On Mon 2019-05-13 01:01:57 +0100, Toni Mueller wrote:
> I did not do this. This variable is unset in my environment.

Right, you were working with a pre-existing keyring.  I believe that
keyring already had a copy of the teabot public key.

> Your experiment only shows that the key did *not* end
> up in /tmp/cdtemp.AhkyjS/pubring.kbx. Otherwise, the "gpg -k" above
> should have listed it, instead of saying "No public key".

Yes.  I understand your bug report to claim that the default keyring is
being used, when you ask it to not be used.

I was demonstrating that the default keyring was not actually used when
i tried to replicate the issue.

>> perhaps the teabot key was already in your default keyring before you
>> run the --recv-keys operation?  that would certainly explain the
>> behavior that you're seeing.
>
> No, it does not. If a key is already there, it would not say
> "imported: 1".

I don't think this is an accurate analysis.  When you say
--no-default-keyring --keyring /path/to/foo, and /path/to/foo is an
empty keyring, then gpg *should* say "imported: 1" when it adds a key to
/path/to/foo, regardless of whether the same key is present in the
default keyring.  This still has no effect on the default keyring, as
you've asked it to not touch the default keyring.

> And since it said "imported: 1" for you, I challenge you to find the
> location of that key, because it is obviously not in your temporary
> keyring.

I beg to differ.  It is not in the default keyring, but it *is* in the
temporary keyring.

I'm still trying to understand and replicate your report.  Perhaps the
difference is in whether or not we're using the standard homedir for
gpg?  So I tried with a throwaway account, without setting a different
homedir, and still couldn't replicate:

--------------------------
0 jj955@alice:~$ gpg --version
gpg (GnuPG) 2.2.15
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/jj955/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
0 jj955@alice:~$ rm -rf .gnupg ~/gitea.gpg
0 jj955@alice:~$ mkdir -m 0700 .gnupg
0 jj955@alice:~$ echo list-options show-keyring > .gnupg/gpg.conf
0 jj955@alice:~$ gpg -k tea...@gitea.io
gpg: keybox '/home/jj955/.gnupg/pubring.kbx' created
gpg: /home/jj955/.gnupg/trustdb.gpg: trustdb created
gpg: error reading key: No public key
2 jj955@alice:~$ touch ~/gitea.gpg
0 jj955@alice:~$ gpg --keyring ~/gitea.gpg -k tea...@gitea.io
gpg: error reading key: No public key
2 jj955@alice:~$ gpg --keyring ~/gitea.gpg --no-default-keyring --recv-keys 
CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: key 2D9AE806EC1592E2: 6 signatures not checked due to missing keys
gpg: key 2D9AE806EC1592E2: public key "Teabot <tea...@gitea.io>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
0 jj955@alice:~$ gpg --keyring ~/gitea.gpg --no-default-keyring --recv-keys 
CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: key 2D9AE806EC1592E2: 6 signatures not checked due to missing keys
gpg: key 2D9AE806EC1592E2: "Teabot <tea...@gitea.io>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
0 jj955@alice:~$ gpg --keyring ~/gitea.gpg -k tea...@gitea.io
Keyring: /home/jj955/gitea.gpg
------------------------------
pub   rsa4096 2018-06-24 [SC] [expires: 2020-06-23]
      7C9E68152594688862D62AF62D9AE806EC1592E2
uid           [ unknown] Teabot <tea...@gitea.io>
sub   rsa4096 2018-06-24 [E] [expires: 2020-06-23]
sub   rsa4096 2018-06-24 [S] [expires: 2019-06-24]

0 jj955@alice:~$ 
--------------------------

I tried again on a different machine with gpg 2.2.13, and still could
not replicate:

--------------------------
0 dkg@sid:~$ gpg --version
gpg (GnuPG) 2.2.13
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/dkg/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
0 dkg@sid:~$ rm -rf ~/.gnupg ~/gitea.gpg
0 dkg@sid:~$ mkdir -m 0700 ~/.gnupg
0 dkg@sid:~$ echo list-options show-keyring > ~/.gnupg/gpg.conf
0 dkg@sid:~$ gpg -k tea...@gitea.io
gpg: keybox '/home/dkg/.gnupg/pubring.kbx' created
gpg: /home/dkg/.gnupg/trustdb.gpg: trustdb created
gpg: error reading key: No public key
2 dkg@sid:~$ touch ~/gitea.gpg
0 dkg@sid:~$ gpg --keyring ~/gitea.gpg --no-default-keyring --recv-keys 
CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: key 2D9AE806EC1592E2: 6 signatures not checked due to missing keys
gpg: key 2D9AE806EC1592E2: public key "Teabot <tea...@gitea.io>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
0 dkg@sid:~$ gpg --keyring ~/gitea.gpg --no-default-keyring --recv-keys 
CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: key 2D9AE806EC1592E2: 6 signatures not checked due to missing keys
gpg: key 2D9AE806EC1592E2: "Teabot <tea...@gitea.io>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
0 dkg@sid:~$ gpg --keyring ~/gitea.gpg -k tea...@gitea.io
Keyring: /home/dkg/gitea.gpg
----------------------------
pub   rsa4096 2018-06-24 [SC] [expires: 2020-06-23]
      7C9E68152594688862D62AF62D9AE806EC1592E2
uid           [ unknown] Teabot <tea...@gitea.io>
sub   rsa4096 2018-06-24 [E] [expires: 2020-06-23]
sub   rsa4096 2018-06-24 [S] [expires: 2019-06-24]

0 dkg@sid:~$ 
---------------------------

> For what it's worth, here's another run, setting GNUPGHOME:

> $ touch ~/mnt/tools/gitea-keys.gpg
> $ GNUPGHOME=`/bin/pwd`
> $ echo ${GNUPGHOME}
> /home/toni/mnt/tools
> $ gpg --list-options show-keyring -k tea...@gitea.io
> gpg: please do a --check-trustdb
> gpg: error reading key: No public key
> $ gpg  --keyring ~/mnt/tools/gitea-keys.gpg   --list-options show-keyring -k 
> tea...@gitea.io
> gpg: please do a --check-trustdb
> gpg: error reading key: No public key
> $ gpg  --keyring ~/mnt/tools/gitea-keys.gpg --no-default-keyring --recv-keys 
> CC64B1DB67ABBEECAB24B6455FC346329753F4B0
> gpg: key 0x2D9AE806EC1592E2: 6 signatures not checked due to missing keys
> gpg: key 0x2D9AE806EC1592E2: public key "Teabot <tea...@gitea.io>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1
> $ gpg  --keyring ~/mnt/tools/gitea-keys.gpg --no-default-keyring --recv-keys 
> CC64B1DB67ABBEECAB24B6455FC346329753F4B0
> gpg: key 0x2D9AE806EC1592E2: 6 signatures not checked due to missing keys
> gpg: key 0x2D9AE806EC1592E2: "Teabot <tea...@gitea.io>" not changed
> gpg: Total number processed: 1
> gpg:              unchanged: 1
> $ gpg  --keyring ~/mnt/tools/gitea-keys.gpg   --list-options show-keyring -k 
> tea...@gitea.io
> gpg: please do a --check-trustdb
> Keyring: /home/toni/.gnupg/pubring.gpg
> --------------------------------------
> pub   rsa4096/0x2D9AE806EC1592E2 2018-06-24 [SC] [expires: 2020-06-23]
>       7C9E68152594688862D62AF62D9AE806EC1592E2
> uid                   [ unknown] Teabot <tea...@gitea.io>
> sub   rsa4096/0x1FBE01D7CBADB9A0 2018-06-24 [E] [expires: 2020-06-23]
> sub   rsa4096/0x5FC346329753F4B0 2018-06-24 [S] [expires: 2019-06-24]
>
> $ l `/bin/pwd`/gitea-keys.gpg
> -rw-r----- 1 toni toni 0 May 13 00:55 /home/toni/mnt/tools/gitea-keys.gpg
> $ 


The shell here has set, but not *exported*, GNUPGHOME.  That means that
none of the gpg subprocesses see the environment variable, and
therefore they don't obey it.  So this still uses your standard GnuPG
homedir.  I'm wondering whether there is some setting in your
~/.gnupg/gpg.conf that is causing this misbehavior.  For example, maybe
there is some "keyring /home/toni/.gnupg/pubring.gpg" line in there?

Can you share your gpg.conf?  Feel free to e-mail it to me privately (to
0xC4BC2DDB38CCE96485EBE9C2F20691179038E5C6) if you like.

However, the thing I don't understand about this run (and have not been
able to replicate) is that your final command shows that the key in
question is found in pubring.gpg after the import, but was not present
on the first run of "gpg --list-options show-keyring -k
tea...@gitea.io".  I don't understand how that's happening, unless there
is something else feeding that key into your keyring in the background
in some other operation.  And it doesn't happen for me when I try.

If I could replicate the problem, I would be happy to dig into it
further, but I'm still unable to do so.  So I still need more
information from you to help me figure this out.

One thing I do notice is that you're still using a "pubring.gpg" -- even
though modern GnuPG defaults to using pubring.kbx.  Thinking maybe GnuPG
was getting confused about the legacy pubring, I tried the same run
again after setting one up (with "touch ~/.gnupg/pubring.gpg").  That
run still failed to replicate the behavior you describe, though.

       --dkg

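The two points raised in the message above (an assigned-but-not-exported GNUPGHOME is invisible to gpg, and a key imported with --no-default-keyring --keyring FILE should be listed from FILE) can be checked without touching a real ~/.gnupg. The script below is an added example, not part of dkg's or Toni's messages and not GnuPG project code. It assumes a GnuPG 2.1+ gpg on PATH (the --quick-generate-key, --pinentry-mode loopback and --list-options show-keyring options), and it replaces the network --recv-keys step with an offline stand-in: a throwaway key generated in a scratch homedir, exported to a file and imported from there. The user id "Throwaway <throwaway@example.invalid>" is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Two checks on the report:
#  1. an assigned-but-not-exported GNUPGHOME is invisible to child processes,
#     so gpg keeps using ~/.gnupg;
#  2. with --no-default-keyring --keyring FILE, an imported key lands in FILE,
#     and "gpg --list-options show-keyring -k" reports that path.
# Every gpg call uses a throwaway --homedir; the real ~/.gnupg is never used.

# Prints what a child process sees as GNUPGHOME after the given style of
# assignment: "assign" (plain VAR=value, as in the report) or "export".
child_sees_gnupghome() {
    unset GNUPGHOME
    case $1 in
        assign) GNUPGHOME=$2 ;;
        export) GNUPGHOME=$2; export GNUPGHOME ;;
        *) return 1 ;;
    esac
    # A separate process, as gpg would be, reads only the exported environment.
    sh -c 'printf "%s" "${GNUPGHOME-}"'
    unset GNUPGHOME
}

# Imports a key into a dedicated keyring with --no-default-keyring and prints
# where gpg then lists it from: "separate" (expected), "default" (the
# behaviour the report describes), "not-found", or "skipped" if gpg is absent.
keyring_of_imported_key() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    home=$(mktemp -d) && src=$(mktemp -d) || return 1
    chmod 0700 "$home" "$src"
    ring=$home/separate.gpg
    touch "$ring"

    # Offline stand-in for --recv-keys: a throwaway key (constructed user id)
    # generated in a second scratch homedir and exported to a file.
    gpg --homedir "$src" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Throwaway <throwaway@example.invalid>' default default \
        >/dev/null 2>&1 || { echo keygen-failed; return 1; }
    gpg --homedir "$src" --batch --quiet --armor \
        --export throwaway@example.invalid > "$home/key.asc" || return 1

    # The import from the report, run against a fresh default homedir.
    gpg --homedir "$home" --batch --quiet --no-default-keyring --keyring "$ring" \
        --import "$home/key.asc" >/dev/null 2>&1 || { echo import-failed; return 1; }

    # Ask gpg itself which keyring holds the key; show-keyring prints the path.
    listing=$(gpg --homedir "$home" --batch --list-options show-keyring \
        --keyring "$ring" -k throwaway@example.invalid 2>/dev/null)
    case $listing in
        *"Keyring: $ring"*) echo separate ;;
        *"Keyring: $home/pubring.kbx"*|*"Keyring: $home/pubring.gpg"*) echo default ;;
        *) echo not-found ;;
    esac

    # Stop the agents started for the scratch homedirs, then clean up.
    gpgconf --homedir "$src" --kill gpg-agent 2>/dev/null
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null
    rm -rf "$home" "$src"
}

child_sees_gnupghome assign /tmp/example-gnupghome; echo " <- assign only"
child_sees_gnupghome export /tmp/example-gnupghome; echo " <- exported"
keyring_of_imported_key
```

The first call prints an empty string, which is exactly why the quoted run still listed /home/toni/.gnupg/pubring.gpg: `GNUPGHOME=...` alone never reached gpg. The last call prints "separate" on a stock GnuPG 2.2, matching dkg's two transcripts; a "default" result would reproduce the reported behaviour, and the first thing to inspect in that case is a `keyring` line in the homedir's gpg.conf.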