[pkg-gnupg-maint] Bug#836772: Bug#836772: gnupg: unable to sign anyone's keys
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Sep 6 20:37:46 UTC 2016

Hi Ramakrishnan--

On Tue 2016-09-06 05:12:07 -0400, Ramakrishnan Muthukrishnan wrote:
> On Tue, Sep 6, 2016, at 12:47 PM, Daniel Kahn Gillmor wrote:
>> If it still fails, what happens when you expand the permissions on your
>> terminal before doing an su ? For example, if your Keyring Account is
>> named "keyring-account" and you have the acl package installed, you
>> might try a wrapper like this:
>>
>> #!/bin/sh
>> setfacl -m u:keyring-account:rw $(tty)
>> su - keyring-account
>> setfacl -x u:keyring-account $(tty)
>
> Ok, I tried that. The first setfacl command is returning an error:
>
> "setfacl: /dev/pts/1: Operation not supported"
>
> After logging in, it had the same behaviour as before, failing with
> Permission denied message. I am guessing the setfacl failed and hence it
> didn't have any effect.

hm, right, it looks like devpts doesn't support acls:

  https://serverfault.com/questions/398659/acl-on-dev-pts/398683
  https://lwn.net/Articles/121773/

That's a shame. what about changing the group membership of the tty
before triggering the su - ?

    chgrp $(getent passwd keyring-user | cut -f4 -d:) $(tty)
    chmod g+rw $(tty)

to be clear: these tests are all diagnostics just to make sure we
understand the problem.

I'd like in general to come up with a more useful configuration that
meets your goals.

To be clear: i think you're doing these operations separately because
you don't want to expose your secret key material to the Main Account.
Is that right?

If so, have you considered launching a gpg-agent process from your
Keyring Account and exporting an "extra socket" that is accessible by
your Main Account? Would an arrangement like that meet your needs?

> I just tried logging into the machine from the terminal (with the
> pinentry-program set to the ncurses version setup in the conf file) and
> that worked perfectly. So, this "bug" is not blocking me from signing
> the keys.

OK, that's good to hear :)

--dkg
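
The tty permission check that the diagnostics in this message revolve around, as an added example that is not part of the original message or of GnuPG: it reports which permission class (owner, group, other) an account falls into on a terminal device and whether that class has read and write. The function names `rw_class` and `check_tty` are hypothetical, `stat -c` assumes GNU coreutils, and only classic mode bits are evaluated (devpts has no ACLs, and root's override is ignored).

```shell
#!/bin/sh
# Added diagnostic sketch; rw_class and check_tty are hypothetical names.

# rw_class MODE OWNER_UID OWNER_GID UID "GID GID ..."
# Prints the permission class that applies to the account and returns 0
# only if that class has both the read and the write bit set.
rw_class() {
    mode="000$1" o_uid=$2 o_gid=$3 uid=$4 gids=$5
    # Keep the last three octal digits (drops setuid/setgid/sticky).
    perms=${mode#"${mode%???}"}
    if [ "$uid" = "$o_uid" ]; then
        class=owner digit=${perms%??}
    else
        class=other digit=${perms#??}
        for g in $gids; do
            if [ "$g" = "$o_gid" ]; then
                class=group
                digit=${perms#?}; digit=${digit%?}
                break
            fi
        done
    fi
    echo "$class"
    # read=4, write=2: both are present only in digits 6 and 7.
    case $digit in
        6|7) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_tty ACCOUNT [TTY]
# Reads the real mode and ownership of TTY (default: the current terminal)
# and reports whether ACCOUNT could open it read-write after an su.
check_tty() {
    account=$1 dev=${2:-$(tty)}
    info=$(stat -c '%a %u %g' "$dev") || return 2
    set -- $info
    class=$(rw_class "$1" "$2" "$3" "$(id -u "$account")" "$(id -G "$account")")
    rc=$?
    verdict=no; [ "$rc" -eq 0 ] && verdict=yes
    echo "$dev mode=$1 uid=$2 gid=$3: $account is '$class', rw=$verdict"
    return "$rc"
}

# Run as: sh script.sh keyring-account   (before the su -)
if [ $# -gt 0 ]; then check_tty "$@"; fi
```

Running it before and after the `chgrp`/`chmod g+rw` test shows the account moving from a class without read-write access to `group` with both bits set.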