Werner Koch dixit:

>Since the release of 2.1 the only valid use case for 1.4 are some
>non-POSIX systems (VMS), very old Unix systems, and for those users who
>still need to use their old (insecure) PGP-2 keys.
… and scripts, for example, we have a key generation script (a wrapper around --gen-key with certain options, which automatically fills in stuff from LDAP) at work. Oh, and some remote operations on servers.

[ on to version 2 ]

>Assuming that you are not using systemd, I would strongly suggest not to
>start gpg-agent by hand but let gpg et al start it on demand. The only

No, that’s **extremely** undesirable.

The “current” way is: when I log in, Debian’s X session magic starts gpg-agent automatically. For some tools that need it, I also put…

GPG_AGENT_INFO=~/.gnupg/S.gpg-agent:0:1

… into the environment. That’s my :0 session.

Then I have a :2 session which is a VNC server. It’s started manually from an xterm in the :0 session, so it inherits the agents.

I also have a script in /etc/profile.d/ which picks up both agents when I log into the box via SSH.

gpg-agent is configured to use pinentry-kwallet, which reads the PGP password from the KDE wallet.

This means I only have to log in once after I boot up the machine, and can then use the same agents no matter how I later log in (either unlock the screen, jump onto the box via ssh, or use vncviewer). This is important to have a non-sucking workflow. (It took me some, long, time until gpg2 and pinentry stopped asking on either the wrong terminal or the wrong X display, which basically made remote signing unusable when I had not yet solved it with my current solution.)

Funnily enough, this all works well with gnupg. I only need gpg2 for S/MIME in Kontact/KDEPIM.
Also, compare (especially the warnings!):

tglase@tglase:~ $ gpg2 -K
gpg: keyserver option 'verbose' is unknown
gpg: keyserver option 'verbose' is unknown
gpg: WARNING: server 'gpg-agent' is older than us (2.1.11 < 2.1.14)
/home/tglase/.gnupg/pubring.gpg
-------------------------------
sec   rsa4096 2009-01-05 [SCEA] [expires: 2018-01-13]
      BCB19DAB35033640AE347A718950C1895EB8D3B3
uid           [ultimate] Thorsten Glaser (tarent GmbH) <…>
uid           [ultimate] Thorsten Glaser (Jabber) <…>
uid           [ultimate] Thorsten Glaser (tarent GmbH) <…>
…

… versus…

tglase@tglase:~ $ gpg -K
/home/tglase/.gnupg/secring.gpg
-------------------------------
sec   3072R/272AD62F 2009-10-21 [expires: 2016-09-29]
uid                  Thorsten Glaser (tarent GmbH • Nur zu Testzwecken) <…>
uid                  testname (d) <…>
uid                  SiMKo 2 <…>
sec   2048R/EB839C67 2009-10-23
uid                  Thorsten Glaser (Testkey • tarent GmbH) <…>
sec   1024R/D1D8EFD2 2014-08-18
uid                  Test for Mozilla bug#1054187
sec   3072R/BD26DDA7 2015-06-11
uid                  TestMIT Glaser (tarent solutions GmbH) <…>
sec   4096R/5EB8D3B3 2009-01-05 [expires: 2013-01-04]
uid                  Thorsten Glaser (tarent GmbH) <…>

bye,
//mirabilos (extremely-long-time pgp2.6.3in user)
-- 
18:47⎜<mirabilos:#!/bin/mksh> well channels… you see, I see everything in the same window anyway
18:48⎜<xpt:#!/bin/mksh> i know, you have some kind of telnet with automatic pong
18:48⎜<mirabilos:#!/bin/mksh> haha, yes :D
18:49⎜<mirabilos:#!/bin/mksh> though that's more tinyirc – sirc is more comfy
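An added example, not code from the mail above or from GnuPG, in the spirit of the /etc/profile.d/ script the poster describes: a POSIX sh snippet that lets a fresh SSH login re-use the gpg-agent (and ssh-agent) the X session already started, checking that the agent behind the socket is actually alive before exporting anything. It assumes the GnuPG 2.0-style GPG_AGENT_INFO convention "socket:pid:1" quoted in the mail and a constructed file $HOME/.ssh/agent.sock-path holding the ssh-agent socket path (neither tool writes that file by itself).

```shell
# Added example (not from the original mail or GnuPG). Assumed conventions:
#   GPG_AGENT_INFO = "<socket path>:<pid>:1"        (GnuPG 2.0 style, as in the mail)
#   $HOME/.ssh/agent.sock-path = path of the ssh-agent socket (constructed convention)

# Print the socket path from a GPG_AGENT_INFO value, or fail when the value is
# malformed or does not announce protocol version 1.
gpg_agent_info_socket() {
    info=$1
    case $info in
        *:*:1) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${info%%:*}"
}

# Succeed only if the socket exists and a live agent answers on it. A stale socket
# left over from a previous boot must not be exported. --raw-socket makes
# gpg-connect-agent talk to exactly this socket instead of locating an agent itself.
gpg_agent_alive() {
    sock=$1
    [ -S "$sock" ] || return 1
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        gpg-connect-agent --raw-socket "$sock" /bye >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Export GPG_AGENT_INFO and SSH_AUTH_SOCK for this login when the agents are
# reachable; returns 0 if at least one agent was picked up, 1 otherwise.
pickup_agents() {
    home=${1:-$HOME}
    found=1
    gpg_sock="$home/.gnupg/S.gpg-agent"
    if gpg_agent_alive "$gpg_sock"; then
        GPG_AGENT_INFO="$gpg_sock:0:1"; export GPG_AGENT_INFO
        echo "gpg-agent: reusing $gpg_sock"
        found=0
    else
        echo "gpg-agent: no live agent at $gpg_sock, leaving GPG_AGENT_INFO alone"
    fi
    ssh_sock_file="$home/.ssh/agent.sock-path"
    if [ -r "$ssh_sock_file" ] && read -r ssh_sock < "$ssh_sock_file" && [ -S "$ssh_sock" ]; then
        SSH_AUTH_SOCK=$ssh_sock; export SSH_AUTH_SOCK
        echo "ssh-agent: reusing $ssh_sock"
        found=0
    fi
    return $found
}
```

Sourced from a profile script, `pickup_agents` is a no-op on a box where no agent is running, so a login never inherits a dead socket.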