caching of passphrase is not working in windows , gpg agent version 2.2.23
Hi folks,

I am kind of stuck on this, hence reaching out to you guys.

GPG is prompting for passphrase even though passphrase cached in gpg-agent
<https://stackoverflow.com/questions/64939717/gpg-is-promting-for-passphrase-even-though-passphrase-cache-is-set-in-gpg-agent>
(windows). Following are the steps I did.

1. installed gpg on windows from https://gnupg.org/download/ (version - 2.2.23)

2. imported the key: gpg --import <key File name>

3. in home dir set the allow-preset-passphrase in gpg-agent.conf.

4. from powershell started agent

"$gpgPath\bin\gpg-connect-agent.exe" reloadagent /bye

5. powershell set passphrase

"$gpgPath\bin\gpg-preset-passphrase.exe" -v -c -P "$pgpPassphrase"

6. mvn sign and deploy

mvn gpg:sign-and-deploy-file -B
"-Dfile=E:\Publish\files-1.0.12-test.jar"
"-Durl=https://oss.sonatype.org/service/local/staging/deploy/maven2"
"-Drevision=1.0.12-test" "-DrepositoryId=ossrh"
"-Dversion=1.0.12-test" "-DgroupId=datamodel" "-DartifactId=files"
"-Dsources=E:\Publish\files-1.0.12-test-sources.jar"
"-Djavadoc=E:\Publish\files-1.0.12-test-javadoc.jar"
"-Dpackaging=jar" "-DpomFile=E:\Publish\pom.xml"

It prompted for the passphrase; I already cached it at step 5.

Not sure what is going wrong here. Is it a bug? A few questions, really
appreciate if anyone can help or i

1. I don't see any option in windows to verify if the passphrase has been
cached. Does anyone know how to do that?

2. Are there any steps I am missing, causing the passphrase prompt?

3. Any other direction I should investigate?

I am kind of stuck here. Any help is very much appreciated.
Thanks
Surender
Re: caching of passphrase is not working in windows , gpg agent version 2.2.23
On Mon, 23 Nov 2020 09:18, surender singh pawar said:

> 4. from powershell started agent
>
> "$gpgPath\bin\gpg-connect-agent.exe" reloadagent /bye

Why do you do this? The import operation already started the agent. In
any case to explicitly start the agent please use

gpgconf --launch gpg-agent

> "$gpgPath\bin\gpg-preset-passphrase.exe" -v -c -P "$pgpPassphrase"

You need to add the keygrip to the invocation; from the man page:

gpg-preset-passphrase [options] [command] cacheid

cacheid is either a 40 character keygrip of hexadecimal
characters identifying the key for which the passphrase should be
set or cleared. The keygrip is listed along with the key when
running the command: gpgsm --with-keygrip --list-secret-keys.
Alternatively an arbitrary string may be used to identify a
passphrase; it is suggested that such a string is prefixed with
the name of the application (e.g foo:12346). Scripts should
always use the option --with-colons, which provides the keygrip
in a "grp" line (cf. ‘doc/DETAILS’)/

Thus something like

gpg-preset-passphrase -vcP "$pgpPassphrase" 00112233445566778898aabvccddeeff

You should also review your architecture and the attack tree: Why use a
passphrase at all (with its KDF induced delays) if you put it into a
script. Better remove the passphrase from the key.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: caching of passphrase is not working in windows , gpg agent version 2.2.23
Thanks for quick reply. I did the following command only to put
passphrase in cache (missed id while writing mail), got id from gpg
--list-secret-keys
gpg-preset-passphrase -vcP "$pgpPassphrase" 00112233445566778898aabvccddeeff

How can I confirm if a passphrase is set in the cache? Is there any debug
log which I can see to confirm it?

Can you share, if possible, any steps on how to build the windows gpg agent
from source code? Most docs are for linux.

Details for the question are here as well:
gnupg - windows :GPG is prompting for passphrase even though passphrase
cache is set in gpg-agent - Super User
<https://superuser.com/questions/1604539/windows-gpg-is-prompting-for-passphrase-even-though-passphrase-cache-is-set-in>


Thanks
surender

On Mon, Nov 23, 2020 at 11:55 PM Werner Koch <wk@gnupg.org> wrote:

> On Mon, 23 Nov 2020 09:18, surender singh pawar said:
>
> > 4. from powershell started agent
> >
> > "$gpgPath\bin\gpg-connect-agent.exe" reloadagent /bye
>
> Why do you do this? The import operation already started the agent. In
> any case to explicitly start the agent please use
>
> gpgconf --launch gpg-agent
>
> > "$gpgPath\bin\gpg-preset-passphrase.exe" -v -c -P "$pgpPassphrase"
>
> You need to add the keygrip to the invocation; from the man page:
>
> gpg-preset-passphrase [options] [command] cacheid
>
> cacheid is either a 40 character keygrip of hexadecimal
> characters identifying the key for which the passphrase should be
> set or cleared. The keygrip is listed along with the key when
> running the command: gpgsm --with-keygrip --list-secret-keys.
> Alternatively an arbitrary string may be used to identify a
> passphrase; it is suggested that such a string is prefixed with
> the name of the application (e.g foo:12346). Scripts should
> always use the option --with-colons, which provides the keygrip
> in a "grp" line (cf. ‘doc/DETAILS’)/
>
> Thus something like
>
> gpg-preset-passphrase -vcP "$pgpPassphrase"
> 00112233445566778898aabvccddeeff
>
> You should also review your architecture and the attack tree: Why use a
> passphrase at all (with its KDF induced delays) if you put it into a
> script. Better remove the passphrase from the key.
>
>
> Salam-Shalom,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>
Re: caching of passphrase is not working in windows , gpg agent version 2.2.23
On Tuesday, 24 November 2020 09:30:18 CET surender singh pawar via Gnupg-users wrote:
> Thanks for quick reply. I did the following command only to put
> passphrase in cache (missed id while writing mail), got id from gpg
> --list-secret-keys
> gpg-preset-passphrase -vcP "$pgpPassphrase" 00112233445566778898aabvccddeeff

Is this id really the keygrip of the key? Or is it probably the key's
fingerprint? You need to add --with-keygrip to make --list-secret-keys show
the keygrip.

Regards,
Ingo
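
The checks discussed in this thread, as an added example (not code from any poster or from GnuPG): it parses `--with-colons --with-keygrip` output, tells a keygrip from a fingerprint, and reads the cached flag from the status line that `gpg-connect-agent "keyinfo <keygrip>" /bye` returns, a command the thread itself does not mention. The function names are hypothetical and all key material in the samples is constructed.

```python
import re

# Constructed sample of `gpg --with-colons --with-keygrip --list-secret-keys`
# output; every key ID, fingerprint and keygrip below is made up.
SAMPLE_LISTING = """\
sec:u:3072:1:1111111111111111:1606000000:::u:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:3072:1:3333333333333333:1606000000::::::e:
fpr:::::::::3333333333333333333333333333333333333333:
grp:::::::::4444444444444444444444444444444444444444:
"""
# Constructed status line in the form gpg-agent's KEYINFO command returns:
# S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> ...
SAMPLE_KEYINFO = "S KEYINFO 2222222222222222222222222222222222222222 D - - 1 P - - -"
FORTY_HEX = re.compile(r"[0-9A-Fa-f]{40}")

def list_keygrips(colon_output):
    """One dict per secret key or subkey: record type, capabilities, fpr, grp."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            keys.append({"type": f[0], "caps": f[11], "fpr": None, "grp": None})
        elif f[0] in ("fpr", "grp") and keys:
            keys[-1][f[0]] = f[9]          # field 10 carries the hex value
    return keys

def check_cacheid(cacheid, keys):
    """Classify the value about to be given to gpg-preset-passphrase."""
    if not FORTY_HEX.fullmatch(cacheid):
        return "not-a-keygrip"   # per the man page an arbitrary id, not a keygrip
    value = cacheid.upper()
    if any(k["grp"] == value for k in keys):
        return "keygrip"
    if any(k["fpr"] == value for k in keys):
        return "fingerprint"     # also 40 hex digits here, but it is not the keygrip
    return "unknown"

def keyinfo_cached(status_line):
    """True if an 'S KEYINFO' line reports the passphrase as cached ('1')."""
    parts = status_line.split()
    return len(parts) > 6 and parts[:2] == ["S", "KEYINFO"] and parts[6] == "1"

if __name__ == "__main__":
    keys = list_keygrips(SAMPLE_LISTING)
    for cid in ("00112233445566778898aabvccddeeff", "1" * 40, "2" * 40):
        print(cid, "->", check_cacheid(cid, keys))
    print("cached:", keyinfo_cached(SAMPLE_KEYINFO))
```

Each subkey has its own keygrip, so the passphrase has to be preset for the keygrip of the key that actually signs.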