Thread: gpg-agent in Enigmail/Thunderbird




gpg-agent in Enigmail/Thunderbird
user name
2006-07-25 19:21:30

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I recall some time ago I had a question as to how I can use gpg-agent
in Windows for Thunderbird/Enigmail. Since there is no release of
gpg-agent for Windows (without building it yourself), I had to enter
in my passphrase every time TB started up (I had the pass cache for
9999 minutes).

I figured out that in the Enigmail options, you can have it add a string
of options before the command. If you add --passphrase "#####" it will
bypass the --passphrase-fd 0 that it puts there by default. The only
downside is that the pass is not stored securely.
- --

Zach Himsel <z.himsel[at]gmail.com>
(aka DJ Zeru <djzeru[at]gmail.com>)
======================
() ASCII Ribbon - Against HTML mail
/\ Campaign - & vCard Signatures
======================
OpenPGP Public Key ID: 0xD1093592
http://zach-himsel.is.dreaming.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: =================================================
Comment: Key ID: 0xD1093592 (zach-himsel.is.dreaming.org)
Comment: -------------------------------------------------
Comment: () ASCII Ribbon - against HTML email
Comment: /\ Campaign - & vCard signatures
Comment: =================================================

-----END PGP SIGNATURE-----

gpg-agent in Enigmail/Thunderbird
user name
2006-07-25 19:44:00

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Zach Himsel wrote:
> I recall some time ago I had a question as to how I can use gpg-agent
> in Windows for Thunderbird/Enigmail. Since there is no release of
> gpg-agent for Windows (without building it yourself), I had to enter

Building it yourself... That was a joke, right? Anyone who wishes to build
their Windows binaries on a Windows system is, with the exception of GnuPG 1.4,
out of luck. It's Werner's Debian Linux cross-compile way or the highway.

It would certainly be helpful if the GnuPG/GPG4Win crowd would at least build
the pieces of gpg 1.9 to allow the use of OpenPGP cards for SSH authentication
on Windows systems.

BTW, there is a release of gpg-agent. It's hideously out-of-date.

> in my passphrase every time TB started up (I had the pass cache for
> 9999 minutes).

I use this same configuration. I have to enter my passphrase about once a week.
Having users periodically enter their passphrase helps them to remember it. I
think we already have more than enough unrevoked orphan keys on the servers.

> I figured out that in the Enigmail options, you can have it add a string
> of options before the command. If you add --passphrase "#####" it will
> bypass the --passphrase-fd 0 that it puts there by default. The only
> downside is that the pass is not stored securely.

You'd be better off just setting your key not to have a passphrase. At least
then, you wouldn't be fooling yourself by thinking that your key was the
slightest bit secure against attack.

- --
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5-svn-curl-4197-2006-07-20 (Windows PIII)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the £33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

gpg-agent in Enigmail/Thunderbird
user name
2006-07-25 20:29:24

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

John Clizbe wrote:
> Building it yourself... That was a joke, right? Anyone who wishes to
> build their Windows binaries on a Windows system is, with the
> exception of GnuPG 1.4, out of luck. It's Werner's Debian Linux
> cross-compile way or the highway.

I reluctantly have to concur with this. The dev crew does not seem
especially interested in Win32 as a platform, nor in bughunting for Win32.

That's not to say Win32/GnuPG is bad... just that it's the redheaded
stepchild.

> "Just how do the residents of Haiku, Hawai'i hold conversations?"

I'm writing this from OSCON right now--Andrew van der Stock of the OWASP
Project is about to deliver a speech on securing Web 2.0 applications,
and I suspect it'll be a good one--and I heard from another con
participant that at Damian Conway's talk he mentioned that he once wrote
a Perl module which prefixed random haiku to standard error messages.

(Wow. Do I get the award for run-on sentence?)

Anyway. He was shocked to discover that this throwaway, meant-for-humor
module actually saw use in production systems. When he incredulously
asked why they were using it, the answer was "well, it gets the end
users to actually _read_ the error messages!"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

gpg-agent in Enigmail/Thunderbird
user name
2006-07-25 19:57:55

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

In reply to Zach Himsel's message sent 2006-07-25 15:21:

> I recall some time ago I had a question as to how I can use gpg-agent
> in Windows for Thunderbird/Enigmail. Since there is no release of
> gpg-agent for Windows (without building it yourself), I had to enter
> in my passphrase every time TB started up (I had the pass cache for
> 9999 minutes).
>
> I figured out that in the Enigmail options, you can have it add a string
> of options before the command. If you add --passphrase "#####" it will
> bypass the --passphrase-fd 0 that it puts there by default. The only
> downside is that the pass is not stored securely.

Yes, as long as gpg-agent support is selected Enigmail will drop the
"--passphrase-fd 0" in its command when you do that. Enigmail accepted
my passphrase arg, but the former arg persisted until I checked to
enable gpg-agent, then it worked fine.

Cool! Thanks for something easier than even entering my passphrase once
per session! I'm not concerned about the treatment of the passphrase
because my Thunderbird profile, mail folders, and Enigmail log folder
reside on an encrypted volume.

- --
List Moderator, PGP Encryption Help Team

Mike Daigle http://www.mikedaigle.ca
My PGP Key Send email with subject=pgpkey-request
Gossamer Spider Web of Trust http://www.gswot.org

-----BEGIN PGP SIGNATURE-----
Comment: GSWoT:CA1 Gossamer Spider Web of Trust www.gswot.org
Comment: Mike Daigle Ontario, Canada www.mikedaigle.ca

-----END PGP SIGNATURE-----

gpg-agent in Enigmail/Thunderbird
user name
2006-07-26 02:02:49

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Daigle wrote:
> Yes, as long as gpg-agent support is selected Enigmail will drop the
> "--passphrase-fd 0" in its command when you do that. Enigmail accepted
> my passphrase arg, but the former arg persisted until I checked to
> enable gpg-agent, then it worked fine.
>
> Cool! Thanks for something easier than even entering my passphrase once
> per session! I'm not concerned about the treatment of the passphrase
> because my Thunderbird profile, mail folders, and Enigmail log folder
> reside on an encrypted volume.
>

Which version of gpg-agent are you running and from where?

- --
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5-svn-curl-4197-2006-07-20 (Windows PIII)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the £33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

gpg-agent in Enigmail/Thunderbird
user name
2006-07-26 02:37:09

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

In reply to John Clizbe's message sent 2006-07-25 22:02:

>>> Yes, as long as gpg-agent support is selected Enigmail will drop
>>> the "--passphrase-fd 0" in its command when you do that. Enigmail
>>> accepted my passphrase arg, but the former arg persisted until I
>>> checked to enable gpg-agent, then it worked fine.

> Which version of gpg-agent are you running and from where?

I'm not running gpg-agent. I just learned from this thread that enabling
support in Enigmail for gpg-agent allows the "--passphrase-fd 0" in the
gpg command line to be overridden with a --passphrase arg in Enigmail's
options. If I don't check the box in Enigmail to enable gpg-agent, it
won't use the passphrase I supply in Enigmail's optional args.

- --
List Moderator, PGP Encryption Help Team

Mike Daigle http://www.mikedaigle.ca
My PGP Key Send email with subject=pgpkey-request
Gossamer Spider Web of Trust http://www.gswot.org

-----BEGIN PGP SIGNATURE-----
Comment: GSWoT:CA1 Gossamer Spider Web of Trust www.gswot.org
Comment: Mike Daigle Ontario, Canada www.mikedaigle.ca

-----END PGP SIGNATURE-----
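
Added example, not part of any message in this thread: a small audit check for the setting discussed above, flagging a passphrase given directly as a gpg option (`--passphrase`) as opposed to one read from a descriptor or file (`--passphrase-fd`, `--passphrase-file`), and producing a copy of the option string that is safe to log. The function name `audit_gpg_args` and the sample option strings are constructed for illustration.

```python
import shlex

INLINE = "--passphrase"                              # secret is the argument itself
INDIRECT = ("--passphrase-fd", "--passphrase-file")  # secret is read from elsewhere


def audit_gpg_args(arg_string):
    """Audit a string of extra gpg options (hypothetical helper).

    Returns (findings, redacted): a list of finding labels and the option
    string with any inline passphrase value replaced, so it can be logged.
    """
    tokens = shlex.split(arg_string)       # honours "quoted values"
    findings, redacted = [], []
    saw_indirect = False
    i = 0
    while i < len(tokens):
        name, eq, _value = tokens[i].partition("=")
        if name == INLINE and eq:          # --passphrase=VALUE
            findings.append("inline-passphrase")
            redacted.append(name + "=REDACTED")
        elif name == INLINE and i + 1 < len(tokens):   # --passphrase VALUE
            findings.append("inline-passphrase")
            redacted += [name, "REDACTED"]
            i += 1                         # skip the value token
        elif name == INLINE:               # option given with nothing after it
            findings.append("passphrase-option-missing-value")
            redacted.append(name)
        else:
            if name in INDIRECT:
                saw_indirect = True
            redacted.append(tokens[i])
        i += 1
    # Both forms in one command line: which one gpg honours should be tested,
    # not assumed, so report it separately.
    if saw_indirect and "inline-passphrase" in findings:
        findings.append("inline-and-indirect-both-present")
    return findings, shlex.join(redacted)


if __name__ == "__main__":
    # Constructed sample option strings, not taken from a real profile.
    for sample in ('--passphrase "#####"',
                   "--passphrase=example-only --passphrase-fd 0",
                   "--passphrase-fd 0 --batch"):
        print(audit_gpg_args(sample))
```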
