Re: [Duplicity-talk] Manifest stores SHA1 hash of files, checked before restore?

[edgar . soldin]

On 14.07.2011 18:57, Chris Poole wrote:
> On Thu, Jul 14, 2011 at 12:43 PM,  <address@hidden> wrote:
>> latest duplicity has the possibility to define env var SIGN_PASSPHRASE and 
>> PASSPHRASE. this way you don't have to input them manually.
> 
> This isn't something I want to do; using gpg-agent is a compromise,
> but I'd still prefer to use it for short periods of time only.
> 
>> there is no code to compare signing vs. encryption key, so they are asked 
>> for separately. I am not sure if the double input to ensure correctness is a 
>> wise decision. i would plead to have it putted in and if it is wrong gpg 
>> will complain later on.
> 
> But when I backup incrementally, why is it wanting my passphrase for
> encryption? It doesn't need to to encrypt to my public key, so it
> should only require it for signing.

it needs to decrypt the remote manifest. please read the mailing list 
discussion linked in http://bugs.launchpad.net/duplicity/+bug/687295

> 
> Local and remote caches were synced, so it didn't have to pull
> manifest and signature files from the remote and decrypt them before
> starting the backup.

as above. as far as i recall the sync is determined by information which is in 
encrypted remote manifest.

> 
> When I perform a full backup, I'm only asked for my passphrase twice.
> Still too much, I think, since gpg would throw an error if the
> passphrase didn't allow the first signing to take place, so the
> replication on the user's part shouldn't be required.

that's what i argued. but the opposite also has a point that this way you don't 
have to restart duplicity. see ken's answer 2/3 posts ago.

ede/duply.net