guix-science

Re: Help! I messed up guix-past


From: Ludovic Courtès
Subject: Re: Help! I messed up guix-past
Date: Mon, 12 Sep 2022 17:26:14 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux)

Hi,

Konrad Hinsen <konrad.hinsen@fastmail.net> skribis:

> In my case, $PATH has my Guix profile first, and I always run the gpg
> from my Guix profile. But it picks up the gpg-agent from Ubuntu, which
> lives at /usr/bin/gpg-agent.

OK.

> It may well be possible to fix this issue (for example, patch gnupg such
> that it launches the agent via the full path to the store), but for me
> there is also a loss-of-confidence issue. If a messed-up software
> installation grants password-less access to my keys, then my keys
> effectively have no password protection any more. Attackers only need to
> install two different gpg versions to have access to my keys. That's why
> I want to get rid of gpg, rather than fix it superficially.

Maybe there’s a misunderstanding because AFAIK, what you describe is not
possible.  Passphrase-protected keys are effectively encrypted, using
symmetric encryption:

  https://github.com/gpg/gnupg/blob/master/agent/keyformat.txt#protected-private-key-format

You can see them in ~/.gnupg/private-keys-v1.d/.

Such keys cannot be accessed without knowing the passphrase, no matter
what software you use.

Thanks,
Ludo’.
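To make the point above concrete, here is an added example (not part of this thread and not GnuPG's own code) that inspects the files in ~/.gnupg/private-keys-v1.d/ and reports whether each key is stored as a `protected-private-key`, i.e. with its secret parameters encrypted under a passphrase-derived symmetric key, or as a bare `private-key`. It parses the canonical S-expression form that agent/keyformat.txt documents; the `(protected <mode> ...)` sub-list and the `<keygrip>.key` file naming come from that document. Two assumptions are labelled in the code: the key blobs at the bottom are constructed samples with filler bytes rather than real key material, and files in GnuPG's newer "extended" text format are reported as unhandled rather than parsed.

```python
"""Check whether GnuPG private-key files are passphrase-protected.

Added example for this thread, not GnuPG's code.  It parses the canonical
S-expression form documented in gnupg's agent/keyformat.txt and reports,
for each key file, whether it is a `protected-private-key` (secret
parameters encrypted under a passphrase-derived key) or a bare
`private-key`.  The key blobs at the bottom are constructed samples.
"""
import os
from pathlib import Path


def parse_csexp(data: bytes, pos: int = 0):
    """Parse one canonical S-expression starting at `pos`.

    Returns (value, next_pos).  Atoms come back as bytes, lists as Python
    lists.  Canonical form: atoms are `<decimal length>:<raw bytes>`, lists
    are wrapped in parentheses, no whitespace.
    """
    if data[pos:pos + 1] == b"(":
        pos += 1
        items = []
        while data[pos:pos + 1] != b")":
            if pos >= len(data):
                raise ValueError("unterminated list")
            item, pos = parse_csexp(data, pos)
            items.append(item)
        return items, pos + 1
    colon = data.index(b":", pos)
    length = int(data[pos:colon])
    start, end = colon + 1, colon + 1 + length
    if end > len(data):
        raise ValueError("truncated atom")
    return data[start:end], end


def csexp(value) -> bytes:
    """Serialise bytes / nested lists into canonical S-expression form."""
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    return b"(" + b"".join(csexp(v) for v in value) + b")"


def key_protection(data: bytes) -> dict:
    """Classify one private-keys-v1.d file.

    Returns {"protected": bool, "method": str | None}.  `method` is the
    protection mode named in the `(protected mode ...)` sub-list, for
    example `openpgp-s2k3-sha1-aes-cbc`.
    """
    if not data.startswith(b"("):
        # Assumption: newer GnuPG may write an "extended" text format
        # (`Key: ...` lines); this example only handles the canonical form.
        raise ValueError("not a canonical S-expression; extended format not handled")
    sexp, _ = parse_csexp(data)
    kind = sexp[0]
    if kind == b"private-key":
        return {"protected": False, "method": None}
    if kind != b"protected-private-key":
        raise ValueError("unexpected top-level tag %r" % kind)
    algo = sexp[1]  # e.g. (rsa (n ...) (e ...) (protected ...) ...)
    for item in algo[1:]:
        if isinstance(item, list) and item and item[0] == b"protected":
            return {"protected": True, "method": item[1].decode("ascii")}
    return {"protected": True, "method": "unknown"}


def scan_keystore(directory) -> dict:
    """Map each <keygrip>.key file in `directory` to its classification."""
    results = {}
    for path in sorted(Path(directory).glob("*.key")):
        try:
            results[path.name] = key_protection(path.read_bytes())
        except ValueError as exc:
            results[path.name] = {"protected": None, "method": str(exc)}
    return results


# Constructed samples: filler bytes, not real key material.
SAMPLE_PROTECTED = csexp([
    b"protected-private-key",
    [b"rsa",
     [b"n", b"\x00\xc0" + b"\x11" * 30],
     [b"e", b"\x01\x00\x01"],
     [b"protected", b"openpgp-s2k3-sha1-aes-cbc",
      [[b"sha1", b"saltsalt", b"65536"], b"0123456789abcdef"],
      b"\xaa" * 48],
     [b"protected-at", b"20220912T152614"]],
    [b"comment", b"constructed sample"],
])

SAMPLE_UNPROTECTED = csexp([
    b"private-key",
    [b"rsa",
     [b"n", b"\x00\xc0" + b"\x11" * 30],
     [b"e", b"\x01\x00\x01"],
     [b"d", b"\x22" * 32]],
])


if __name__ == "__main__":
    # Scan the real keystore if present; otherwise show the constructed samples.
    home = Path(os.environ.get("GNUPGHOME", Path.home() / ".gnupg"))
    store = home / "private-keys-v1.d"
    if store.is_dir():
        for name, info in scan_keystore(store).items():
            print(name, info)
    else:
        print("sample protected  :", key_protection(SAMPLE_PROTECTED))
        print("sample unprotected:", key_protection(SAMPLE_UNPROTECTED))
```

Running this against a real keystore shows which files would be of any use to someone who copied them without the passphrase: a `protected-private-key` entry carries only ciphertext for its secret parameters, which is what makes the choice of gpg-agent binary irrelevant to the confidentiality of the key at rest.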


