[pkg-gnupg-maint] Bug#928894: Bug#928894: custom keyring is not honoured
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon May 13 15:05:53 BST 2019
On Mon 2019-05-13 01:01:57 +0100, Toni Mueller wrote:
> I did not do this. This variable is unset in my environment.
Right, you were working with a pre-existing keyring. I believe that
keyring already had a copy of the teabot public key.
> Your experiment only shows that the key did *not* end
> up in /tmp/cdtemp.AhkyjS/pubring.kbx. Otherwise, the "gpg -k" above
> should have listed it, instead of saying "No public key".
Yes. I understand your bug report to claim that the default keyring is
being used, when you ask it to not be used.
I was demonstrating that the default keyring was not actually used when
I tried to replicate the issue.
>> perhaps the teabot key was already in your default keyring before you
>> ran the --recv-keys operation? that would certainly explain the
>> behavior that you're seeing.
>
> No, it does not. If a key is already there, it would not say
> "imported: 1".
I don't think this is an accurate analysis. When you say
--no-default-keyring --keyring /path/to/foo, and /path/to/foo is an
empty keyring, then gpg *should* say "imported: 1" when it adds a key to
/path/to/foo, regardless of whether the same key is present in the
default keyring. This still has no effect on the default keyring, as
you've asked it to not touch the default keyring.
> And since it said "imported: 1" for you, I challenge you to find the
> location of that key, because it is obviously not in your temporary
> keyring.
I beg to differ. It is not in the default keyring, but it *is* in the
temporary keyring.
I'm still trying to understand and replicate your report. Perhaps the
difference is in whether or not we're using the standard homedir for
gpg? So I tried with a throwaway account, without setting a different
homedir, and still couldn't replicate:
--------------------------
0 jj955 at alice:~$ gpg --version
gpg (GnuPG) 2.2.15
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/jj955/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
0 jj955 at alice:~$ rm -rf .gnupg ~/gitea.gpg
0 jj955 at alice:~$ mkdir -m 0700 .gnupg
0 jj955 at alice:~$ echo list-options show-keyring > .gnupg/gpg.conf
0 jj955 at alice:~$ gpg -k teabot at gitea.io
gpg: keybox '/home/jj955/.gnupg/pubring.kbx' created
gpg: /home/jj955/.gnupg/trustdb.gpg: trustdb created
gpg: error reading key: No public key
2 jj955 at alice:~$ touch ~/gitea.gpg
0 jj955 at alice:~$ gpg --keyring ~/gitea.gpg -k teabot at gitea.io
gpg: error reading key: No public key
2 jj955 at alice:~$ gpg --keyring ~/gitea.gpg --no-default-keyring --recv-keys CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: key 2D9AE806EC1592E2: 6 signatures not checked due to missing keys
gpg: key 2D9AE806EC1592E2: public key "Teabot <teabot at gitea.io>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
0 jj955 at alice:~$ gpg --keyring ~/gitea.gpg --no-default-keyring --recv-keys CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: key 2D9AE806EC1592E2: 6 signatures not checked due to missing keys
gpg: key 2D9AE806EC1592E2: "Teabot <teabot at gitea.io>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
0 jj955 at alice:~$ gpg --keyring ~/gitea.gpg -k teabot at gitea.io
Keyring: /home/jj955/gitea.gpg
------------------------------
pub rsa4096 2018-06-24 [SC] [expires: 2020-06-23]
