[Pkg-gnupg-commit] [gnupg2] 05/102: gpg: Allow unattended deletion of secret keys.
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Jun 17 00:14:48 UTC 2016
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch experimental
in repository gnupg2.
commit ac9ff644b12c4dfa55d466af8ae6af54d1646893
Author: Werner Koch <wk at gnupg.org>
Date: Tue May 10 11:01:42 2016 +0200
gpg: Allow unattended deletion of secret keys.
* agent/command.c (cmd_delete_key): Make the --force option depend on
--disallow-loopback-passphrase.
* g10/call-agent.c (agent_delete_key): Add arg FORCE.
* g10/delkey.c (do_delete_key): Pass opt.answer_yes to
agent_delete_key.
--
Unless the agent has been configured with
--disallow-loopback-passpharse an unattended deletion of a secret key
is now possible with gpg by using --batch _and_ --yes.
Signed-off-by: Werner Koch <wk at gnupg.org>
---
agent/command.c | 10 ++++++++--
doc/gpg-agent.texi | 15 ++++++++++++++-
doc/gpg.texi | 11 +++++++++--
g10/call-agent.c | 9 ++++++---
g10/call-agent.h | 2 +-
g10/delkey.c | 8 +++++++-
6 files changed, 45 insertions(+), 10 deletions(-)
diff --git a/agent/command.c b/agent/command.c
index c94fdd3..dfbb831 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -2333,8 +2333,9 @@ cmd_export_key (assuan_context_t ctx, char *line)
static const char hlp_delete_key[] =
"DELETE_KEY [--force] <hexstring_with_keygrip>\n"
"\n"
- "Delete a secret key from the key store.\n"
- "Unless --force is used the agent asks the user for confirmation.\n";
+ "Delete a secret key from the key store. If --force is used\n"
+ "and a loopback pinentry is allowed, the agent will not ask\n"
+ "the user for confirmation.";
static gpg_error_t
cmd_delete_key (assuan_context_t ctx, char *line)
{
@@ -2349,6 +2350,11 @@ cmd_delete_key (assuan_context_t ctx, char *line)
force = has_option (line, "--force");
line = skip_options (line);
+ /* If the use of a loopback pinentry has been disabled, we assume
+ * that a silent deletion of keys shall also not be allowed. */
+ if (!opt.allow_loopback_pinentry)
+ force = 0;
+
err = parse_keygrip (ctx, line, grip);
if (err)
goto leave;
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 2989d3b..b45874d 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -337,6 +337,10 @@ internal cache of @command{gpg-agent} with passphrases.
Disallow or allow clients to use the loopback pinentry features; see
the option @option{pinentry-mode} for details. Allow is the default.
+The @option{--force} option of the Assuan command @command{DELETE_KEY}
+is also controlled by this option: The option is ignored if a loopback
+pinentry is disallowed.
+
@item --no-allow-external-cache
@opindex no-allow-external-cache
Tell Pinentry not to enable features which use an external cache for
@@ -820,8 +824,17 @@ fi
@section Agent's Assuan Protocol
Note: this section does only document the protocol, which is used by
-GnuPG components; it does not deal with the ssh-agent protocol.
+GnuPG components; it does not deal with the ssh-agent protocol. To
+see the full specification of each command, use
+
+ at example
+ gpg-connect-agent 'help COMMAND' /bye
+ at end example
+ at noindent
+or just 'help' to list all available commands.
+
+ at noindent
The @command{gpg-agent} daemon is started on demand by the GnuPG
components.
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 3cad361..a09e610 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -376,13 +376,20 @@ safeguard against accidental deletion of multiple keys.
@item --delete-secret-keys @code{name}
@opindex delete-secret-keys
-Remove key from the secret keyring. In batch mode the key
-must be specified by fingerprint.
+gRemove key from the secret keyring. In batch mode the key must be
+specified by fingerprint. The option @option{--yes} can be used to
+advice gpg-agent not to request a confirmation. This extra
+pre-caution is done because @command{gpg} can't be sure that the
+secret key (as controlled by gpg-agent) is only used for the given
+OpenPGP public key.
+
@item --delete-secret-and-public-key @code{name}
@opindex delete-secret-and-public-key
Same as @option{--delete-key}, but if a secret key exists, it will be
removed first. In batch mode the key must be specified by fingerprint.
+The option @option{--yes} can be used to advice gpg-agent not to
+request a confirmation.
@item --export
@opindex export
diff --git a/g10/call-agent.c b/g10/call-agent.c
index c5bd694..d8c6ded 100644
--- a/g10/call-agent.c
+++ b/g10/call-agent.c
@@ -2349,9 +2349,11 @@ agent_export_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
/* Ask the agent to delete the key identified by HEXKEYGRIP. If DESC
is not NULL, display DESC instead of the default description
- message. */
+ message. If FORCE is true the agent is advised not to ask for
+ confirmation. */
gpg_error_t
-agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc)
+agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
+ int force)
{
gpg_error_t err;
char line[ASSUAN_LINELENGTH];
@@ -2376,7 +2378,8 @@ agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc)
return err;
}
- snprintf (line, DIM(line)-1, "DELETE_KEY %s", hexkeygrip);
+ snprintf (line, DIM(line)-1, "DELETE_KEY%s %s",
+ force? " --force":"", hexkeygrip);
err = assuan_transact (agent_ctx, line, NULL, NULL,
default_inq_cb, &dfltparm,
NULL, NULL);
diff --git a/g10/call-agent.h b/g10/call-agent.h
index 208b75b..06a19d4 100644
--- a/g10/call-agent.h
+++ b/g10/call-agent.h
@@ -196,7 +196,7 @@ gpg_error_t agent_export_key (ctrl_t ctrl, const char *keygrip,
/* Delete a key from the agent. */
gpg_error_t agent_delete_key (ctrl_t ctrl, const char *hexkeygrip,
- const char *desc);
+ const char *desc, int force);
/* Change the passphrase of a key. */
gpg_error_t agent_passwd (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
diff --git a/g10/delkey.c b/g10/delkey.c
index f76277c..966c571 100644
--- a/g10/delkey.c
+++ b/g10/delkey.c
@@ -184,8 +184,14 @@ do_delete_key( const char *username, int secret, int force, int *r_sec_avail )
prompt = gpg_format_keydesc (node->pkt->pkt.public_key,
FORMAT_KEYDESC_DELKEY, 1);
err = hexkeygrip_from_pk (node->pkt->pkt.public_key, &hexgrip);
+ /* NB: We require --yes to advise the agent not to
+ * request a confirmation. The rationale for this extra
+ * pre-caution is that since 2.1 the secret key may also
+ * be used for other protocols and thus deleting it from
+ * the gpg would also delete the key for other tools. */
if (!err)
- err = agent_delete_key (NULL, hexgrip, prompt);
+ err = agent_delete_key (NULL, hexgrip, prompt,
+ opt.answer_yes);
xfree (prompt);
xfree (hexgrip);
if (err)
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git
More information about the Pkg-gnupg-commit
mailing list