gpg: Allow unattended deletion of secret keys.

* agent/command.c (cmd_delete_key): Make the --force option depend on
--disallow-loopback-passphrase.
* g10/call-agent.c (agent_delete_key): Add arg FORCE.
* g10/delkey.c (do_delete_key): Pass opt.answer_yes to
agent_delete_key.
--

Unless the agent has been configured with
--disallow-loopback-passpharse an unattended deletion of a secret key
is now possible with gpg by using --batch _and_ --yes.

Signed-off-by: Werner Koch <wk@gnupg.org>

agent/command.c

@@ -2333,8 +2333,9 @@ cmd_export_key (assuan_context_t ctx, char *line)
 static const char hlp_delete_key[] =
   "DELETE_KEY [--force] <hexstring_with_keygrip>\n"
   "\n"
-  "Delete a secret key from the key store.\n"
-  "Unless --force is used the agent asks the user for confirmation.\n";
+  "Delete a secret key from the key store.  If --force is used\n"
+  "and a loopback pinentry is allowed, the agent will not ask\n"
+  "the user for confirmation.";
 static gpg_error_t
 cmd_delete_key (assuan_context_t ctx, char *line)
 {
@@ -2349,6 +2350,11 @@ cmd_delete_key (assuan_context_t ctx, char *line)
   force = has_option (line, "--force");
   line = skip_options (line);
 
+  /* If the use of a loopback pinentry has been disabled, we assume
+   * that a silent deletion of keys shall also not be allowed.  */
+  if (!opt.allow_loopback_pinentry)
+    force = 0;
+
   err = parse_keygrip (ctx, line, grip);
   if (err)
     goto leave;

doc/gpg-agent.texi

@@ -337,6 +337,10 @@ internal cache of @command{gpg-agent} with passphrases.
 Disallow or allow clients to use the loopback pinentry features; see
 the option @option{pinentry-mode} for details.  Allow is the default.
 
+The @option{--force} option of the Assuan command @command{DELETE_KEY}
+is also controlled by this option: The option is ignored if a loopback
+pinentry is disallowed.
+
 @item --no-allow-external-cache
 @opindex no-allow-external-cache
 Tell Pinentry not to enable features which use an external cache for
@@ -820,8 +824,17 @@ fi
 @section Agent's Assuan Protocol
 
 Note: this section does only document the protocol, which is used by
-GnuPG components; it does not deal with the ssh-agent protocol.
+GnuPG components; it does not deal with the ssh-agent protocol.  To
+see the full specification of each command, use
 
+@example
+  gpg-connect-agent 'help COMMAND' /bye
+@end example
+
+@noindent
+or just 'help' to list all available commands.
+
+@noindent
 The @command{gpg-agent} daemon is started on demand by the GnuPG
 components.
 

doc/gpg.texi

@@ -376,13 +376,20 @@ safeguard against accidental deletion of multiple keys.
 
 @item --delete-secret-keys @code{name}
 @opindex delete-secret-keys
-Remove key from the secret keyring. In batch mode the key
-must be specified by fingerprint.
+gRemove key from the secret keyring. In batch mode the key must be
+specified by fingerprint.  The option @option{--yes} can be used to
+advice gpg-agent not to request a confirmation.  This extra
+pre-caution is done because @command{gpg} can't be sure that the
+secret key (as controlled by gpg-agent) is only used for the given
+OpenPGP public key.
+
 
 @item --delete-secret-and-public-key @code{name}
 @opindex delete-secret-and-public-key
 Same as @option{--delete-key}, but if a secret key exists, it will be
 removed first. In batch mode the key must be specified by fingerprint.
+The option @option{--yes} can be used to advice gpg-agent not to
+request a confirmation.
 
 @item --export
 @opindex export

g10/call-agent.c

@@ -2349,9 +2349,11 @@ agent_export_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
 
 /* Ask the agent to delete the key identified by HEXKEYGRIP.  If DESC
    is not NULL, display DESC instead of the default description
-   message.  */
+   message.  If FORCE is true the agent is advised not to ask for
+   confirmation. */
 gpg_error_t
-agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc)
+agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
+                  int force)
 {
   gpg_error_t err;
   char line[ASSUAN_LINELENGTH];
@@ -2376,7 +2378,8 @@ agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc)
         return err;
     }
 
-  snprintf (line, DIM(line)-1, "DELETE_KEY %s", hexkeygrip);
+  snprintf (line, DIM(line)-1, "DELETE_KEY%s %s",
+            force? " --force":"", hexkeygrip);
   err = assuan_transact (agent_ctx, line, NULL, NULL,
                          default_inq_cb, &dfltparm,
                          NULL, NULL);

g10/call-agent.h

@@ -196,7 +196,7 @@ gpg_error_t agent_export_key (ctrl_t ctrl, const char *keygrip,
 
 /* Delete a key from the agent.  */
 gpg_error_t agent_delete_key (ctrl_t ctrl, const char *hexkeygrip,
-                              const char *desc);
+                              const char *desc, int force);
 
 /* Change the passphrase of a key.  */
 gpg_error_t agent_passwd (ctrl_t ctrl, const char *hexkeygrip, const char *desc,

g10/delkey.c

@@ -184,8 +184,14 @@ do_delete_key( const char *username, int secret, int force, int *r_sec_avail )
               prompt = gpg_format_keydesc (node->pkt->pkt.public_key,
                                            FORMAT_KEYDESC_DELKEY, 1);
               err = hexkeygrip_from_pk (node->pkt->pkt.public_key, &hexgrip);
+              /* NB: We require --yes to advise the agent not to
+               * request a confirmation.  The rationale for this extra
+               * pre-caution is that since 2.1 the secret key may also
+               * be used for other protocols and thus deleting it from
+               * the gpg would also delete the key for other tools. */
               if (!err)
-                err = agent_delete_key (NULL, hexgrip, prompt);
+                err = agent_delete_key (NULL, hexgrip, prompt,
+                                        opt.answer_yes);
               xfree (prompt);
               xfree (hexgrip);
               if (err)