Lazy decryption for keyfiles #66

smlx · 2021-09-23T13:07:47Z

When performing signing for a given key, gpg will interrogate the
gpg-agent for availability of keygrips of all signing keys, not just
the one that ends up being used for the actual signing.

piv-agent used to pre-emptively decrypted the keyfiles when checking
them against the supplied keygrip. This change causes it to wait until
the actual point of signature before decrypting the keyfiles.

This means that you avoid a pinentry prompt for keyfiles when signing
using a hardware security device.

This change also makes a couple of error handling changes to make
piv-agent more robust when cancelling or failing pinentry prompts.

Closes: #58

When performing signing for a given key, gpg will interrogate the gpg-agent for availability of keygrips of _all_ signing keys, not just the one that ends up being used for the actual signing. piv-agent used to pre-emptively decrypted the keyfiles when checking them against the supplied keygrip. This change causes it to wait until the actual point of signature before decrypting the keyfiles. This means that you avoid a pinentry prompt for keyfiles when signing using a hardware security device. This change also makes a couple of error handling changes to make piv-agent more robust when cancelling or failing pinentry prompts.

smlx added the enhancement New feature or request label Sep 23, 2021

smlx enabled auto-merge September 23, 2021 13:07

smlx merged commit f964f11 into main Sep 23, 2021

smlx deleted the lazy-keyfile-decryption branch September 23, 2021 13:09

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Lazy decryption for keyfiles #66

Lazy decryption for keyfiles #66

smlx commented Sep 23, 2021

Lazy decryption for keyfiles #66

Lazy decryption for keyfiles #66

Conversation

smlx commented Sep 23, 2021