you want to keep an agent process as part of your session, you can replace the invocation of your session manager by gpg-agent my-session-manager; some distributions set this up automatically. GPG will automatically start the agent, and GPG 2.1 will additionally find a running agent without needing an environment variable, so you don't need to start it this way unless you use an older version of GPG or you use the agent to store other types of keys such as SSH.

You can send the agent commands with the gpg-connect-agent shell command. Send the kill command to kill the agent process (or send it a signal).

Gpg-agent ships with GPG itself. Some distributions package it separately.

Best Answer

Related Solutions

GPG-Agent – Using gpg-agent Between Different Sessions

How does GPG agent work

Related Question