[pkg-gnupg-maint] Bug#852019: Bug#852019: gpgv: unknown type of key resource 'trustedkeys.kbx'

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jan 24 23:26:02 UTC 2017


On Tue 2017-01-24 15:13:29 -0500, Antoine Beaupré wrote:
>> I suspect that the problem with the listed file is that it doesn't
>> exist.  i don't have that file either, and i don't plan to -- that file
>> is treated by gpgv as a curated keyring; if you put something in it,
>> gpgv will decide that that key can be relied on to make signatures in
>> general.
>
> If no one is going to use that file on a regular basis - maybe its
> absence shouldn't generate a worrisome "General error"...

I agree, it would be better to have clearer error messages.  I've just
recorded this upstream with:

   https://bugs.gnupg.org/gnupg/issue2932

> Maybe this is simply a usability bug in devscripts/dget/dscverify.

It sounds to me like there are several usability improvements that could
be added to that toolchain for this purpose.  Maybe you want to reopen
this bug and reassign it there as a wishlist?

>> I was considering whether to mark it as "normal" and tag it with
>> "moreinfo", but i think this report just describes confusion about what
>> the tools are supposed to do, so i'm going ahead and closing the report
>> directly.  The tools are all behaving as documented, from what i can
>> tell.  Please feel free to reopen if i've misunderstood, or if there are
>> specific changes that you think should be made that don't involve
>> breaking existing API.
>
> Well, I don't want to get into a reopening argument. If this is just me,
> we can move on.

It's not a "reopening argument" -- if there are existing tools that can
behave better without breaking their other use cases, it's not an
unreasonable request.  I just don't see what you're asking for from
gpgv.  gpgv's goal is to provide a very clearly defined interface for
programmatic tools that do signature verification.  It shouldn't give
different results just because some key got added to your keyring
sometime, it expects an explicitly curated keyring.

That said, if you *want* to point gpgv explicitly to your pubring.kbx,
you can also do that without a problem, but you'll need to do that
explicitly.

> But it seems that one of the key issues in crypto is usability, and the
> messages here are mixed, at best, and utterly confusing for me, in this
> use case.
>
> I often try to sponsor packages for new people, and this confuses the
> hell out of me every time. ;)

maybe it'd be worthwhile to document what you think the workflow
*should* be and open wishlist reports against the relevant tools.  If
it's confusing to you, it's very likely confusing to many other people
too.

         --dkg
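
One way a calling script could apply the two points in this message (an explicitly curated keyring, and a clearer error when that file is absent), added here as an example and not code from the thread, gpgv, or devscripts. The function name `verify_with_keyring` and its exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify a detached signature with gpgv against an explicitly
# chosen keyring, reporting a missing keyring clearly before gpgv is invoked.
# Exit codes are this wrapper's own convention (an assumption):
#   0 valid signature, 1 not verified, 2 keyring problem, 3 gpgv not installed.

verify_with_keyring() {
    keyring=$1
    sig=$2
    data=$3

    # gpgv looks up a --keyring name without a slash in its home directory,
    # so require a real path to keep the choice of keyring explicit.
    case $keyring in
        */*) ;;
        *) echo "keyring must be given as a path: $keyring" >&2
           return 2 ;;
    esac

    # Catch the absent-file case up front with a specific message.
    if [ ! -f "$keyring" ] || [ ! -r "$keyring" ]; then
        echo "curated keyring not found or unreadable: $keyring" >&2
        return 2
    fi

    command -v gpgv >/dev/null 2>&1 || {
        echo "gpgv is not installed" >&2
        return 3
    }

    # --status-fd 1 emits machine-readable "[GNUPG:] ..." lines on stdout.
    status=$(gpgv --status-fd 1 --keyring "$keyring" "$sig" "$data" 2>/dev/null) || {
        echo "signature not verified against $keyring" >&2
        return 1
    }

    # Print the fingerprint from the VALIDSIG line; fail if there is none.
    printf '%s\n' "$status" |
        awk '$2 == "VALIDSIG" { print $3; found = 1 } END { exit !found }'
}
```

A caller would pass a keyring it maintains itself, for example `verify_with_keyring ./sponsors.kbx pkg.dsc.sig pkg.dsc` (constructed file names), and compare the printed fingerprint against the signer it expects.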