git-remote-gcrypt not working with qubes-gpg-client-wrapper (-q and --gen-rand not supported) #3445
andrewdavidwong added the "C: other" and "enhancement" labels, Jan 5, 2018
andrewdavidwong added this to the Release 3.2 updates milestone, Jan 5, 2018
whohoho
Jan 13, 2018
another one:
gpg --no-tty --batch --force-mdc --compress-algo none --trust-model=always --passphrase-fd 3 -c
gpg --no-tty --compress-algo none --trust-model=always -se --throw-keyids --default-recipient-self
marmarek
Jan 13, 2018
Member
On Sat, Jan 13, 2018 at 01:11:15AM +0000, whohoho wrote:
> gpg --no-tty --batch --force-mdc --compress-algo none --trust-model=always --passphrase-fd 3 -c
Is this configurable to not use --passphrase-fd? --passphrase-fd does
not make sense in split gpg trust model - client VM should not know any
secret.
…--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
whohoho
Jan 13, 2018
In that command symmetric encryption with a passphrase is used, so it does not actually have to go to the gpg vm.
I am working on a patch now to have the local gpg do those things.
marmarek
Jan 13, 2018
Member
Ah, indeed there is -c. Currently options whitelist is not context aware, so it isn't possible to whitelist options for specific mode only. And better keep it this way for simplicity.
Handling it locally indeed may be a good idea, should be doable in gpg-client-wrapper script, or yet another wrapper.
whohoho
Jan 13, 2018
This is what I have now:
https://github.com/whohoho/qubes-app-linux-split-gpg/blob/master/gpg-client-wrapper
whohoho commented Jan 4, 2018 (edited)
Qubes OS version: R3.2
Steps to reproduce the behavior:
sudo apt-get install git-remote-gcrypt
git config --add gpg.program /usr/bin/qubes-gpg-client-wrapper
git remote add crypted gcrypt::[remote-url]
git pull crypted master
Relevant errors:
/usr/bin/qubes-gpg-client-wrapper --no-tty --armor --gen-rand 1 9
qubes-gpg-client: unrecognized option '--gen-rand'
/usr/bin/qubes-gpg-client-wrapper --no-tty --status-fd 3 -q -d
qubes-gpg-client: invalid option -- 'q'
more errors after fixing prev. ones in git-remote-gcrypt
/usr/bin/qubes-gpg-client-wrapper --no-tty --with-colons --print-md SHA256
qubes-gpg-client: unrecognized option '--print-md'
/usr/bin/qubes-gpg-client-wrapper --no-tty --batch --no-default-keyring --secret-keyring /dev/null --keyring /dev/null --passphrase-fd 3 -d
qubes-gpg-client: unrecognized option '--no-default-keyring'
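
A sketch of the "handle it locally" idea from the comments, applied to the failing commands listed in this issue. It is an added example, not the Qubes wrapper and not the patch linked above. The function names, the local gpg path, and the rule that a call carrying --passphrase-fd is passphrase-based (symmetric) are assumptions.

```shell
#!/bin/sh
# Added example, not the Qubes wrapper: route a gpg argument vector either
# to the local gpg binary or to the split-gpg client.
# Assumption: a call that carries --passphrase-fd is passphrase-based
# (symmetric), so it never needs a key held in the gpg VM.

LOCAL_GPG=/usr/bin/gpg                         # assumed path
SPLIT_GPG=/usr/bin/qubes-gpg-client-wrapper    # path used in the issue

# Prints "local" or "split" for the given gpg arguments.
# Short options with an attached value (e.g. -ofile) are not parsed.
classify_gpg_call() {
    keyless=no     # operation that uses no private key
    signing=no     # operation that uses a private key
    for arg in "$@"; do
        case "$arg" in
            --gen-rand|--print-md|--symmetric) keyless=yes ;;
            --passphrase-fd|--passphrase-fd=*) keyless=yes ;;
            --sign|--clearsign|--detach-sign)  signing=yes ;;
            --*) ;;                  # any other long option: no effect
            -[!-]*)                  # short cluster such as -c or -se
                case "$arg" in *[sb]*) signing=yes ;; esac
                case "$arg" in *c*)    keyless=yes ;; esac ;;
        esac
    done
    # Anything that signs goes to the gpg VM, even if -c is also present.
    # Calls matching neither rule (plain -d, -e, key listing) also go there.
    if [ "$signing" = no ] && [ "$keyless" = yes ]; then
        echo local
    else
        echo split
    fi
}

# Dispatcher a wrapper script would end with (defined, not called here).
run_gpg() {
    if [ "$(classify_gpg_call "$@")" = local ]; then
        exec "$LOCAL_GPG" "$@"
    else
        exec "$SPLIT_GPG" "$@"
    fi
}
```

The default is "split", so an unrecognized call still goes through the existing option whitelist instead of reaching the local gpg.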