Hi,

On 11/05/15 14:32, Jason A. Donenfeld wrote:
> Why not just override the GNUPGHOME environment variable instead, and
> store a separate keyring and gnupg.conf file elsewhere than ~/.gnupg?
> Are there downsides of that approach?
One downside is that gpg/gpg2 by default checks the $GNUPGHOME ownership and
permissions, and if the directory is writable or owned by anyone but the user
running pass, gpg always prints this:

-----
gpg: WARNING: unsafe ownership on homedir `/etc/pass-gnupghome'
-----

I.e. if GNUPGHOME=/etc/pass-gnupghome is owned by root:root the users will
always get a warning.

The gpg(1) man page explains why adding 'no-permission-warning' to
$GNUPGHOME/gpg.conf does not help:

  "the warning for unsafe --homedir permissions cannot be suppressed in the
  gpg.conf file, as this would allow an attacker to place an unsafe gpg.conf
  file in place"

AFAIK to avoid the homedir ownership/permission warnings the options are:

1. Create the custom $GNUPGHOME and a copy of the custom gpg.conf there for
   each of the users separately.
2. Add the --no-permission-warning command line option to the gpg/gpg2
   commands in Pass (which of course should not be done by default).

Besides the ownership/permission warning, the idea of using GNUPGHOME with a
special gpg.conf does seem to work. Here's what I did:

-----
$ export GNUPGHOME=/etc/pass-gnupghome
$ sudo mkdir $GNUPGHOME
$ sudo tee $GNUPGHOME/gpg.conf <<EOT_GPG_CONF
trust-model always
trustdb-name ~/.gnupg/trustdb.gpg
no-default-keyring
keyring /etc/pki/gpg/the-separate-keyring.gpg
secret-keyring ~/.gnupg/secring.gpg
no-random-seed-file
EOT_GPG_CONF
-----

Thanks,
Ville

--
Ville Mattila, CSC
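An added example (not from Ville's message and not part of pass itself) of option 1 above: a POSIX shell script that seeds a per-user $GNUPGHOME from a shared template gpg.conf with the ownership and mode gpg expects, plus a check that mirrors gpg's homedir test (directory owned by the calling user and neither group- nor world-writable). The template path and base directory are constructed for the demo; stat -c is GNU coreutils, with a BSD stat -f fallback.

```sh
#!/bin/sh
# Added example, not from the mailing list thread or from pass.
# Per-user $GNUPGHOME seeded from a shared template gpg.conf (option 1),
# plus a check equivalent to gpg's homedir ownership/permission test.
set -eu

# Return 0 when DIR is owned by the caller and not group/world writable,
# i.e. the conditions under which gpg does not print the
# "unsafe ownership/permissions on homedir" WARNING.
homedir_is_safe() {
    dir=$1
    [ -d "$dir" ] || return 1
    # GNU stat first, BSD stat as fallback
    owner=$(stat -c '%u' "$dir" 2>/dev/null || stat -f '%u' "$dir")
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    [ "$owner" = "$(id -u)" ] || return 1
    # The last two octal digits are group and other; a write bit (2)
    # present in either one makes the homedir unsafe.
    case "$mode" in
        *[2367]? | *[2367]) return 1 ;;
    esac
    return 0
}

# Create or refresh HOMEDIR as a private copy of TEMPLATE (the shared
# gpg.conf), owned by the caller with mode 700, and print its path.
setup_user_gnupghome() {
    template=$1
    homedir=$2
    mkdir -p "$homedir"
    chmod 700 "$homedir"
    cp "$template" "$homedir/gpg.conf"
    chmod 600 "$homedir/gpg.conf"
    echo "$homedir"
}

# Demo with constructed paths under a temporary directory.
demo() {
    base=$(mktemp -d)
    printf 'trust-model always\nno-random-seed-file\n' > "$base/template.conf"
    home=$(setup_user_gnupghome "$base/template.conf" "$base/$(id -un)")
    if homedir_is_safe "$home"; then
        echo "$home: safe, gpg will not warn"
    else
        echo "$home: unsafe, gpg would print a WARNING"
    fi
    rm -rf "$base"
}
demo
```

Run it as the user who will later run pass with GNUPGHOME pointed at the created directory; a root-owned shared directory, as in the session above, fails the owner check by design.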
_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
