[Pkg-gnupg-commit] [gnupg2] 05/102: gpg: Allow unattended deletion of secret keys.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jun 17 00:14:48 UTC 2016 

This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch experimental
in repository gnupg2.

commit ac9ff644b12c4dfa55d466af8ae6af54d1646893
Author: Werner Koch <wk at gnupg.org>
Date:   Tue May 10 11:01:42 2016 +0200

    gpg: Allow unattended deletion of secret keys.
    
    * agent/command.c (cmd_delete_key): Make the --force option depend on
    --disallow-loopback-passphrase.
    * g10/call-agent.c (agent_delete_key): Add arg FORCE.
    * g10/delkey.c (do_delete_key): Pass opt.answer_yes to
    agent_delete_key.
    --
    
    Unless the agent has been configured with
    --disallow-loopback-passpharse an unattended deletion of a secret key
    is now possible with gpg by using --batch _and_ --yes.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>
---
 agent/command.c    | 10 ++++++++--
 doc/gpg-agent.texi | 15 ++++++++++++++-
 doc/gpg.texi       | 11 +++++++++--
 g10/call-agent.c   |  9 ++++++---
 g10/call-agent.h   |  2 +-
 g10/delkey.c       |  8 +++++++-
 6 files changed, 45 insertions(+), 10 deletions(-)

diff --git a/agent/command.c b/agent/command.c
index c94fdd3..dfbb831 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -2333,8 +2333,9 @@ cmd_export_key (assuan_context_t ctx, char *line)
 static const char hlp_delete_key[] =
   "DELETE_KEY [--force] <hexstring_with_keygrip>\n"
   "\n"
-  "Delete a secret key from the key store.\n"
-  "Unless --force is used the agent asks the user for confirmation.\n";
+  "Delete a secret key from the key store.  If --force is used\n"
+  "and a loopback pinentry is allowed, the agent will not ask\n"
+  "the user for confirmation.";
 static gpg_error_t
 cmd_delete_key (assuan_context_t ctx, char *line)
 {
@@ -2349,6 +2350,11 @@ cmd_delete_key (assuan_context_t ctx, char *line)
   force = has_option (line, "--force");
   line = skip_options (line);
 
+  /* If the use of a loopback pinentry has been disabled, we assume
+   * that a silent deletion of keys shall also not be allowed.  */
+  if (!opt.allow_loopback_pinentry)
+    force = 0;
+
   err = parse_keygrip (ctx, line, grip);
   if (err)
     goto leave;
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 2989d3b..b45874d 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -337,6 +337,10 @@ internal cache of @command{gpg-agent} with passphrases.
 Disallow or allow clients to use the loopback pinentry features; see
 the option @option{pinentry-mode} for details.  Allow is the default.
 
+The @option{--force} option of the Assuan command @command{DELETE_KEY}
+is also controlled by this option: The option is ignored if a loopback
+pinentry is disallowed.
+
 @item --no-allow-external-cache
 @opindex no-allow-external-cache
 Tell Pinentry not to enable features which use an external cache for
@@ -820,8 +824,17 @@ fi
 @section Agent's Assuan Protocol
 
 Note: this section does only document the protocol, which is used by
-GnuPG components; it does not deal with the ssh-agent protocol.
+GnuPG components; it does not deal with the ssh-agent protocol.  To
+see the full specification of each command, use
+
+ at example
+  gpg-connect-agent 'help COMMAND' /bye
+ at end example
 
+ at noindent
+or just 'help' to list all available commands.
+
+ at noindent
 The @command{gpg-agent} daemon is started on demand by the GnuPG
 components.
 
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 3cad361..a09e610 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -376,13 +376,20 @@ safeguard against accidental deletion of multiple keys.
 
 @item --delete-secret-keys @code{name}
 @opindex delete-secret-keys
-Remove key from the secret keyring. In batch mode the key
-must be specified by fingerprint.
+gRemove key from the secret keyring. In batch mode the key must be
+specified by fingerprint.  The option @option{--yes} can be used to
+advice gpg-agent not to request a confirmation.  This extra
+pre-caution is done because @command{gpg} can't be sure that the
+secret key (as controlled by gpg-agent) is only used for the given
+OpenPGP public key.
+
 
 @item --delete-secret-and-public-key @code{name}
 @opindex delete-secret-and-public-key
 Same as @option{--delete-key}, but if a secret key exists, it will be
 removed first. In batch mode the key must be specified by fingerprint.
+The option @option{--yes} can be used to advice gpg-agent not to
+request a confirmation.
 
 @item --export
 @opindex export
diff --git a/g10/call-agent.c b/g10/call-agent.c
index c5bd694..d8c6ded 100644
--- a/g10/call-agent.c
+++ b/g10/call-agent.c
@@ -2349,9 +2349,11 @@ agent_export_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
 

 /* Ask the agent to delete the key identified by HEXKEYGRIP.  If DESC
    is not NULL, display DESC instead of the default description
-   message.  */
+   message.  If FORCE is true the agent is advised not to ask for
+   confirmation. */
 gpg_error_t
-agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc)
+agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
+                  int force)
 {
   gpg_error_t err;
   char line[ASSUAN_LINELENGTH];
@@ -2376,7 +2378,8 @@ agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc)
         return err;
     }
 
-  snprintf (line, DIM(line)-1, "DELETE_KEY %s", hexkeygrip);
+  snprintf (line, DIM(line)-1, "DELETE_KEY%s %s",
+            force? " --force":"", hexkeygrip);
   err = assuan_transact (agent_ctx, line, NULL, NULL,
                          default_inq_cb, &dfltparm,
                          NULL, NULL);
diff --git a/g10/call-agent.h b/g10/call-agent.h
index 208b75b..06a19d4 100644
--- a/g10/call-agent.h
+++ b/g10/call-agent.h
@@ -196,7 +196,7 @@ gpg_error_t agent_export_key (ctrl_t ctrl, const char *keygrip,
 
 /* Delete a key from the agent.  */
 gpg_error_t agent_delete_key (ctrl_t ctrl, const char *hexkeygrip,
-                              const char *desc);
+                              const char *desc, int force);
 
 /* Change the passphrase of a key.  */
 gpg_error_t agent_passwd (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
diff --git a/g10/delkey.c b/g10/delkey.c
index f76277c..966c571 100644
--- a/g10/delkey.c
+++ b/g10/delkey.c
@@ -184,8 +184,14 @@ do_delete_key( const char *username, int secret, int force, int *r_sec_avail )
               prompt = gpg_format_keydesc (node->pkt->pkt.public_key,
                                            FORMAT_KEYDESC_DELKEY, 1);
               err = hexkeygrip_from_pk (node->pkt->pkt.public_key, &hexgrip);
+              /* NB: We require --yes to advise the agent not to
+               * request a confirmation.  The rationale for this extra
+               * pre-caution is that since 2.1 the secret key may also
+               * be used for other protocols and thus deleting it from
+               * the gpg would also delete the key for other tools. */
               if (!err)
-                err = agent_delete_key (NULL, hexgrip, prompt);
+                err = agent_delete_key (NULL, hexgrip, prompt,
+                                        opt.answer_yes);
               xfree (prompt);
               xfree (hexgrip);
               if (err)

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git

More information about the Pkg-gnupg-commit mailing list