From: Kristian Fiskerstrand
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] can't gpg sign with repoman, but can with git
Date: Thu, 20 Jul 2017 10:16:50 +0200
Message-ID: <91c6cc7d-2e03-4dc9-0c58-c63d049d13d0@gentoo.org>
In-Reply-To: <20170720084941.52a0a9f4da604dd2de65fe74@gentoo.org>
On 07/20/2017 07:49 AM, Andrew Savchenko wrote:
> Some pinentry issues imho if GPG_TTY makes it work, at least it was
> when I hit that half a year ago with this suggested as a solution. It's
> not a solution, it's a workaround, as users need to do something.

This is a documented feature from upstream, mainly on secure systems you want pinentry to be directed to a specific terminal and not whichever an application calling gpg is called from, as this can also result in information leak if a fake pinentry is used etc. So by default, pinentry is started with the tty that gpg-agent is started in, which can be a protected environment (even more so with the possibility of remote gpg-agent, allowing it to run in a protected sandbox and communicating solely over IPC).

With the graphical pinentries this is a bit different (they are less secure by design, since they are running on a system with a GUI to begin with...), gnome3 one will use some DBUS funkery, whereby gtk+ and qt ones will be easier to debug as they rely mostly on DISPLAY variable to trigger.
By default a curses pinentry is used as fallback (but that requires proper GPG_TTY, of which the proper very much can be the initial tty from the agent).

What I have noticed with regards to git though, but not had time to debug, is that it seems to do something odd with regards to communicating with the agent to begin with, and possibly spawns an own agent, at least sufficiently confusing that for smartcard use it fails to access the card due to locking and needing to re-insert the card... with similar mechanism to use it outside of git context again afterwards.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
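The mechanism discussed in this thread (gpg-agent hands pinentry to the terminal recorded in GPG_TTY, curses pinentry being the fallback) can be operated from a shell profile. The script below is an added example, not code from the thread or from GnuPG itself: it sets GPG_TTY, asks an already running agent to switch to that terminal with the documented `gpg-connect-agent updatestartuptty /bye` command, and lists which `pinentry-program` a gpg-agent.conf selects. The tty path and config file used in the self-check are constructed for the demo, and the RUN_DEMO environment variable is an assumption of this script, not a GnuPG setting.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): point pinentry at the
# terminal you are actually typing in, the way GnuPG documents it, and
# inspect the agent configuration that decides which pinentry is spawned.

# Export GPG_TTY for the controlling terminal. An explicit device path may
# be passed (used for the self-check); otherwise tty(1) is consulted.
# Returns 1 when there is no terminal, since a curses pinentry can then
# never appear and gpg falls into exactly the confusing state described.
gpg_tty_setup() {
    _tty=${1:-$(tty 2>/dev/null || true)}
    case "$_tty" in
        /dev/*) GPG_TTY=$_tty; export GPG_TTY; return 0 ;;
        *)      return 1 ;;
    esac
}

# Tell a running gpg-agent to use the tty in GPG_TTY for its next pinentry.
# 'updatestartuptty' is a real gpg-connect-agent command; the function
# returns 2 (rather than failing hard) when the tool is not installed.
gpg_agent_refresh_tty() {
    command -v gpg-connect-agent >/dev/null 2>&1 || return 2
    gpg-connect-agent updatestartuptty /bye >/dev/null
}

# Print the pinentry-program lines from a gpg-agent.conf (default path
# assumed to be ~/.gnupg/gpg-agent.conf). Commented-out lines are skipped.
# Prints nothing when the file is absent, meaning the built-in default
# pinentry applies.
gpg_agent_pinentry() {
    _conf=${1:-$HOME/.gnupg/gpg-agent.conf}
    [ -r "$_conf" ] || return 0
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$_conf"
}

# Show which gpg binary git will invoke, so a mismatch between the gpg that
# git runs and the one repoman uses can be spotted. Requires git.
git_gpg_program() {
    command -v git >/dev/null 2>&1 || return 2
    git config --get gpg.program || echo "gpg (git default)"
}

# Interactive demonstration, skipped unless RUN_DEMO=1 is set in the
# environment (assumed variable name for this script only).
if [ "${RUN_DEMO:-0}" = 1 ]; then
    if gpg_tty_setup; then
        echo "GPG_TTY=$GPG_TTY"
    else
        echo "no terminal available: curses pinentry cannot be shown here"
    fi
    gpg_agent_refresh_tty
    echo "updatestartuptty exit status: $?"
    echo "configured pinentry: $(gpg_agent_pinentry)"
    echo "git gpg.program: $(git_gpg_program)"
fi
```

Run it with `RUN_DEMO=1 sh gpg-tty.sh` from the terminal where the commit is being signed, or source the functions and put `gpg_tty_setup` in the shell profile; the refresh call is what makes an agent started from another terminal (or a graphical session) prompt on the current one.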