Prompting on concurrent invocations of gpg

John Lane
Hello, I have a scenario where gpg is prompting for a passphrase when I
don't think it should because it is cached in the agent. It seems to be
triggered by concurrent use. Here is an example.

First, create some encrypted data:

$ echo test | gpg --encrypt -o test.gpg -r <email-address>

Then decrypt it a number of times:

$ for n in {1..100}; do gpg --decrypt test.gpg &> /dev/null; done

This may prompt for a passphrase if it isn't cached but, if it does, it
should do so only once. I null the output because it's irrelevant. The
main point here is, this works as expected.

Now do the same, but concurrently:

$ for n in {1..10}; do ( gpg --decrypt test.gpg &> /dev/null;) & done

This will prompt for the passphrase a number of times. The number of
iterations can be small, but it seems to start prompting at 6.

Sometimes, not always and only on this concurrent example, I also see a
memory allocation error (this appears unrelated to the prompting and
happens after running the test a few times):

    gpg: public key decryption failed: Cannot allocate memory

Version information:
    gpg (GnuPG) 2.2.25 libgcrypt 1.8.7
    Linux 5.10.6-arch1-1 #1 SMP PREEMPT Sat, 09 Jan 2021 18:22:35 +0000 x86_64 GNU/Linux

Agent config:

    $ cat ~/.gnupg/gpg-agent.conf
    enable-ssh-support
    default-cache-ttl 900
    max-cache-ttl 3600

Why does this happen, can I do something to disable this behaviour, or
is it a bug?

Thanks


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Prompting on concurrent invocations of gpg

Ingo Klöcker
On Tuesday, 16 March 2021 12:19:17 CET John Lane wrote:
> Hello, I have a scenario where gpg is prompting for a passphrase when I
> don't think it should because it is cached in the agent. It seems to be
> triggered by concurrent use. Here is an example.
[snip]
> $ for n in {1..10}; do ( gpg --decrypt test.gpg &> /dev/null;) & done
>
> This will prompt for the passphrase a number of times. The number of
> iterations can be small, but it seems to start prompting at 6.

Probably the easiest way to avoid this is to seed the cache of gpg-agent with
the needed passphrases before starting the concurrent invocations. See
man gpg-preset-passphrase
for details.

> Sometimes, not always and only on this concurrent example, I also see a
> memory allocation error (this appears unrelated to the prompting and
> happens after running the test a few times):
>
>     gpg: public key decryption failed: Cannot allocate memory

That sounds like a bug.

Regards,
Ingo


Re: Prompting on concurrent invocations of gpg

John Lane

>
> Probably the easiest way to avoid this is to seed the cache of gpg-agent with
> the needed passphrases before starting the concurrent invocations. See
> man gpg-preset-passphrase
> for details.
>

I just tried that to see if it would help. It doesn't make any
difference because the passphrase is already in the cache (ok, if the
password isn't in the cache then it does stop that first request). In
the example I gave it's the same payload being decrypted each time so
there is only one passphrase.


The subsequent unwanted prompts happen even when the passphrase is
already cached. It's like some concurrent calls don't hit the cache.



Re: Prompting on concurrent invocations of gpg

John Lane
In reply to this post by John Lane

On 16/03/2021 11:19, John Lane wrote:
> Hello, I have a scenario where gpg is prompting for a passphrase when I
> don't think it should because it is cached in the agent. It seems to be
> triggered by concurrent use. Here is an example.
>

I've asked someone else to try this and they are seeing similar issues
with unexpected password prompts and out of memory errors. Although
their experience is not as extreme as mine (it doesn't happen as much
for them, but it does happen).

I've updated mine to gpg (GnuPG) 2.2.27 libgcrypt 1.8.7 and retested, I
am still having the problem.

Is there any more information that I can provide?

Is this something I should open a bug report for?

Thanks.


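One way to gather more information on the behaviour reported in this thread, as an added example that is not from any of the posters or from the GnuPG project: it runs the concurrent decrypt from the first message with `--batch --pinentry-mode error`, so a run that would have prompted fails instead, and then tallies the failure messages. `LOGDIR`, `run_concurrent`, `tally_errors` and the script name in the usage comment are names chosen for this example.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread. LOGDIR, run_concurrent and
# tally_errors are names chosen for this example.
LOGDIR=${LOGDIR:-$(mktemp -d)}

# run_concurrent N CMD [ARGS...]
# Start N copies of CMD at once; stderr of copy i goes to $LOGDIR/run.i.err.
# Waits for all of them and prints how many exited non-zero.
run_concurrent() {
    n=$1; shift
    pids="" failed=0 i=1
    rm -f "$LOGDIR"/run.*.err          # drop logs from an earlier run
    while [ "$i" -le "$n" ]; do
        "$@" >/dev/null 2>"$LOGDIR/run.$i.err" &
        pids="$pids $!"
        i=$((i + 1))
    done
    for pid in $pids; do
        wait "$pid" || failed=$((failed + 1))
    done
    echo "$failed"
}

# tally_errors
# Count each distinct "... failed: ..." line across the logs, most frequent
# first, so memory errors and pinentry errors are reported separately.
tally_errors() {
    cat "$LOGDIR"/run.*.err 2>/dev/null | grep 'failed:' | sort | uniq -c | sort -rn
}

# Usage: sh concurrent-decrypt.sh test.gpg [N]
if [ -n "${1:-}" ]; then
    file=$1 count=${2:-10}
    # --pinentry-mode error makes gpg return an error where it would have
    # prompted, so a run that misses the agent's cache is counted as failed.
    failed=$(run_concurrent "$count" gpg --batch --pinentry-mode error --decrypt "$file")
    echo "$failed of $count concurrent decrypts failed (logs: $LOGDIR)"
    tally_errors
fi
```

Run it with the passphrase already cached and with increasing values of N; the per-run logs under `LOGDIR` can be attached to a bug report.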