--- /dev/null
+Return-Path: <dkg@fifthhorseman.net>\r
+X-Original-To: notmuch@notmuchmail.org\r
+Delivered-To: notmuch@notmuchmail.org\r
+Received: from localhost (localhost [127.0.0.1])\r
+ by olra.theworths.org (Postfix) with ESMTP id 15E3C431FAF\r
+ for <notmuch@notmuchmail.org>; Mon, 8 Jul 2013 04:44:37 -0700 (PDT)\r
+X-Virus-Scanned: Debian amavisd-new at olra.theworths.org\r
+X-Spam-Flag: NO\r
+X-Spam-Score: 0\r
+X-Spam-Level: \r
+X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none]\r
+ autolearn=disabled\r
+Received: from olra.theworths.org ([127.0.0.1])\r
+ by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)\r
+ with ESMTP id cg4Y838DEXKw for <notmuch@notmuchmail.org>;\r
+ Mon, 8 Jul 2013 04:44:29 -0700 (PDT)\r
+Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108])\r
+ by olra.theworths.org (Postfix) with ESMTP id 35CA0431FAE\r
+ for <notmuch@notmuchmail.org>; Mon, 8 Jul 2013 04:44:29 -0700 (PDT)\r
+Received: from [192.168.13.179] (lair.fifthhorseman.net [108.58.6.98])\r
+ by che.mayfirst.org (Postfix) with ESMTPSA id 40D68F980;\r
+ Mon, 8 Jul 2013 07:44:25 -0400 (EDT)\r
+Message-ID: <51DAA617.4090308@fifthhorseman.net>\r
+Date: Mon, 08 Jul 2013 07:44:23 -0400\r
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>\r
+User-Agent: Mozilla/5.0 (X11; Linux x86_64;\r
+ rv:17.0) Gecko/20130630 Icedove/17.0.7\r
+MIME-Version: 1.0\r
+To: Neil Roberts <neil@linux.intel.com>\r
+Subject: Re: [PATCH 0/2] Prompting for the GPG password within Emacs\r
+References: <1373195672-9338-1-git-send-email-neil@linux.intel.com>\r
+ <51D9F4E6.1030504@fifthhorseman.net> <87r4f9xqc7.fsf@neilpc.config>\r
+In-Reply-To: <87r4f9xqc7.fsf@neilpc.config>\r
+X-Enigmail-Version: 1.5.1\r
+Content-Type: multipart/signed; micalg=pgp-sha512;\r
+ protocol="application/pgp-signature";\r
+ boundary="----enig2PTDHJLRHHSIOUJJPDHBO"\r
+Cc: notmuch@notmuchmail.org\r
+X-BeenThere: notmuch@notmuchmail.org\r
+X-Mailman-Version: 2.1.13\r
+Precedence: list\r
+List-Id: "Use and development of the notmuch mail system."\r
+ <notmuch.notmuchmail.org>\r
+List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,\r
+ <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>\r
+List-Archive: <http://notmuchmail.org/pipermail/notmuch>\r
+List-Post: <mailto:notmuch@notmuchmail.org>\r
+List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>\r
+List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,\r
+ <mailto:notmuch-request@notmuchmail.org?subject=subscribe>\r
+X-List-Received-Date: Mon, 08 Jul 2013 11:44:37 -0000\r
+\r
+This is an OpenPGP/MIME signed message (RFC 4880 and 3156)\r
+------enig2PTDHJLRHHSIOUJJPDHBO\r
+Content-Type: text/plain; charset=UTF-8\r
+Content-Transfer-Encoding: quoted-printable\r
+\r
+Hi Niel--\r
+\r
+On 07/08/2013 07:07 AM, Neil Roberts wrote:\r
+\r
+> Both machines are trusted personal machines so I can put the keys on\r
+> either (or both).\r
+\r
+cool, this makes it a little bit easier.\r
+\r
+> I think what would be ideal is if OpenSSH could\r
+> support gpg-agent forwarding like it does for ssh-agent.\r
+\r
+Hm, interesting. I bet we could figure out a way to do this with\r
+existing OpenSSH without needing to patch anything, as long as you're\r
+willing to use helper utilities like socat.\r
+\r
+it came up on a blog post i made a while back about forwarding\r
+unix-domain sockets over ssh:\r
+\r
+ https://www.debian-administration.org/users/dkg/weblog/68\r
+\r
+but no one offered an explicit recipe, and my examples there are for\r
+forwarding a unix domain socket from the ssh client to the ssh server,\r
+which i think is the reverse of what you're proposing.\r
+\r
+\r
+I just did a little test, and got the following to work with a single\r
+connection (a bit more tuning and you can probably make it work repeatedl=\r
+y):\r
+\r
+on the remote server (i'll call it "xxx"), i did:\r
+\r
+ mkdir ~/.sockets\r
+ chmod 0700 ~/.sockets\r
+ export GPG_AGENT_INFO=3D~/.sockets/S.gpg-agent:0:1\r
+\r
+and on my local machine, i ran the following bash command (this is all\r
+one command, sorry about the line wrap):\r
+\r
+ socat\r
+ EXEC:'ssh xxx socat UNIX-LISTEN\:.sockets/S.gpg-agent STDIO'\r
+ UNIX:${GPG_AGENT_INFO%%:*}\r
+\r
+then on the remote server, i created a secret key, and ran:\r
+\r
+ echo test > test.txt\r
+ gpg --clearsign test.txt\r
+\r
+and was prompted by my local graphical gpg-agent.\r
+\r
+note that this means that any passphrases cached by my local gpg-agent\r
+are also visible to the account on the remote server, but in your\r
+scenario (you control and trust both machines) that should be OK.\r
+\r
+hth,\r
+\r
+ --dkg\r
+\r
+\r
+------enig2PTDHJLRHHSIOUJJPDHBO\r
+Content-Type: application/pgp-signature; name="signature.asc"\r
+Content-Description: OpenPGP digital signature\r
+Content-Disposition: attachment; filename="signature.asc"\r
+\r
+-----BEGIN PGP SIGNATURE-----\r
+Version: GnuPG v1.4.12 (GNU/Linux)\r
+Comment: Using GnuPG with Icedove - http://www.enigmail.net/\r
+\r
+iQJ8BAEBCgBmBQJR2qYXXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w\r
+ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFQjk2OTEyODdBN0FEREUzNzU3RDkxMUVB\r
+NTI0MDFCMTFCRkRGQTVDAAoJEKUkAbEb/fpcVN0P/AlR/q4gBc3ahHcUSM7cyHyS\r
+ICR8vcSjcCwSNxpZGFb6gzbMsHg8kzyMPt3ZNxM7Ovts8qdu9OpbFBo17QqgAT31\r
+6ipz3yc65MeAdWDSZBbYDDp6pMbWqyMNn/5ShtfNvpCopBft/PpfyFqUB9eJWklj\r
+Cd7iNCxbnE6oIrtu2x5lBW54THKfyu7RpAFCNhs7lj1OwlsS+rulhvA4DUzQ68Kq\r
+xTVwLoIMrVI8LTs6fA4omooXAnGYVyP430ZRe0fLFfTvbBxTKBKM0NG6Qp0FdH2h\r
+frNPYBRARnG2qcawcN1iKGg/iUIO9PfHbb0g0AZt9MfZi4xiwOxEyHqDJ+LJ+liF\r
+KYbRzRLTIhwTuzgSjJckZhPixo2kKhkov2evzSaxPzi2yIT6qP5JpdiLQx6v/Ga5\r
+oNDK1PJw0fNoFqgEgMvVYXQegkH0OPXCyFCiObKcB/0vbwjdbQHVAoChCDH/5LGc\r
+I16Pe8klx0Ovj7BRk0TUcdI7C5itbyBg9XmlZX7iyVlYJblb1LBFuNrg2jXjOkry\r
+O/Ex/rrITomwWRupOa1/plIyhl4Qb4K5t0hL7txNlDDGghw4f9RE/zL1GHx3ndrF\r
+jxc3GaHXOZN9dR35qsCeEqU/euQtFnC4IjJw9kX0/bzTMU01aqUvDWYxxe4EXZym\r
+0rwS8gJ/N10LRIeip0uC\r
+=F8du\r
+-----END PGP SIGNATURE-----\r
+\r
+------enig2PTDHJLRHHSIOUJJPDHBO--\r
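Review bot: every line of the added message, from the `Return-Path:` header through the closing `------enig2PTDHJLRHHSIOUJJPDHBO--` boundary, ends in a literal `\r`, so the file is stored with CRLF line endings; confirm this is intentional rather than an artifact of how the message was exported, because the `multipart/signed` body between the two boundaries is exactly what the `application/pgp-signature` part covers, and a later normalisation of line endings on this file would change the signed bytes and break verification of the detached signature. One further point on the recipe the message records (the `socat EXEC:'ssh xxx socat UNIX-LISTEN\:.sockets/S.gpg-agent STDIO' UNIX:${GPG_AGENT_INFO%%:*}` command and the `mkdir ~/.sockets` / `chmod 0700 ~/.sockets` steps): the message's own caveat about cached passphrases is the important one, and the `0700` directory mode is what restricts use of the forwarded socket to that remote account; anyone who can open the socket on the remote side can have the local agent sign or decrypt with any key it holds for as long as the ssh session is up, so this belongs in whatever documentation accompanies the corpus rather than only in the mail body.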