Bug#928894: [pkg-gnupg-maint] Bug#928894: custom keyring is not honoured

2019-05-13 Thread Daniel Kahn Gillmor
On Mon 2019-05-13 01:01:57 +0100, Toni Mueller wrote:
> I did not do this. This variable is unset in my environment.

right, you were working with a pre-existing keyring.  I believe that
keyring already had a copy of the teabot public key.

> Your experiment only shows that the key did *not* end
> up in /tmp/cdtemp.AhkyjS/pubring.kbx. Otherwise, the "gpg -k" above
> should have listed it, instead of saying "No public key".

Yes.  I understand your bug report to claim that the default keyring is
being used, when you ask it to not be used.

I was demonstrating that the default keyring was not actually used when
I tried to replicate the issue.

>> perhaps the teabot key was already in your default keyring before you
>> run the --recv-keys operation?  that would certainly explain the
>> behavior that you're seeing.
>
> No, it does not. If a key is already there, it would not say
> "imported: 1".

I don't think this is an accurate analysis.  When you say
--no-default-keyring --keyring /path/to/foo, and /path/to/foo is an
empty keyring, then gpg *should* say "imported: 1" when it adds a key to
/path/to/foo, regardless of whether the same key is present in the
default keyring.  This still has no effect on the default keyring, as
you've asked it to not touch the default keyring.

> And since it said "imported: 1" for you, I challenge you to find the
> location of that key, because it is obviously not in your temporary
> keyring.

I beg to differ.  It is not in the default keyring, but it *is* in the
temporary keyring.

I'm still trying to understand and replicate your report.  Perhaps the
difference is in whether or not we're using the standard homedir for
gpg?  So I tried with a throwaway account, without setting a different
homedir, and still couldn't replicate:

--
0 jj955@alice:~$ gpg --version
gpg (GnuPG) 2.2.15
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/jj955/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
0 jj955@alice:~$ rm -rf .gnupg ~/gitea.gpg
0 jj955@alice:~$ mkdir -m 0700 .gnupg
0 jj955@alice:~$ echo list-options show-keyring > .gnupg/gpg.conf
0 jj955@alice:~$ gpg -k tea...@gitea.io
gpg: keybox '/home/jj955/.gnupg/pubring.kbx' created
gpg: /home/jj955/.gnupg/trustdb.gpg: trustdb created
gpg: error reading key: No public key
2 jj955@alice:~$ touch ~/gitea.gpg
0 jj955@alice:~$ gpg --keyring ~/gitea.gpg -k tea...@gitea.io
gpg: error reading key: No public key
2 jj955@alice:~$ gpg --keyring ~/gitea.gpg --no-default-keyring --recv-keys 
CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: key 2D9AE806EC1592E2: 6 signatures not checked due to missing keys
gpg: key 2D9AE806EC1592E2: public key "Teabot " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:   imported: 1
0 jj955@alice:~$ gpg --keyring ~/gitea.gpg --no-default-keyring --recv-keys 
CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: key 2D9AE806EC1592E2: 6 signatures not checked due to missing keys
gpg: key 2D9AE806EC1592E2: "Teabot " not changed
gpg: Total number processed: 1
gpg:  unchanged: 1
0 jj955@alice:~$ gpg --keyring ~/gitea.gpg -k tea...@gitea.io
Keyring: /home/jj955/gitea.gpg
--
pub   rsa4096 2018-06-24 [SC] [expires: 2020-06-23]
  7C9E68152594688862D62AF62D9AE806EC1592E2
uid   [ unknown] Teabot 
sub   rsa4096 2018-06-24 [E] [expires: 2020-06-23]
sub   rsa4096 2018-06-24 [S] [expires: 2019-06-24]

0 jj955@alice:~$ 
--

I tried again on a different machine with gpg 2.2.13, and still could
not replicate:

--
0 dkg@sid:~$ gpg --version
gpg (GnuPG) 2.2.13
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/dkg/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
0 dkg@sid:~$ rm -rf ~/.gnupg ~/gitea.gpg
0 dkg@sid:~$ mkdir -m 0700 ~/.gnupg
0 dkg@sid:~$ echo list-options show-keyring > ~/.gnupg/gpg.conf
0 dkg@sid:~$ gpg -k tea...@gitea.io
gpg: keybox '/home/dkg/.gnupg/pubring.kbx' created
gpg: /home/dkg/.gnupg/trustdb.gpg: trustdb created
gpg: error reading key: No public key
2 
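The check dkg keeps running above (fetch into an extra keyring with --no-default-keyring, then see which keyring actually holds the key) can be reproduced offline, without a keyserver. The script below is an added example; it is not part of the bug report or of GnuPG's own test suite. It assumes GnuPG 2.1 or later is on PATH as gpg, stands in --import of a locally generated throwaway key for the --recv-keys step, and uses a constructed user ID (keyring-test@example.invalid). It counts the key's fpr records in the extra keyring and in the default keyring of a fresh GNUPGHOME, so the result does not depend on whatever ~/.gnupg already contains.

```shell
#!/bin/sh
# Added example, not from the bug report: check that a key imported with
# --no-default-keyring --keyring FILE ends up only in FILE and never in the
# default keyring of the current GNUPGHOME.  Assumes GnuPG >= 2.1 as "gpg".
set -eu

# Prints "extra=<n> default=<n>" (number of fpr records for the key found
# in each keyring) and returns 0 only if the key is in the extra keyring
# and absent from the default one.
check_keyring_isolation() {
    tmp=$(mktemp -d)

    # A fresh GNUPGHOME stands in for the reporter's ~/.gnupg.
    GNUPGHOME="$tmp/home"; export GNUPGHOME
    mkdir -m 0700 "$GNUPGHOME"
    extra="$tmp/extra.gpg"
    touch "$extra"          # both parties in the thread started from an empty file

    # Generate a throwaway key in a separate homedir so there is something
    # to import without a keyserver (the report used --recv-keys).
    # The user ID is constructed for this example.
    src="$tmp/src"
    mkdir -m 0700 "$src"
    GNUPGHOME="$src" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Keyring Test <keyring-test@example.invalid>' default default never
    fpr=$(GNUPGHOME="$src" gpg --batch --with-colons --list-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    GNUPGHOME="$src" gpg --batch --export "$fpr" > "$tmp/key.gpg"
    GNUPGHOME="$src" gpgconf --kill gpg-agent

    # The operation under dispute, with --import in place of --recv-keys.
    gpg --batch --quiet --no-default-keyring --keyring "$extra" --import "$tmp/key.gpg"

    # Where did the key go?  Count its fpr records in each keyring.
    # grep -c exits 1 on zero matches, so "|| true" keeps set -e quiet.
    in_extra=$(gpg --batch --with-colons --no-default-keyring --keyring "$extra" \
                   --list-keys "$fpr" 2>/dev/null | grep -c "^fpr:.*:$fpr:" || true)
    in_default=$(gpg --batch --with-colons --list-keys "$fpr" 2>/dev/null \
                   | grep -c "^fpr:.*:$fpr:" || true)

    gpgconf --kill gpg-agent
    rm -rf "$tmp"
    echo "extra=$in_extra default=$in_default"
    [ "$in_extra" -ge 1 ] && [ "$in_default" -eq 0 ]
}

check_keyring_isolation
```

A zero exit with "default=0" is the behaviour dkg reports: the key is readable through --keyring "$extra" and the default pubring of that GNUPGHOME does not know it. If the same script printed default=1 on a given build, that would be a reproduction of the report, independent of any pre-existing keys in ~/.gnupg.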

Bug#928894: [pkg-gnupg-maint] Bug#928894: custom keyring is not honoured

2019-05-12 Thread Toni Mueller
Hi Daniel,

On Sun, May 12, 2019 at 06:52:17PM -0400, Daniel Kahn Gillmor wrote:
> I'm not sure that this demonstrates what you're describing.
> 
> Here is a run with gpg 2.2.15-1 that demonstrates the key being fetched
> into the extra keyring:
> 
> 0 dkg@alice:/tmp/cdtemp.AhkyjS$ export GNUPGHOME=$(pwd)

I did not do this. This variable is unset in my environment.

> 0 dkg@alice:/tmp/cdtemp.AhkyjS$ touch $(pwd)/extra.gpg
> 0 dkg@alice:/tmp/cdtemp.AhkyjS$ gpg --no-default-keyring --keyring 
> $(pwd)/extra.gpg --recv-keys CC64B1DB67ABBEECAB24B6455FC346329753F4B0
> gpg: key 2D9AE806EC1592E2: 6 signatures not checked due to missing keys
> gpg: /tmp/cdtemp.AhkyjS/trustdb.gpg: trustdb created
> gpg: key 2D9AE806EC1592E2: public key "Teabot " imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:   imported: 1
> 0 dkg@alice:/tmp/cdtemp.AhkyjS$ gpg --list-options show-keyring -k 
> tea...@gitea.io
> gpg: keybox '/tmp/cdtemp.AhkyjS/pubring.kbx' created
> gpg: error reading key: No public key
> 2 dkg@alice:/tmp/cdtemp.AhkyjS$ ls -la
> total 24
> drwx------  4 dkg  dkg   160 May 12 18:48 .
> drwxrwxrwt 28 root root 1420 May 12 18:47 ..
> drwx------  2 dkg  dkg    60 May 12 18:48 crls.d
> -rw-r--r--  1 dkg  dkg  6467 May 12 18:48 extra.gpg
> -rw-r--r--  1 dkg  dkg  6467 May 12 18:48 extra.gpg~
> drwx------  2 dkg  dkg    40 May 12 18:48 private-keys-v1.d
> -rw-------  1 dkg  dkg    32 May 12 18:48 pubring.kbx
> -rw-------  1 dkg  dkg  1200 May 12 18:48 trustdb.gpg
> 0 dkg@alice:/tmp/cdtemp.AhkyjS$ 

Your experiment only shows that the key did *not* end
up in /tmp/cdtemp.AhkyjS/pubring.kbx. Otherwise, the "gpg -k" above
should have listed it, instead of saying "No public key".

> perhaps the teabot key was already in your default keyring before you
> run the --recv-keys operation?  that would certainly explain the
> behavior that you're seeing.

No, it does not. If a key is already there, it would not say
"imported: 1". And since it said "imported: 1" for you, I challenge you
to find the location of that key, because it is obviously not in your
temporary keyring.

For what it's worth, here's another run, setting GNUPGHOME:


$ touch ~/mnt/tools/gitea-keys.gpg
$ GNUPGHOME=`/bin/pwd`
$ echo ${GNUPGHOME}
/home/toni/mnt/tools
$ gpg --list-options show-keyring -k tea...@gitea.io
gpg: please do a --check-trustdb
gpg: error reading key: No public key
$ gpg  --keyring ~/mnt/tools/gitea-keys.gpg   --list-options show-keyring -k 
tea...@gitea.io
gpg: please do a --check-trustdb
gpg: error reading key: No public key
$ gpg  --keyring ~/mnt/tools/gitea-keys.gpg --no-default-keyring --recv-keys 
CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: key 0x2D9AE806EC1592E2: 6 signatures not checked due to missing keys
gpg: key 0x2D9AE806EC1592E2: public key "Teabot " imported
gpg: Total number processed: 1
gpg:   imported: 1
$ gpg  --keyring ~/mnt/tools/gitea-keys.gpg --no-default-keyring --recv-keys 
CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: key 0x2D9AE806EC1592E2: 6 signatures not checked due to missing keys
gpg: key 0x2D9AE806EC1592E2: "Teabot " not changed
gpg: Total number processed: 1
gpg:  unchanged: 1
$ gpg  --keyring ~/mnt/tools/gitea-keys.gpg   --list-options show-keyring -k 
tea...@gitea.io
gpg: please do a --check-trustdb
Keyring: /home/toni/.gnupg/pubring.gpg
--
pub   rsa4096/0x2D9AE806EC1592E2 2018-06-24 [SC] [expires: 2020-06-23]
  7C9E68152594688862D62AF62D9AE806EC1592E2
uid   [ unknown] Teabot 
sub   rsa4096/0x1FBE01D7CBADB9A0 2018-06-24 [E] [expires: 2020-06-23]
sub   rsa4096/0x5FC346329753F4B0 2018-06-24 [S] [expires: 2019-06-24]

$ l `/bin/pwd`/gitea-keys.gpg
-rw-r----- 1 toni toni 0 May 13 00:55 /home/toni/mnt/tools/gitea-keys.gpg
$ 


Enjoy,
Toni



Bug#928894: [pkg-gnupg-maint] Bug#928894: custom keyring is not honoured

2019-05-12 Thread Daniel Kahn Gillmor
Control: tags 928894 + moreinfo

Hi Toni--

On Sun 2019-05-12 19:46:45 +0100, Toni wrote:
> --recv-keys does not seem to honour the keyring options, so the received
> key ends up in the wrong keyring:
>
> $ touch ~/mnt/tools/gitea-keys.gpg
> $ gpg  --no-default-keyring  --keyring ~/mnt/tools/gitea-keys.gpg --recv-keys 
> CC64B1DB67ABBEECAB24B6455FC346329753F4B0
> gpg: key 0x2D9AE806EC1592E2: 6 signatures not checked due to missing keys
> gpg: key 0x2D9AE806EC1592E2: public key "Teabot " imported
> gpg: Total number processed: 1
> gpg:   imported: 1
> $ gpg --list-options show-keyring -k tea...@gitea.io
> gpg: please do a --check-trustdb
> Keyring: /home/toni/.gnupg/pubring.gpg
> --
> pub   rsa4096/0x2D9AE806EC1592E2 2018-06-24 [SC] [expires: 2020-06-23]
>   7C9E68152594688862D62AF62D9AE806EC1592E2
> uid   [ unknown] Teabot 
> sub   rsa4096/0x1FBE01D7CBADB9A0 2018-06-24 [E] [expires: 2020-06-23]
> sub   rsa4096/0x5FC346329753F4B0 2018-06-24 [S] [expires: 2019-06-24]

I'm not sure that this demonstrates what you're describing.

Here is a run with gpg 2.2.15-1 that demonstrates the key being fetched
into the extra keyring:

0 dkg@alice:/tmp/cdtemp.AhkyjS$ export GNUPGHOME=$(pwd)
0 dkg@alice:/tmp/cdtemp.AhkyjS$ touch $(pwd)/extra.gpg
0 dkg@alice:/tmp/cdtemp.AhkyjS$ gpg --no-default-keyring --keyring 
$(pwd)/extra.gpg --recv-keys CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: key 2D9AE806EC1592E2: 6 signatures not checked due to missing keys
gpg: /tmp/cdtemp.AhkyjS/trustdb.gpg: trustdb created
gpg: key 2D9AE806EC1592E2: public key "Teabot " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:   imported: 1
0 dkg@alice:/tmp/cdtemp.AhkyjS$ gpg --list-options show-keyring -k 
tea...@gitea.io
gpg: keybox '/tmp/cdtemp.AhkyjS/pubring.kbx' created
gpg: error reading key: No public key
2 dkg@alice:/tmp/cdtemp.AhkyjS$ ls -la
total 24
drwx------  4 dkg  dkg   160 May 12 18:48 .
drwxrwxrwt 28 root root 1420 May 12 18:47 ..
drwx------  2 dkg  dkg    60 May 12 18:48 crls.d
-rw-r--r--  1 dkg  dkg  6467 May 12 18:48 extra.gpg
-rw-r--r--  1 dkg  dkg  6467 May 12 18:48 extra.gpg~
drwx------  2 dkg  dkg    40 May 12 18:48 private-keys-v1.d
-rw-------  1 dkg  dkg    32 May 12 18:48 pubring.kbx
-rw-------  1 dkg  dkg  1200 May 12 18:48 trustdb.gpg
0 dkg@alice:/tmp/cdtemp.AhkyjS$ 

perhaps the teabot key was already in your default keyring before you
run the --recv-keys operation?  that would certainly explain the
behavior that you're seeing.

 --dkg
