guix-science
Re: Help! I messed up guix-past


From: Konrad Hinsen
Subject: Re: Help! I messed up guix-past
Date: Tue, 13 Sep 2022 10:58:26 +0200

Hi Ludo,

> Such keys cannot be accessed without knowing the passphrase, no matter
> what software you use.

I agree in theory, but practice disagrees. The only other explanation I
can see is that GnuPG has stored my password somewhere in the file
system without me knowing about it. That isn't a reassuring explanation
either.

Demo:

  $ gpg --list-keys konrad.hinsen@cnrs.fr
  pub   rsa4096 2018-06-11 [SC]
        076A1D7B1EF77E068D2AC07CEC17F85277D7932C
  uid           [ultimate] Konrad Hinsen (http://khinsen.net/) <konrad.hinsen@cnrs.fr>
  sub   rsa4096 2018-06-11 [E]

The "protection mode" of this key is openpgp-s2k3-sha1-aes-cbc (I looked
it up in the key file, following the documentation you pointed to).

  $ echo 1 2 3 | gpg -r konrad.hinsen@cnrs.fr --encrypt --armor > counting.gpg
  $ gpg --decrypt counting.gpg 
  gpg: WARNING: server 'gpg-agent' is older than us (2.2.19 < 2.2.32)
  gpg: Note: Outdated servers may lack important security fixes.
  gpg: Note: Use the command "gpgconf --kill all" to restart them.
  gpg: encrypted with 4096-bit RSA key, ID 8A9433D79D772795, created 2018-06-11
        "Konrad Hinsen (http://khinsen.net/) <konrad.hinsen@cnrs.fr>"
  1 2 3

I haven't typed in the key's password for a few months. The last time I
did was before the update of GnuPG that broke everything for me. I have
rebooted the machine many times since then.

The same operation on a Debian server with no pinentry available (but
the same keyring) yields:

  $ gpg --decrypt counting.gpg 
  gpg: encrypted with 4096-bit RSA key, ID 8A9433D79D772795, created 2018-06-11
        "Konrad Hinsen (http://khinsen.net/) <konrad.hinsen@cnrs.fr>"
  gpg: public key decryption failed: No pinentry
  gpg: decryption failed: No secret key

which is what I would expect. And with a properly configured pinentry
program, it asks for the password.

Cheers,
  Konrad
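
The key-file lookup mentioned in the message above, as an added example that is not part of the original post: a small parser that reports the protection mode recorded in a gpg-agent private key file. It assumes the canonical S-expression layout described in GnuPG's agent/keyformat.txt (not the newer name-value "extended" format); the helper names and the sample key bytes are constructed for illustration.

```python
# Added example: report how a gpg-agent private key file is protected.
# Assumes the canonical S-expression layout from GnuPG's
# agent/keyformat.txt; all sample key material below is constructed.

def parse_csexp(data, pos=0):
    """Parse one canonical S-expression, return (value, next_pos)."""
    if data[pos:pos + 1] == b"(":
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b")":
            item, pos = parse_csexp(data, pos)
            items.append(item)
        return items, pos + 1
    colon = data.index(b":", pos)          # atoms are "<len>:<bytes>"
    end = colon + 1 + int(data[pos:colon])
    if end > len(data):
        raise ValueError("truncated atom")
    return data[colon + 1:end], end

def protection_mode(key_bytes):
    """Return the protection mode string, or None for a cleartext key."""
    sexp, _ = parse_csexp(key_bytes)
    if sexp[0] == b"private-key":
        return None                        # secret parameters stored in clear
    if sexp[0] != b"protected-private-key":
        raise ValueError("not a canonical private key file")
    for field in sexp[1][1:]:              # sexp[1] is e.g. (rsa (n ..) (e ..) ..)
        if isinstance(field, list) and field[0] == b"protected":
            return field[1].decode("ascii")
    raise ValueError("protected key without a 'protected' list")

def to_csexp(value):
    """Serialize nested lists of bytes (used only to build the samples)."""
    if isinstance(value, list):
        return b"(" + b"".join(to_csexp(v) for v in value) + b")"
    return str(len(value)).encode() + b":" + value

# Constructed samples: tiny fake parameters, not real key material.
PROTECTED = to_csexp([b"protected-private-key", [b"rsa",
    [b"n", b"\x00\xc1"], [b"e", b"\x01\x00\x01"],
    [b"protected", b"openpgp-s2k3-sha1-aes-cbc",
     [[b"sha1", b"saltsalt", b"12345678"], b"0123456789abcdef"],
     b"(encrypted)"]]])
CLEAR = to_csexp([b"private-key", [b"rsa",
    [b"n", b"\x00\xc1"], [b"e", b"\x01\x00\x01"], [b"d", b"\x2a"]]])

if __name__ == "__main__":
    print(protection_mode(PROTECTED))
    print(protection_mode(CLEAR))
```

A result of `None` means the file holds the secret parameters unencrypted, so no passphrase is needed to use the key; any mode string means the on-disk copy is encrypted.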


