如何調整 GnuPG 背景執行 gpg-agent 時的相關設定並延長密碼快取期限 | The Will Will Web

The Will Will Web

記載著 Will 在網路世界的學習心得與技術分享

如何調整 GnuPG 背景執行 gpg-agent 時的相關設定並延長密碼快取期限

因為我現在每次 git commit 都會進行 GPG 簽章,第一次 commit 時會跳出一個視窗輸入 OpenPGP 的密鑰的密碼,接著會自動將 gpg-agent 程式跑在背景,在一定時間內就不用再次輸入密碼。不過 gpg-agent 預設快取時間只有 600 秒 (十分鐘),但我一天內不會每 10 分鐘 Commit 一次,這個快取功能形同虛設,完全沒用!這篇文章將分享如何調整預設值,讓你在一天內都不用再次輸入 GPG 密碼。

Please enter the passphrase to unlock the OpenPGP secret key

在 Windows 安裝 Gpg4win 的同時,也會幫你安裝 GNU Privacy Guard (GnuPG) 命令列工具,其中就包含 gpg-agent 代理程式。

找出 gpg-agent.conf 設定檔的所在路徑

  • 查詢 GPG 版本資訊

    gpg --version
    

    Linux

    $ gpg --version
    gpg (GnuPG) 2.2.20
    libgcrypt 1.8.6
    Copyright (C) 2020 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Home: /home/will/.gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    

    Windows

    C:\>gpg --version
    gpg (GnuPG) 2.2.23
    libgcrypt 1.8.6
    Copyright (C) 2020 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Home: C:/Users/user/AppData/Roaming/gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    

    從上述版本資訊可以看到一個 Home: 欄位,這裡指出 gpg-agent.conf 設定檔的所在路徑!

  • 常見的 gpg-agent.conf 設定檔路徑

    Linux / macOS

    ~/.gnupg/gpg-agent.conf
    

    Windows

    %AppData%\gnupg\gpg-agent.conf
    

調整 gpg-agent 快取時間

  • 延長快取時間的 gpg-agent.conf 設定內容範例

    default-cache-ttl 86400
    max-cache-ttl 604800
    

    單位:秒 (Seconds)

    default-cache-ttl 設定 24 小時內自動密碼快取失效,如果期間有存取過快取,會重置快取時間,自動延長到期時間到當下加上 24 小時。

    max-cache-ttl 設定 7 天,代表快取到第七天之後,無論如何都需要再次輸入密碼。

  • 重新載入 gpg-agent.conf 設定

    gpgconf --reload gpg-agent
    
  • 查詢目前 gpg-agent.conf 設定

    gpgconf --list-options gpg-agent
    
    Monitor:1:0:Options controlling the diagnostic output:0:0::::
    verbose:12:0:verbose:0:0::::
    quiet:8:0:be somewhat more quiet:0:0::::
    Configuration:1:0:Options controlling the configuration:0:0::::
    disable-scdaemon:8:1:do not use the SCdaemon:0:0::::
    enable-ssh-support:0:0:enable ssh support:0:0::::
    ssh-fingerprint-digest:24:2:use ALGO to show ssh fingerprints:1:1:ALGO:"md5::
    enable-putty-support:0:0:enable putty support:0:0::::
    Debug:1:1:Options useful for debugging:0:0::::
    debug-level:26:1:set the debugging level to LEVEL:1:1:LEVEL:"none::
    log-file:8:1:write server mode logs to FILE:32:1:FILE:::
    Security:1:0:Options controlling the security:0:0::::
    default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::86400
    default-cache-ttl-ssh:24:1:expire SSH keys after N seconds:3:3:N:1800::
    max-cache-ttl:24:2:set maximum PIN cache lifetime to N seconds:3:3:N:7200::604800
    max-cache-ttl-ssh:24:2:set maximum SSH key lifetime to N seconds:3:3:N:7200::
    ignore-cache-for-signing:8:0:do not use the PIN cache when signing:0:0::::
    allow-emacs-pinentry:8:1:allow passphrase to be prompted through Emacs:0:0::::
    grab:8:2::0:0::::
    no-allow-external-cache:8:0:disallow the use of an external password cache:0:0::::
    no-allow-mark-trusted:8:1:disallow clients to mark keys as "trusted":0:0::::
    no-allow-loopback-pinentry:8:2:disallow caller to override the pinentry:0:0::::
    Passphrase policy:1:1:Options enforcing a passphrase policy:0:0::::
    enforce-passphrase-constraints:8:2:do not allow bypassing the passphrase policy:0:0::::
    min-passphrase-len:24:1:set minimal required length for new passphrases to N:3:3:N:8::
    min-passphrase-nonalpha:24:2:require at least N non-alpha characters for a new passphrase:3:3:N:1::
    check-passphrase-pattern:24:2:check new passphrases against pattern in FILE:32:1:FILE:::
    max-passphrase-days:24:2:expire the passphrase after N days:3:3:N:0::
    enable-passphrase-history:8:2:do not allow the reuse of old passphrases:0:0::::
    pinentry-timeout:24:1:set the Pinentry timeout to N seconds:3:3:N:0::
    

關閉 gpg-agent 背景程式

如果你想要立即關閉 gpg-agent 程式的話,可以用以下命令完成:

gpgconf --kill gpg-agent

相關連結