Hi Bernhard,
Here is more information:
Q: What are you trying to do?
A: Migrate from gnupg 1.4 to gnupg 2.x in an environment where gpg.exe is called by an application to encrypt and decrypt files.
Q: while you can run several instances of gpg-agent, can you be more elaborate, why you need them?
A: This is because of the way this file transfer system was built. Note that it was implemented at least fifteen years ago with version 1.4 of GNUPG, before the agent became mandatory.
Each partner has a directory, on the server where GPG4WIN is installed, which contains its public key and our public/secret key pair specific to that partner. Each time a file received from a partner or to be sent to a partner must be encrypted/decrypted, our application calls GNUPG. The directory specific to the partner concerned by the exchange is passed in the "--homedir" parameter. Eventually, when at least one file transfer has taken place with each partner, we end up with seventeen agents in execution.
Here are the two types of commands that are used:
Decryptions:
"C:\Program Files (x86)\GnuPG\bin\gpg.exe" --batch --yes --display-charset utf-8 --passphrase-fd 0 --pinentry-mode loopback --verbose --ignore-mdc-error --homedir C:\ProgRRQ\GnuPG\RRQGnuPG15P -r "RQ Prod" -o "\siaechpcq02\depotsys\EE5\EE5N731_Temp\dshr3n4q.h5c" -d \siaechpcq02\depotsys\EE5\EE5N731_Temp\kvhs3fev.04x
Encryption and signature:
"C:\Program Files (x86)\GnuPG\bin\gpg.exe" --batch --yes --display-charset utf-8 --passphrase-fd 0 --pinentry-mode loopback --verbose --ignore-mdc-error --homedir C:\ProgRRQ\GnuPG\RRQGnuPG11P -r "CLE_CSPQTEHVRRQ" -o "\siaechpcq02\depotsys\EE5\EE5N731_Temp\jm105off.ryq" -se "\SIAECHPCQ02\DepotSys\EE5\EE5N731_Temp\s0ua2xbx.b1t"
Q: Note that gpg-agent only deals with the secret key material. And usually if there are several communication partners, you could just use the same key pair from your side for all of them, e.g. to sign a file. For the communication partners you are then using different public keys (and again, those are not managed by gpg-agent).
A: I haven’t found in the documentation yet why a key pair is created for each communication partner. Maybe they wanted to avoid impacting all partners at once when replacing the key when it expires.
The files we send are signed and encrypted and the files we receive are also encrypted. So the secret key becomes necessary in any case.
Q: To make analysis easier for others, I suggest you try to get the diagnostic message in English. This makes it easier to find the place in the source code where the message originates from.
A: Is there a way to force the messages in English? I use a French OS.
Q: As it is a general error, it is not directly clear why the socket cannot be created. I take it that it will be different directories that are tried, each for one gpg-agent. How often is "sometime"? Can you try to quantify it?
There must be some factor triggering the unavailability of the socket, which will be important to understand the situation. Are you creating the sockets pretty fast? Because the operating system may need a bit to allow a socket to be re-used.
A: Here are some tests I did:
I start the seventeen agents one after the other with a batch file to simulate the call to gnupg by the applications. I tested with a delay between commands of 3, 30 and 300 seconds. Here is an excerpt from the batch file I’m using:
@echo %time%
"C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent" --homedir C:/ProgRRQ/GnuPG/RRQGnuPG01E /bye
@echo %time%
timeout /t 300
@echo %time%
"C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent" --homedir C:/ProgRRQ/GnuPG/RRQGnuPG02E /bye
@echo %time%
timeout /t 300
@echo %time%
"C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent" --homedir C:/ProgRRQ/GnuPG/RRQGnuPG03E /bye
@echo %time%
timeout /t 300
@echo %time%
"C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent" --homedir C:/ProgRRQ/GnuPG/RRQGnuPG04E /bye
@echo %time%
…
With gnupg 2.2.27:
With a delay of 3 seconds: 5 agents have not started (3-7-8-9-13)
With a delay of 30 seconds: 5 agents have not started (1-6-7-13-15)
With a delay of 300 seconds: 4 agents did not start (9-12-13-14)
With gnupg 2.3.7:
With a delay of 3 seconds: 3 agents did not start (12-14-17)
With a delay of 30 seconds: all agents have started
With a delay of 30 seconds (second try, 5 minutes between the two tries): 1 agent did not start (7)
With a delay of 30 seconds (third try, 5 minutes between the two tries): all agents have started
Q: Can you link to the section in the manual that you are referring to, when you say that the starting problem is in the manual?
A: I meant that the agent startup problem is present both when gpg.exe is called by the application and when I simulate a call to the agent with the command "gpg-connect-agent --homedir C:/ProgRRQ/GnuPG/RRQGnuPGxxP /bye" in a command prompt.
Regards
Christian Roy
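An added diagnostic harness for the per-homedir start test described in the message above (this is not Christian's batch file or any GnuPG-supplied script): it starts the seventeen agents one at a time, keeps each one's exit code and diagnostic text, and asks gpgconf where the agent socket for that homedir is expected, so the failing agents can be listed without reading timestamps by hand. The install path, the RRQGnuPGnnE homedir naming and the 30-second delay come from the message; setting LANG=C to obtain untranslated English diagnostics and treating a non-zero exit code of gpg-connect-agent as "agent did not start" are assumptions.

```powershell
# Added harness, not part of the original message. Assumptions: LANG=C yields
# English GnuPG messages on Windows; a non-zero exit code from
# "gpg-connect-agent --homedir DIR /bye" means the agent for DIR did not start.
$GpgBin   = 'C:\Program Files (x86)\GnuPG\bin'   # path from the message above
$HomeRoot = 'C:\ProgRRQ\GnuPG'                   # parent of the RRQGnuPGnnE homedirs
$DelaySec = 30                                   # one of the delays tested above
$env:LANG = 'C'                                  # assumption: untranslated diagnostics

$results = foreach ($n in 1..17) {
    $homedir = Join-Path $HomeRoot ('RRQGnuPG{0:D2}E' -f $n)
    $started = Get-Date

    # Merge stderr into stdout so the "can't connect"/socket diagnostic is kept.
    $output = & "$GpgBin\gpg-connect-agent" --homedir $homedir /bye 2>&1 | Out-String
    $rc     = $LASTEXITCODE

    # Let gpgconf report where the socket for this homedir must live instead of
    # guessing; the path differs between GnuPG versions and socket redirection.
    $socket = & "$GpgBin\gpgconf" --homedir $homedir --list-dirs agent-socket

    [pscustomobject]@{
        Agent      = $n
        Homedir    = $homedir
        ExitCode   = $rc
        SocketPath = $socket
        SocketSeen = Test-Path -LiteralPath $socket
        Seconds    = [int]((Get-Date) - $started).TotalSeconds
        Message    = ($output -replace '\s+', ' ').Trim()
    }

    Start-Sleep -Seconds $DelaySec
}

$results | Format-Table Agent, ExitCode, SocketSeen, Seconds, Message -AutoSize

# Same "n-n-n" summary as the results quoted above, e.g. "9-12-13-14".
$failed = @($results | Where-Object { $_.ExitCode -ne 0 })
'Agents that did not start: ' + (($failed | ForEach-Object { $_.Agent }) -join '-')
```

Comparing the Message and SocketPath columns of the failed rows against the SocketSeen column shows whether the socket file was created but not usable, or never created at all, which is the distinction the question about "why the socket cannot be created" turns on.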