[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Improving gpg-agent support

From: Ben Reser <ben_at_reser.org>
Date: Thu, 05 Jun 2014 15:47:06 -0700

On 6/2/14, 6:59 PM, Ben Reser wrote:
> The failure to cache on the first connection to the realm issue is a little bit
> harder to solve. There is actually a PRESET_PASSPHARSE call in gpg-agent's
> API. But it only works when gpg-agent is started with
> --allow-preset-passphrase. I think we should make the save function of the
> gpg-agent provider implement the PRESET_PASSPHRASE call. We can document to
> users they will have a better experience if they provide the
> --allow-preset-passphrase option to gpg-agent when they start it. We can
> ignore errors if it doesn't.
> There is another option and that is to use gpg-agent as a dumb store like we do
> other caches by combining PRESET_PASSPHRASE in the save function and
> GET_PASSPHARSE --no-ask in the first function. This would allow us to retain
> the behavior that the svn client asks for the password and thus not have to
> jump through hoops to support the cache system being responsible for the UI to
> request the password. Doing this of course would rquire that
> --allow-preset-passphrase be passed. So I think it'd probably be best to have
> a setting in our Subversion config that enables this mode but that then fails
> if --allow-preset-passphrase is not enabled on gpg-agent. This behavior would
> give the best experience to our users, but since it's intrusive on gpg-agent's
> configuration I don't think it should be default.

Neither of these two ideas can actually be done. Or at least I don't think
it's a good idea to implement them. When I wrote this email I'd seen this in
the help output from gpg-connect-agent:
# PRESET_PASSPHRASE <string_or_keygrip> <timeout> <hexstring>

So I went looking to find out what value to set the timeout to to say use
whatever the configured timeout is. Turns out that there is a much longer help
output for the specific commands and it returns:
# Set the cached passphrase/PIN for the key identified by the keygrip
# to passwd for the given time, where -1 means infinite and 0 means
# the default (currently only a timeout of -1 is allowed, which means
# to never expire it). If passwd is not provided, ask for it via the
# pinentry module.

As you can see only an infinite timeout is supported, which is not what I
believe people want with this support.

So I believe what I committed in r1600781 will be the final improvement we can
make. Without some additional improvements on the gpg-agent side.
Received on 2014-06-06 00:47:32 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.