How to check if your GPG key is in cache PART 2 - demu.red

Followup Part3

GPG Cache Checking: deja vu

Until this week I had been using a clean way of checking if my laptop GPG key was cached.
...
If this doesn't sound like a familiar story, see Part1.

A Broken Solution

This week debian sid moved to using gpg2 as gpg. After the upgrade I found that my Backups were no longer passing, via my Conky Script. However my awk was still working when run in the terminal... odd.

gpg-connect-agent 'keyinfo --list' /bye 2>/dev/null | awk 'BEGIN{CACHED=0} /^S/ {match($0, /S\sKEYINFO\s\S+\s\S\s\S+\s\S+\s(\S)\s\S\s\S+\s\S+\s\S/, m); if(m[1]==1){CACHED=1}} END{print CACHED}'

Why it Broke

When I upgraded, I moved from:

  • gnupg 1.4.20-6 to 2.1.14-5 gnupg2 was separate
  • gnupg2 2.1.11-7 to 2.1.14-5
  • gnupg-agent 2.1.11-7 to 2.1.14-5

Post upgrade, gpg-connect-agent 'keyinfo --list' /bye still works normally.

~ -> gpg-connect-agent 'keyinfo --list' /bye
S KEYINFO REDACTEDREDACTEDREDACTEDREDACTEDREDACTED D - - - P - - -
S KEYINFO REDACTEDREDACTEDREDACTEDREDACTEDREDACTED D - - 1 P - - -
S KEYINFO REDACTEDREDACTEDREDACTEDREDACTEDREDACTED T REDACTEDREDACTEDREDACTEDREDACTED OPENPGP.1 - - - - -
S KEYINFO REDACTEDREDACTEDREDACTEDREDACTEDREDACTED T REDACTEDREDACTEDREDACTEDREDACTED OPENPGP.3 - - - - -
S KEYINFO REDACTEDREDACTEDREDACTEDREDACTEDREDACTED T REDACTEDREDACTEDREDACTEDREDACTED OPENPGP.2 - - - - -
OK

But sudo gpg-connect-agent 'keyinfo --list' /bye does not.

~ -> gpg-connect-agent 'keyinfo --list' /bye
S KEYINFO REDACTEDREDACTEDREDACTEDREDACTEDREDACTED D - - - P - - -
S KEYINFO REDACTEDREDACTEDREDACTEDREDACTEDREDACTED D - - - P - - -
S KEYINFO REDACTEDREDACTEDREDACTEDREDACTEDREDACTED T REDACTEDREDACTEDREDACTEDREDACTED OPENPGP.1 - - - - -
S KEYINFO REDACTEDREDACTEDREDACTEDREDACTEDREDACTED T REDACTEDREDACTEDREDACTEDREDACTED OPENPGP.3 - - - - -
S KEYINFO REDACTEDREDACTEDREDACTEDREDACTEDREDACTED T REDACTEDREDACTEDREDACTEDREDACTED OPENPGP.2 - - - - -
OK

After asking around on #gnupg, it looks like socket location was changed in version 2.1.13. (thank you K_F, for pointing me in the right direction) Instead of using $HOME/.gnupg/S.gpg-agent, gpg-agent now uses /run/user/${UID}/gnupg/S.gpg-agent Running sudo gpg-connect-agent -S /run/user/${UID}/gnupg/S.gpg-agent 'keyinfo --list' /bye produces the correct output again.

A Clean Solution... revisited

When sudo privileges are needed (otherwise things still work), you can use:

gpg-connect-agent -S /run/user/${UID}/gnupg/S.gpg-agent 'keyinfo --list' /bye 2>/dev/null | awk 'BEGIN{CACHED=0} /^S/ {match($0, /S\sKEYINFO\s\S+\s\S\s\S+\s\S+\s(\S)\s\S\s\S+\s\S+\s\S/, m); if(m[1]==1){CACHED=1}} END{print CACHED}'

This is assuming you aren't sudo -s, where $SUDO_UID would then be needed.

EDIT 19FEB2017: In hind sight, there is a better awk, which now doesn't have to be gawk:

gpg-connect-agent 'keyinfo --list' /bye 2>/dev/null | awk 'BEGIN{CACHED=0} /^S/ {if($7==1){CACHED=1}} END{if($0!=""){print CACHED} else {print "none"}}'
gpg-connect-agent -S /run/user/${UID}/gnupg/S.gpg-agent 'keyinfo --list' /bye 2>/dev/null | awk 'BEGIN{CACHED=0} /^S/ {if($7==1){CACHED=1}} END{print CACHED}'

Afterwords

While this does work for the cache check of my backups (with added code to account for $UID vs $SUDU_UID, as manually running and cryptshotr and running via cryptshotr-cron have different needs...)

, it does not handle sudo gpg... working...
sigh
So I am currently still using a hack, which is to link $HOME/.gnupg/S.gpg-agent to it's current location. After this, Things-Just-Work™.
For now.
ln -s /run/user/${UID}/gnupg/S.gpg-agent $HOME/.gnupg/S.gpg-agent

Part3
Part1
Backups
Conky script

- demure