Bug 188627 - app-crypt/gnupg-{1.4.7-r1, 1.9.21} gpg-agent ignores passphrase during decryption
Summary: app-crypt/gnupg-{1.4.7-r1, 1.9.21} gpg-agent ignores passphrase during decryp...
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High normal
Assignee: Crypto team [DISABLED]
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2007-08-12 18:51 UTC by Philip Kovacs
Modified: 2007-08-18 09:05 UTC
See Also:
Package list:
Runtime testing required: ---
Description Philip Kovacs 2007-08-12 18:51:46 UTC
I am not sure if this is a bug or a feature, or if the problem lies with keychain or gpg-agent, so please advise.  I have both gnupg-1.4.7-r1 and -1.9.21 installed.  keychain-2.6.6 and pinentry-0.7.2-r3.

Let me explain the issue with an example.

Suppose you create a gpg key as prescribed using the gentoo handbook: http://www.gentoo.org/doc/en/gnupg-user.xml.  Say the key looks like this:

pub   1024D/AAAAAAAA 2007-08-11
uid                  John Doe <doe@null.org>
sub   2048g/BBBBBBBB 2007-08-11

where AAAAAAAA is the main key id and BBBBBBBB is the ELG encryption subkey.

You add AAAAAAAA to keychain normally.  Assuming no gpg-agent is running, you login and keychain kicks off pinentry for key AAAAAAAA.  You enter the passphrase.

Now do this:

cd /tmp
echo hello > file
gpg --encrypt file
(Press return for the John Doe recipient.)

Now, when I decrypt the file:

gpg --decrypt file.asc

gpg-agent kicks off pinentry for the passphrase to the BBBBBBBB subkey so it can decrypt the file encoded with the John Doe public key.

That second request for the BBBBBBBB subkey passphrase is the problem.  Why doesn't gpg-agent use the main key's passphrase for the subkey?  I tried adding both AAAAAAAA and BBBBBBBB to keychain, but you only get prompted for one passphrase -- it seems to know the two keys belong together.

Since there is no separate passphrase for the BBBBBBBB encryption subkey, I should not be prompted to enter that passphrase a second time.

(I have my cache values set way high, so there's no caching expiration issue).

Is this a bug or a feature?
Reproducible: Always
Comment 1 Philip Kovacs 2007-08-12 18:58:31 UTC
My gpg.conf (of course) has use-agent in it.
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2007-08-18 09:05:34 UTC
Tried with gnupg-2.0.6, got the same result.
I think you forgot to mention you are also signing the message...

In future, please try to separate the keychain and gnupg...

Steps to reproduce:
$ gpg-agent --daemon bash
$ gpg --encrypt --sign --default-key CC629C68 --encrypt-to test9@test9 > x1
$ gpg --decrypt < x1

You get prompted twice for the passphrase, once for the signature (primary key) and once for the decryption (subkey), although they seem to have a common passphrase.

I suggest you should discuss this at upstream mailing list, as it seems by design...
"GnuPG Users" <gnupg-users@gnupg.org>

I am sorry I cannot help you with this one.
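The behaviour in the steps above follows from gpg-agent caching passphrases per key (keygrip) rather than per passphrase string, so the primary key and the encryption subkey are separate cache entries. The script below is an added check, not part of the bug report or of GnuPG; it assumes GnuPG 2.1 or later, where gpg-agent answers `KEYINFO --list` over gpg-connect-agent (the 1.4.x/1.9.x versions in the report predate that interface), and the keygrips in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes GnuPG >= 2.1, whose
# gpg-agent reports per-keygrip cache state via "KEYINFO --list".
#
# gpg-agent caches passphrases per keygrip, so a primary key and its
# encryption subkey are separate cache entries even when they share a
# passphrase; after signing, the subkey's entry can still be empty.

# Parse KEYINFO status lines on stdin, print "<keygrip> cached|not-cached".
# Layout: S KEYINFO <grip> <type> <serialno> <idstr> <cached> <prot> ...
# where <cached> is "1" when a passphrase for that grip is in the cache.
cache_status() {
    while read -r s kw grip type serial idstr cached rest; do
        [ "$s" = "S" ] && [ "$kw" = "KEYINFO" ] || continue
        if [ "$cached" = "1" ]; then
            printf '%s cached\n' "$grip"
        else
            printf '%s not-cached\n' "$grip"
        fi
    done
}

# Number of grips currently cached (grep -c exits 1 on zero matches).
count_cached() {
    cache_status | grep -c ' cached$' || true
}

# Constructed sample (placeholder grips): primary key cached after a
# signature, encryption subkey not yet cached, as in the report.
SAMPLE='S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - - P - - -
OK'

# Query a running agent when the tool exists (never autostart one);
# otherwise fall back to the constructed sample so the script runs offline.
live_or_sample() {
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        gpg-connect-agent --no-autostart 'KEYINFO --list' /bye 2>/dev/null
    else
        printf '%s\n' "$SAMPLE"
    fi
}

live_or_sample | cache_status
```

Run it right after `gpg --sign` and again after `gpg --decrypt`: the subkey's grip flips from `not-cached` to `cached` only after the second prompt, which is what the two prompts in the steps above reflect.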