From: "Michael Teichgräber" <mt@wmipf.in-berlin.de>
Subject: Re: pgg*.el and passphrase caching
Date: Wed, 20 Aug 2003 09:29:58 +0200
Message-ID: <87u18clrbd.fsf@wmipf.in-berlin.de>
In-Reply-To: <gegg.m3lltqnhot.fsf@beldin.gothgoose.net> (Mark Trettin's message of "Tue, 19 Aug 2003 11:02:42 +0200")
Mark Trettin <mtr-dev0@gmx.de> writes:
> I *think* the problem is that all messages are also "encrypted to self"
> and pgg.el wants to take the first Key-ID it finds (and this is the one
> of the originator of the mail).
This looks like the same issue I once reported on gnus-bug@gnus.org:
| Message-ID: <87he9ww7pt.fsf@iridium.renata.de>
| Subject: pgg-decrypt-region: wrong key-ID displayed
| Date: Sat, 22 Mar 2003 01:44:30 +0100
|
| when trying to decrypt a message that has been encrypted to me and to
| the sender, the sender's key-ID is displayed when PGG is prompting for
| the passphrase of _my_ key.
|
| The reason for this is the way the local `pgg-default-user-id' is
| determined within pgg-decrypt-region in pgg.el:
|
| (packet (cdr (assq 1 (with-temp-buffer
|                        (insert-buffer buf)
|                        (pgg-decode-armor-region
|                         (point-min) (point-max))))))
| (key (cdr (assq 'key-identifier packet)))
| (pgg-default-user-id
|  (if key
|      (concat "0x" (pgg-truncate-key-identifier key))
|    pgg-default-user-id))
|
| For example, pgg-decode-armor-region returns a list like this:
|
| ((18)
|  (1
|   (version . 3)
|   (key-identifier . "7F362B5EDCE28EC5")      <-- sender's key-ID
|   (public-key-algorithm . ELG-E))
|  (1
|   (version . 3)
|   (key-identifier . "DC38B8B40E9C9C4B")      <-- my key ID
|   (public-key-algorithm . ELG-E))) ,
|
| so that `(cdr (assq 1 ...' leads to a `packet' containing the sender's
| key information. PGG then prompts with `GnuPG passphrase for 0xDCE28EC5:'
| instead of `...0E9C9C4B:'.
|
| A way to change this could be first to search for a packet containing
| a key identifier that equals the (long) key identifier of the key with
| user ID `pgg-default-user-id', and then--if no matching packet could
| be found--use the sequence as it is coded at the moment.
|
| This can be a bit complicated, since the user ID `pgg-default-user-id'
| may be given in various ways, so that it would be necessary to invoke
| something similar to `(pgg-*-lookup-key pgg-default-user-id t)' to get
| a list of long key identifiers of subkeys (`ssb') of this private key.
|
| An easy approach would be to change the prompt into just `GnuPG
| passphrase:' without showing the key identifier.
|
|
| The current implementation also has the (keyboard-wearing) side
| effect that passphrase caching in these cases does not work, since
| the passphrase of the sender's secret key obviously cannot be in my
| cache. (The easy approach would not fix this.)
I've appended a patch I used at that time to get it working the
following way:
> Is there a way to say: "Always take one of my Key-IDs"? And then
> decrypt the messages with the cached phrase?
The interface in PGG is extended by a function
pgg-lookup-secret-keys-avail (similar to pgg-lookup-key) that should
return a list of IDs of all your secret keys. Each backend would have
to define such a function. I only implemented one for the
GnuPG-backend: pgg-gpg-lookup-secret-keys-avail.
Then, in pgg-decrypt-region, Gnus wouldn't only extract the key ID of
the first packet of the message, but those of all key packets.
This list `msg-keys' is then intersected with the `user-keys' returned
by pgg-gpg-lookup-secret-keys-avail. The first match is used as the `key'
ID (in contrast to the key ID of the first packet, as it is coded in
PGG at the moment).
Because I have switched to using gpg-agent, where Gnus' passphrase
caching won't be used, I forgot about this problem.
Perhaps the appended patch can serve as an example for a fix that
covers all PGG backends.
--
Michael
Index: pgg-gpg.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/pgg-gpg.el,v
retrieving revision 6.18
diff -u -p -r6.18 pgg-gpg.el
--- pgg-gpg.el 8 Aug 2003 23:25:24 -0000 6.18
+++ pgg-gpg.el 20 Aug 2003 07:12:52 -0000
@@ -117,6 +117,24 @@
(progn (end-of-line)(point)))
":")) 8)))))
+(defun pgg-gpg-lookup-secret-keys-avail ()
+ "Get a list of all key IDs from secret keyring."
+ (let ((args (list "--with-colons" "--no-greeting" "--batch"
+ "--list-secret-keys" "--fast-list-mode"))
+ keylist)
+ (with-temp-buffer
+ (apply #'call-process pgg-gpg-program nil t nil args)
+ (goto-char (point-min))
+ (while (re-search-forward "^\\(ssb\\|sec\\|sub\\|pub\\):" nil t)
+ (setq keylist
+ (cons
+ (substring
+ (nth 3 (split-string
+ (buffer-substring (- (match-end 0) 1)
+ (progn (end-of-line)(point)))
+ ":")) 8) keylist))))
+ keylist))
+
(defun pgg-gpg-encrypt-region (start end recipients &optional sign)
"Encrypt the current region between START and END.
If optional argument SIGN is non-nil, do a combined sign and encrypt."
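Review bot: in `pgg-gpg-lookup-secret-keys-avail` the substring handed to `split-string` starts at `(- (match-end 0) 1)`, i.e. at the colon that terminates the record-type field, so `(nth 3 ...)` only lands on the key-ID field if `split-string` discards the leading empty element; starting at `(match-end 0)` removes that dependency. Two smaller points: the `pub` and `sub` alternatives in the regexp can never match output of `--list-secret-keys`, and a non-zero exit status of `call-process` (no secret keyring, wrong `pgg-gpg-program`) is not checked, so the function silently returns nil; the docstring should say that nil means "no secret keys found" so callers can tell the two cases apart.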
Index: pgg.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/pgg.el,v
retrieving revision 6.20
diff -u -p -r6.20 pgg.el
--- pgg.el 24 Jul 2003 02:58:18 -0000 6.20
+++ pgg.el 20 Aug 2003 07:12:52 -0000
@@ -192,11 +192,26 @@ the region."
"Decrypt the current region between START and END."
(interactive "r")
(let* ((buf (current-buffer))
- (packet (cdr (assq 1 (with-temp-buffer
+ (packets (with-temp-buffer
(insert-buffer-substring buf)
- (pgg-decode-armor-region
- (point-min) (point-max))))))
- (key (cdr (assq 'key-identifier packet)))
+ (pgg-decode-armor-region start end)))
+ (packet (cdr (assq 1 packets)))
+ (key (let (found-key
+ msg-keys
+ (user-keys
+ (pgg-lookup-secret-keys-avail)))
+ ;; extract key IDs from session key packets -> msg-keys
+ (dolist (element packets msg-keys)
+ (if (eq (car element) 1)
+ (let ((key (assq 'key-identifier element)))
+ (if key (setq msg-keys
+ (cons (pgg-truncate-key-identifier
+ (cdr key)) msg-keys))))))
+ ;; intersect key IDs of available secret keys with msg-keys
+ (dolist (key user-keys found-key)
+ (if (member key msg-keys)
+ (unless found-key (setq found-key key))))
+ (if found-key found-key (cdr (assq 'key-identifier packet)))))
(pgg-default-user-id
(if key
(concat "0x" (pgg-truncate-key-identifier key))
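Review bot: replacing `(point-min) (point-max)` with `start end` in the `pgg-decode-armor-region` call is a behaviour change unrelated to the key selection, and it is only correct when BUF is not narrowed: `insert-buffer-substring` copies the accessible portion of BUF to position 1 of the temp buffer, so START and END taken from the original buffer no longer line up with the copied text. Also, `found-key` holds a truncated ID from `user-keys` while the fallback `(cdr (assq 'key-identifier packet))` is the full identifier, and the inner `(dolist (key user-keys found-key)` shadows the `key` that is being bound; `(or found-key (cdr (assq 'key-identifier packet)))` and a distinct loop variable would read more clearly. A one-line comment stating why the intersection is needed (messages encrypted to several recipients, the first session-key packet being the sender's) belongs here, since only the mail body explains it.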
@@ -341,6 +356,9 @@ within the region."
(defun pgg-lookup-key (string &optional type)
(pgg-invoke "lookup-key" (or pgg-scheme pgg-default-scheme) string type))
+
+(defun pgg-lookup-secret-keys-avail ()
+ (pgg-invoke "lookup-secret-keys-avail" (or pgg-scheme pgg-default-scheme)))
(defvar pgg-insert-url-function (function pgg-insert-url-with-w3))
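Review bot: `pgg-lookup-secret-keys-avail` dispatches through `pgg-invoke` to `pgg-<scheme>-lookup-secret-keys-avail`, but per the mail only the GnuPG backend defines that function, so with `pgg-default-scheme` set to any other backend `pgg-decrypt-region` now signals a void-function error before decryption even starts. Guard the call with `fboundp` (or `condition-case`) and return nil, which the intersection in `pgg-decrypt-region` already treats as "no match, fall back to the first packet"; that keeps the other backends working until they grow their own implementation.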
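The key selection the mail describes (collect the key IDs of all session-key packets, prefer one that belongs to an own secret key, otherwise fall back to the first packet) as a stand-alone added example; this is not the patch's or PGG's own code. It runs over a packet list shaped like the one quoted in the old bug report and takes the list of own key IDs as a plain argument instead of calling gpg; the `my-` names are assumptions.

```elisp
;; Constructed packet list, shaped like the pgg-decode-armor-region
;; output quoted in the report above (tag 18 = encrypted data,
;; tag 1 = public-key-encrypted session key, one per recipient).
(defconst my-example-packets
  '((18)
    (1 (version . 3)
       (key-identifier . "7F362B5EDCE28EC5")   ; sender's key
       (public-key-algorithm . ELG-E))
    (1 (version . 3)
       (key-identifier . "DC38B8B40E9C9C4B")   ; recipient's own key
       (public-key-algorithm . ELG-E))))

(defun my-short-id (id)
  "Return the last 8 hex digits of key ID string ID (a short key ID)."
  (if (> (length id) 8) (substring id 8) id))

(defun my-session-key-ids (packets)
  "Return the key IDs of all tag-1 packets in PACKETS, in message order."
  (let (ids)
    (dolist (pkt packets (nreverse ids))
      (when (eq (car pkt) 1)
        (let ((id (cdr (assq 'key-identifier pkt))))
          (when id (push id ids)))))))

(defun my-choose-decrypt-key (packets own-ids)
  "Pick the key ID to prompt a passphrase for.
PACKETS is a decoded armor packet list; OWN-IDS are the (long or short)
IDs of the secret keys available locally.  The first session-key packet
addressed to one of OWN-IDS wins; with no match the first packet's ID is
used, which is what pgg-decrypt-region does unconditionally."
  (let ((own-short (mapcar #'my-short-id own-ids))
        (msg-ids (my-session-key-ids packets)))
    (or (catch 'found
          (dolist (id msg-ids nil)
            (when (member (my-short-id id) own-short)
              (throw 'found id))))
        (car msg-ids))))

;; With the own key known, the second packet is chosen and the prompt
;; names 0x0E9C9C4B; with an unrelated key list the old behaviour
;; (sender's 0xDCE28EC5) is reproduced as the fallback.
(my-choose-decrypt-key my-example-packets '("DC38B8B40E9C9C4B"))
(my-choose-decrypt-key my-example-packets '("0000000011111111"))
```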