update debian packaging Standards-Version to 3.8.1

[monkeysphere.git] / website / bugs / handle-passphrase-locked-secret-keys.mdwn

diff --git a/website/bugs/handle-passphrase-locked-secret-keys.mdwn b/website/bugs/handle-passphrase-locked-secret-keys.mdwn
index a61b5ba369317eb8a367007fa96cd3f87f0e7dd8..b58650ebae088a6633425346ca2ba57ebdb24a2c 100644 (file)
--- a/website/bugs/handle-passphrase-locked-secret-keys.mdwn
+++ b/website/bugs/handle-passphrase-locked-secret-keys.mdwn
@@ -1,4 +1,4 @@
-[[meta title="MonkeySphere needs to be able to cleanly export passphrase-locked secret keys from the GPG keyring"]]
+[[meta title="MonkeySphere can't deal with passphrase-locked primary keys"]]
 
 At the moment, the only tool we have to export passphrase-locked
 secret keys from the GPG keyring is `gpg` itself (and `gpg2`, which
@@ -32,15 +32,28 @@ primary key, then something like the following script should actually
 work for reasonable values of `$KEYID`:
 
        TMPDIR=$(mktemp -d)
-       uname 077
+       umask 077
        mkfifo "$TMPDIR/passphrase"
        kname="MonkeySphere Key $KEYID"
        mkfifo "$TMPDIR/$kname"
-       ssh-agent "Please enter the passphrase for MonkeySphere key $KEYID" >"$TMPDIR/passphrase" &
-       gpg  --passphrase-fd 3 3<"$TMPDIR/passphrase" --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes --export-secret-subkeys "$KEYID"\! | openpgp2ssh "$KEYID" > "$TMPDIR/$kname"
+       ssh-askpass "Please enter the passphrase for MonkeySphere key $KEYID" >"$TMPDIR/passphrase" &
+       gpg  --passphrase-fd 3 3<"$TMPDIR/passphrase" \
+         --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \
+         --export-secret-subkeys "$KEYID"\! | openpgp2ssh "$KEYID" > "$TMPDIR/$kname" &
        (cd "$TMPDIR" && ssh-add -c "$kname")
        rm -rf "$TMPDIR"        
 
+Good news!  [I've crafted a patch for GnuTLS to enable it to read
+exported subkeys using this GNU
+extension](http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html),
+so if we can get it incorporated into upstream (and/or into debian),
+we have a possible solution, as long as the authentication key is a
+subkey, and not a primary key.
+
+As of version 0.11-1, `monkeysphere subkey-to-ssh-agent` implements
+this particular strategy (and fails cleanly if the version of GnuTLS
+present doesn't support the GNU dummy S2K extension).
+
 ---------
 
 Ben Laurie and Rachel Willmer's
@@ -81,3 +94,24 @@ Concerns:
 ---------
 
 Other alternatives?
+
+--------
+
+Can this bug be closed? dkg [reported in a comment for a related
+bug](/bugs/install-seckey2sshagent-in-usr-bin/):
+
+       Version 0.11-1 now has the monkeysphere subkey-to-ssh-agent
+       subcommand, which works cleanly in the presence of a
+       functionally-patched GnuTLS.
+
+--------
+
+Even with the patched GnuTLS, monkeysphere currently can't currently
+deal with passphrase-locked primary keys.  I've changed the title of
+this bug, but i'd like to keep it open until we are able to deal with
+that.  The other comments here seem still quite relevant to that
+need.
+
+I've changed the title of this bug to reflect the narrowed scope.
+
+       --dkg