gpg passphrase cached by evolution

Bug #92725 reported by Robert Collins
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Evolution | Unknown | Medium | | |
| evolution (Ubuntu) | Invalid | Wishlist | Ubuntu Desktop Bugs | |

Bug Description

Evolution caches my gpg passphrase (because I ask it to), but this makes
sending in backtraces for evolution impossible, because I can't be sure
it's not in the core dump.

Evolution really should use gnome-gpg instead and thus never have access
to my gpg keyring.

 affects /ubuntu/evolution
--
GPG key available at: <http://www.robertcollins.net/keys.txt>.
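
The core-dump concern in the report above, as an added example that is not part of the original report and is not Evolution's or GnuPG's code: on Linux, a process that has to hold a passphrase can keep it in its own mapping marked `MADV_DONTDUMP`, so a core dump remains usable for a backtrace while that page is left out. The names `secret_region`, `secret_alloc` and `secret_free` are hypothetical, and the passphrase string is constructed sample data.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper type: one page-aligned mapping holding a secret. */
typedef struct { char *buf; size_t len; } secret_region;

/* Map anonymous memory for a secret and ask the kernel to leave it
 * out of core dumps (MADV_DONTDUMP, Linux 3.4 and later). */
int secret_alloc(secret_region *r, size_t want) {
    long page = sysconf(_SC_PAGESIZE);
    r->buf = NULL; r->len = 0;
    if (page <= 0 || want == 0 || want > SIZE_MAX - (size_t)page) return -1;
    size_t len = ((want + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    if (madvise(p, len, MADV_DONTDUMP) != 0) {  /* refuse to store undumpable-less */
        munmap(p, len);
        return -1;
    }
    (void)mlock(p, len);  /* best effort: keep out of swap; may hit RLIMIT_MEMLOCK */
    r->buf = p; r->len = len;
    return 0;
}

/* Wipe through a volatile pointer so the stores are not optimised away, then unmap. */
void secret_free(secret_region *r) {
    if (!r->buf) return;
    volatile char *p = r->buf;
    for (size_t i = 0; i < r->len; i++) p[i] = 0;
    munmap(r->buf, r->len);
    r->buf = NULL; r->len = 0;
}

int main(void) {
    secret_region r;
    if (secret_alloc(&r, 128) != 0) return 1;
    strcpy(r.buf, "constructed-example-passphrase");  /* constructed sample value */
    /* ... use the secret; a crash here dumps core without this mapping ... */
    secret_free(&r);
    return 0;
}
```

Only the marked mapping is excluded: any copy of the passphrase left in a text-entry widget, on the stack or in another heap buffer still ends up in the dump.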

Sebastien Bacher (seb128) wrote :

Thanks for your bug report. This bug has been reported to the developers of the software. You can track it and make comments here: http://bugzilla.gnome.org/show_bug.cgi?id=419901

Changed in evolution:
assignee: nobody → desktop-bugs
importance: Undecided → Wishlist
status: Unconfirmed → Confirmed
Changed in evolution:
status: Unknown → Unconfirmed
C de-Avillez (hggdh2) wrote :

@Robert: could you please state Evolution's and Evolution-Data-Server's versions?

I had a look at evo 2.11.4 (Gutsy), and it is using gnome-keyring to maintain the GPG passphrases.

Robert Collins (lifeless) wrote : Re: [Bug 92725] Re: gpg passphrase cached by evolution

On Tue, 2007-07-10 at 13:48 +0000, hggdh wrote:
> @Robert: could you please state Evolution's and Evolution-Data-Server's
> versions?
>
> I had a look at evo 2.11.4 (Gutsy), and it is using gnome-keyring to
> maintain the GPG passphrases.

Feisty does not use gnome-keyring, so it sounds like this will be fixed
in the next Ubuntu release.

-Rob

--
GPG key available at: <http://www.robertcollins.net/keys.txt>.

C de-Avillez (hggdh2) wrote :

I am now confused, which is, I am afraid, my normal state.

I looked at the e-d-s-1.11.4 & 1.11.5, and both are built with WITH_GNOME_KEYRING undefined -- ergo, no g-kr integration.

On g-kr integration: we build e-d-s with a Debian patch that disables it. The Debian issue seems to have arisen from the fact that there was integration with Gnome, but not with KDE, so Debian disabled it. From the changelog:

evolution-data-server (1.8.1-2) experimental; urgency=low
(...)
  * For now, do not use gnome-keyring. [debian/rules] (closes: #392061)

And we build our version of it with the Debian patches (at least this one). Nevertheless, I can see g-kr being driven. I wonder... this may have to do with seahorse-agent, in my case.

Rob, are you running KDE or Gnome?

Robert Collins (lifeless) wrote :

> Rob, are you running KDE or Gnome?

I'm running feisty Ubuntu - Gnome.

I am not claiming that this is fixed in gutsy; just that it *sounded*
like it would be fixed :).

-Rob
--
GPG key available at: <http://www.robertcollins.net/keys.txt>.

C de-Avillez (hggdh2) wrote :

Neither am I, neither am I... but it does look like -- at least on Gutsy -- integration between Evolution and GPG is being performed by seahorse, and this problem does not surface.

That is, as long as you do deploy seahorse.

Anyway, I am unsure the same would happen on KDE -- do not remember my KDE days :-( -- so I am keeping this open.

Sam Morris (yrro) wrote :

I think this should be kept open until passphrase caching is removed from Evolution entirely.

Changed in evolution:
status: New → Invalid
C de-Avillez (hggdh2) wrote :

@Sam Morris: upstream has already stated that Evo GPG passphrase dialog will be kept for backward compatibility. On my laptop, running Hardy, GPG passphrase caching is done by seahorse or gpg-agent, so there is no Evo passphrase caching. Before closing this bug I would like to know why you think we should keep it open.

A question remaining is why we still need GNUPG V1, but this is not for this bug.

Sam Morris (yrro) wrote :

Upstream seems content to keep Evolution doing passphrase caching for now.

However, once e-d-s is modified to use gpg2, it will no longer be able to do so. This is because gpg2 will *only* request passphrases via the gpg-agent; there is no longer any facility to input a passphrase directly into gpg2.

Aside from that though: I think the bug is still valid. Evolution should not handle sensitive information like passphrases itself: it is a large and complex piece of software. It is better to farm out handling of a user's passphrase to the gpg agent.

Jeffrey Flaker (jflaker) wrote :

Evolution is still caching gpg key.

I am using Evolution 2.26.1.

Shouldn't this be elevated to a security issue and get a higher priority? If my mail is up and someone clicks on an encrypted message, it can be read without further interaction if I have already typed my passphrase.

Robert Collins (lifeless) wrote :

It's a wishlist in Ubuntu; I agree that this has security implications - it's why I filed it ;). If you're interested in fixing it I suggest starting with the upstream bug.

Changed in evolution:
importance: Unknown → Medium
status: Invalid → Unknown
Jörg Frings-Fürst (jff-de) wrote :

Bug from 2007. Version no longer supported.
Change status to Invalid (see gnome-bugs)

Changed in evolution (Ubuntu):
status: Confirmed → Invalid