guix-science

Re: Help! I messed up guix-past


From: Konrad Hinsen
Subject: Re: Help! I messed up guix-past
Date: Mon, 12 Sep 2022 08:16:32 +0200

Hi Ludo,

> I remember there were issues along these lines at the time GnuPG 2.2 (?)
> was released and the previous major version was still around, but that
> was quite some time ago.
>
> I don’t have the solution off the top of my head, but there ought to be
> one; maybe having PATH consistently prefer either Guix’s profile or
> Ubuntu would help?

In my case, $PATH has my Guix profile first, and I always run the gpg
from my Guix profile. But it picks up the gpg-agent from Ubuntu, which
lives at /usr/bin/gpg-agent.

> Maybe we’ll improvise a GPG debugging session in Paris next week, who
> knows?  ;-)

It may well be possible to fix this issue (for example, patch gnupg such
that it launches the agent via the full path to the store), but for me
there is also a loss-of-confidence issue. If a messed-up software
installation grants password-less access to my keys, then my keys
effectively have no password protection any more. Attackers only need to
install two different gpg versions to have access to my keys. That's why
I want to get rid of gpg, rather than fix it superficially.

Cheers,
  Konrad
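
The mismatch described in the message above (gpg from one installation talking to a gpg-agent from another) can be checked for by comparing the agent binary that `gpgconf` reports with the binary of the agent process that is actually running. The script below is an added example, not part of the original message or of Guix or GnuPG; it assumes Linux (`/proc`), GnuPG 2.1 or later, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: is the running gpg-agent the one this gpg installation ships?
# Assumes Linux (/proc) and GnuPG 2.1+; all function names are hypothetical.

# Binary path of one component, from `gpgconf --list-components` output
# on stdin (colon-separated: name:description:path).
component_path() {
    awk -F: -v c="$1" '$1 == c { print $3; exit }'
}

# PID from the reply to `gpg-connect-agent 'getinfo pid' /bye` on stdin
# (a "D <pid>" data line followed by "OK").
agent_pid() {
    awk '$1 == "D" { print $2; exit }'
}

# Returns 0 when the expected and running agent binaries are the same file.
compare_agent() {
    if [ "$1" = "$2" ]; then
        echo "ok: running agent is $2"
        return 0
    fi
    echo "MISMATCH: gpgconf expects $1 but the running agent is $2"
    return 1
}

check_live() {
    expected=$(gpgconf --list-components | component_path gpg-agent)
    # --no-autostart: only inspect an agent that is already running.
    pid=$(gpg-connect-agent --no-autostart 'getinfo pid' /bye 2>/dev/null | agent_pid)
    if [ -z "$pid" ]; then
        echo "no gpg-agent is running for this user"
        return 0
    fi
    compare_agent "$(readlink -f "$expected")" "$(readlink -f "/proc/$pid/exe")"
}

# Inspect the real system only on request; the functions above are pure parsers.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it with `--live` from the same shell environment in which gpg is normally invoked, so that the `gpgconf` found on `$PATH` belongs to the same installation as that gpg.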


