Thunderbird/Enigmail: How can I make gpg-agent absent-minded?
I've recently set up Thunderbird with Enigmail on my Xubuntu box. Enigmail was automatically configured to use gpg-agent for passphrase handling. I've imported my public and private pgp keys into gpg, and I've successfully set up IMAP on Thunderbird. Now whenever I receive an encrypted email I can decrypt it by clicking on it - this is where thunderbird/enigmail/gpg-agent prompts for the private key passphrase.
Once I enter it I can decrypt the mail normally. The thing is that I only have to enter the passphrase once per session. Every other email will be decrypted automatically. The only problem is that the gpg-agent is ever-knowing. It doesn't seem to forget the authentication no matter how long I keep the PC running (even with thunderbird closed). This kind of bugs me because I'd like the system to forget the authentication after 5 minutes since the pgp private key was last needed. Is there a way to do this for my setup? I've read some docs about having to specify some settings for gpg-agent. I created a file named gpg-agent.conf in my ~/.gnupg/ folder and put these settings inside. They don't seem to have an effect though:
Do you have the OpenPGP menu option in Thunderbird? There is a "Preferences" option in the menu. On the "Basic" tab, you can set the passphrase idle timeout value. I have mine set to 30 minutes, but you can set it to 5 minutes or 1 minute, whatever you like.
The option is there and is set to 5 minutes. But when I click the OK button, I get the following warning:
I don't use gpg-agent, so I don't know much about it. Did you send the gpg-agent daemon a SIGHUP after you added the default and max cache TTL options?
From the man page:
use-agent is already present and I didn't send any SIGHUPs. Instead I rebooted the machine.
So...?
I see a "never ask for passphrase" over here on the same Preferences dialog... YMMV. Enigmail 1.1.2 on Tbird 3.1.9
Why someone would have a pgp key that was not protected by a passphrase eludes me.
Are you also using keychain? It has the ability to also start gpg-agent.
I have a default Xubuntu installation, and I've only just started using gpg. There are a bunch of public keys in the database and my private key. I don't use keychain.
I'd really like to know why gpg-agent refuses to obey the settings in that config file.
The reason I mentioned keychain is because it can also start gpg-agent, and that might cause conflicts with the one you are starting via your ~/.gnupg/gpg.conf. You said you aren't using keychain, so that's good, but you should check to see that only one copy of gpg-agent is running. If there is more than one (per logged-on user) then you could experience conflicts due to different cache ttl being specified.
Verify you only have one gpg-agent running. Code:
ps -ef | grep gpg
You should also have a file called ~/.gpg-agent-info with information about the currently running gpg-agent process.
I'm the only user on this computer.
"ps -ef | grep gpg" shows this:
It does appear you are running two gpg-agent daemons. You can see two PIDs in your ps output, both with the same parent PID. The first one lists both ssh-agent and gpg-agent. Your GPG_AGENT_INFO is pointing to a directory in /tmp created by the second PID, 2263. Whatever was put there by process number 2262 has been overwritten.
Check all the usual places for starting stuff at login time, like .xsession, .profile, .bashrc, and see if you can find the duplicate start. I believe you'll need to eliminate one or the other of them. By the way, putting config files or the output from commands in CODE tags makes it a bit more readable than using QUOTE because CODE preserves formatting (e.g., white space).
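An added helper script, not posted by anyone in this thread, that does the two checks discussed above: it counts gpg-agent processes per user in ps output (here a constructed sample modelled on the two-PID situation described), extracts the agent PID from a GPG_AGENT_INFO value, and writes the default/max cache TTL options into a gpg-agent.conf so the agent can be told to re-read them with SIGHUP. The ps lines, PID 2263 and the temp directory are sample values, not the poster's real system.

```shell
#!/bin/sh
# Constructed sample of `ps -ef` output (not the poster's real output):
# two gpg-agent daemons with the same parent, plus the grep line itself.
SAMPLE_PS='UID   PID  PPID  C STIME TTY   TIME     CMD
user  2262  2200  0 08:00 ?     00:00:00 ssh-agent gpg-agent --daemon --sh
user  2263  2200  0 08:00 ?     00:00:00 gpg-agent --daemon --sh
user  3141  2200  0 08:01 pts/0 00:00:00 grep gpg'

# Count gpg-agent processes belonging to one user, ignoring the grep line.
# $1 = user name, $2 = text of `ps -ef`. Anything other than 1 is suspicious.
count_gpg_agents() {
    printf '%s\n' "$2" | awk -v u="$1" \
        '$1 == u && $0 ~ /gpg-agent/ && $0 !~ /grep/ { n++ } END { print n + 0 }'
}

# Pull the agent PID out of a GPG_AGENT_INFO value, which has the form
# <socket path>:<pid>:<protocol version>, optionally prefixed by "GPG_AGENT_INFO=".
agent_pid_from_info() {
    printf '%s\n' "$1" | sed 's/^GPG_AGENT_INFO=//' | cut -d: -f2
}

# Write the two cache options into $1/gpg-agent.conf, both in seconds.
# 300 = the 5-minute idle limit the poster wants; max-cache-ttl caps the
# total lifetime regardless of use, so it must not be smaller than default.
write_agent_conf() {
    mkdir -p "$1"
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$2" "$2" > "$1/gpg-agent.conf"
}

# Read one option's value back from $1/gpg-agent.conf ($2 = option name).
conf_value() {
    awk -v k="$2" '$1 == k { print $2 }' "$1/gpg-agent.conf"
}

# Ask a running agent ($1 = pid) to re-read its config file.
reload_agent() {
    kill -HUP "$1"
}

# Typical use on a real box (not run here):
#   count_gpg_agents "$USER" "$(ps -ef)"
#   write_agent_conf "$HOME/.gnupg" 300
#   reload_agent "$(agent_pid_from_info "$(cat ~/.gpg-agent-info)")"
```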
So you think that running the two instances is the problem?
Can I test this by terminating both processes and manually starting just one? I'll also look for the duplicate. EDIT: Funny thing is... when I terminate both of those gpg processes, Thunderbird is still able to decrypt my email w/o asking for password, even if I exit and restart it.
Yes, running multiple instances is potentially problematic. This doc says to avoid it: http://www.gnupg.org/documentation/m...002dAGENT.html
I would suggest killing both agents, then close and reopen Thunderbird and test how Enigmail behaves without gpg-agent running. Set a low idle timeout value in the OpenPGP Preferences and see if it honors it. If so, then start one instance of gpg-agent and check to see if your ttl is honored.
I already killed both agents, and thunderbird was still able to decrypt even after I closed and reopened it. Thunderbird/Enigmail does not seem to honor the local timeout or the "Use gpg-agent for passphrases" checkbox. And for some reason new instances of Thunderbird/Enigmail are still able to decrypt emails even 12 hours after both gpg-agents have been terminated. How the heck are they getting access to the private key? It must be cached somewhere outside gpg-agent.