[pkg-gnupg-maint] Bug#836772: Bug#836772: gnupg: unable to sign anyone's keys

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Sep 7 11:18:50 UTC 2016


On Tue 2016-09-06 23:50:31 +0200, Ramakrishnan Muthukrishnan wrote:
> [dkg wrote:]
>>     chgrp $(getent passwd keyring-user | cut -f4 -d:) $(tty)
>
> Hmm. That command errored out with a "permission denied". But the second
> one succeeded.  

sigh, sorry about that, i've been asking you to test things that i
really should have tried myself.  it appears that the devpts filesystem
is much more limited than i expected it to be :/

>>     chmod g+rw $(tty)
>
> As 'root', I added the keyring-user into the group 'tty' and then the
> signing worked just fine.

hm, i'm not sure that's particularly safe.  it implies that keyring-user
is able to write to any of the ttys on the system :/

maybe the right approach is to do something like hand over the tty as a
file descriptor?  that'd require quite a bit more plumbing upstream :/

> I didn't know about exporting the extra socket. Still reading up on the
> gpg2 and associated programs.
>
> I think it is perfectly fine with the setup where I can switch to
> virtual terminal and log into the account.

ok, i'm glad that setup works for you :) Please report back if you find
a good configuration that lets you use gpg-agent in this isolated mode.
I'll be at the OpenPGP.conf later this week and will try to brainstorm
with folks there about the right way to provide this sort of isolated
service effectively.

Regards,

        --dkg
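The descriptor hand-over floated above, as an added example that is not code from this thread or from GnuPG: the parent owns the terminal, the isolated child gets exactly one descriptor to it over an AF_UNIX socket (SCM_RIGHTS via Python's `socket.send_fds`), and so needs neither the tty group nor any permission on the device node. Assumptions: Python 3.9+, and a pipe stands in for the pty where `/dev/ptmx` is unavailable.

```python
import os
import socket


def open_terminal_pair() -> tuple[int, int]:
    """Return (controller_fd, terminal_fd): a pty if the host allows it,
    otherwise a pipe (assumed fallback for sandboxes without /dev/ptmx);
    the fd-passing path exercised below is identical for both."""
    try:
        return os.openpty()
    except OSError:
        return os.pipe()


def hand_over_fd(conn: socket.socket, fd: int) -> None:
    # SCM_RIGHTS: the kernel installs a duplicate of fd in the receiver,
    # regardless of what the receiver could open by path.
    socket.send_fds(conn, [b"tty"], [fd])


def receive_fd(conn: socket.socket) -> int:
    msg, fds, _flags, _addr = socket.recv_fds(conn, 16, 1)
    if msg != b"tty" or len(fds) != 1:
        raise RuntimeError("expected exactly one descriptor tagged 'tty'")
    return fds[0]


def run_isolated_writer(message: bytes) -> bytes:
    """Fork a child that first drops every inherited route to the terminal,
    then receives one descriptor and writes through it. Returns the bytes
    that arrived at the controller (master) side."""
    controller, terminal = open_terminal_pair()
    parent_sock, child_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:
        status = 1
        try:
            os.close(controller)
            os.close(terminal)
            parent_sock.close()
            fd = receive_fd(child_sock)  # the child's only handle to the tty
            os.write(fd, message)
            status = 0
        finally:
            os._exit(status)
    child_sock.close()
    hand_over_fd(parent_sock, terminal)
    _, status = os.waitpid(pid, 0)
    if status != 0:
        raise RuntimeError("isolated writer failed")
    data = os.read(controller, 256)  # parent still holds `terminal`, so no EIO
    for fd in (controller, terminal):
        os.close(fd)
    parent_sock.close()
    return data
```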