7C9E68152594688862D62AF62D9AE806EC1592E2
uid [ unknown] Teabot <teabot at gitea.io>
sub rsa4096 2018-06-24 [E] [expires: 2020-06-23]
sub rsa4096 2018-06-24 [S] [expires: 2019-06-24]
0 jj955 at alice:~$
--------------------------
I tried again on a different machine with gpg 2.2.13, and still could
not replicate:
--------------------------
0 dkg at sid:~$ gpg --version
gpg (GnuPG) 2.2.13
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/dkg/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
0 dkg at sid:~$ rm -rf ~/.gnupg ~/gitea.gpg
0 dkg at sid:~$ mkdir -m 0700 ~/.gnupg
0 dkg at sid:~$ echo list-options show-keyring > ~/.gnupg/gpg.conf
0 dkg at sid:~$ gpg -k teabot at gitea.io
gpg: keybox '/home/dkg/.gnupg/pubring.kbx' created
gpg: /home/dkg/.gnupg/trustdb.gpg: trustdb created
gpg: error reading key: No public key
2 dkg at sid:~$ touch ~/gitea.gpg
0 dkg at sid:~$ gpg --keyring ~/gitea.gpg --no-default-keyring --recv-keys CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: key 2D9AE806EC1592E2: 6 signatures not checked due to missing keys
gpg: key 2D9AE806EC1592E2: public key "Teabot <teabot at gitea.io>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
0 dkg at sid:~$ gpg --keyring ~/gitea.gpg --no-default-keyring --recv-keys CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: key 2D9AE806EC1592E2: 6 signatures not checked due to missing keys
gpg: key 2D9AE806EC1592E2: "Teabot <teabot at gitea.io>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
0 dkg at sid:~$ gpg --keyring ~/gitea.gpg -k teabot at gitea.io
Keyring: /home/dkg/gitea.gpg
----------------------------
pub rsa4096 2018-06-24 [SC] [expires: 2020-06-23]
7C9E68152594688862D62AF62D9AE806EC1592E2
uid [ unknown] Teabot <teabot at gitea.io>
sub rsa4096 2018-06-24 [E] [expires: 2020-06-23]
sub rsa4096 2018-06-24 [S] [expires: 2019-06-24]
0 dkg at sid:~$
---------------------------
> For what it's worth, here's another run, setting GNUPGHOME:
> $ touch ~/mnt/tools/gitea-keys.gpg
> $ GNUPGHOME=`/bin/pwd`
> $ echo ${GNUPGHOME}
> /home/toni/mnt/tools
> $ gpg --list-options show-keyring -k teabot at gitea.io
> gpg: please do a --check-trustdb
> gpg: error reading key: No public key
> $ gpg --keyring ~/mnt/tools/gitea-keys.gpg --list-options show-keyring -k teabot at gitea.io
> gpg: please do a --check-trustdb
> gpg: error reading key: No public key
> $ gpg --keyring ~/mnt/tools/gitea-keys.gpg --no-default-keyring --recv-keys CC64B1DB67ABBEECAB24B6455FC346329753F4B0
> gpg: key 0x2D9AE806EC1592E2: 6 signatures not checked due to missing keys
> gpg: key 0x2D9AE806EC1592E2: public key "Teabot <teabot at gitea.io>" imported
> gpg: Total number processed: 1
> gpg: imported: 1
> $ gpg --keyring ~/mnt/tools/gitea-keys.gpg --no-default-keyring --recv-keys CC64B1DB67ABBEECAB24B6455FC346329753F4B0
> gpg: key 0x2D9AE806EC1592E2: 6 signatures not checked due to missing keys
> gpg: key 0x2D9AE806EC1592E2: "Teabot <teabot at gitea.io>" not changed
> gpg: Total number processed: 1
> gpg: unchanged: 1
> $ gpg --keyring ~/mnt/tools/gitea-keys.gpg --list-options show-keyring -k teabot at gitea.io
> gpg: please do a --check-trustdb
> Keyring: /home/toni/.gnupg/pubring.gpg
> --------------------------------------
> pub rsa4096/0x2D9AE806EC1592E2 2018-06-24 [SC] [expires: 2020-06-23]
> 7C9E68152594688862D62AF62D9AE806EC1592E2
> uid [ unknown] Teabot <teabot at gitea.io>
> sub rsa4096/0x1FBE01D7CBADB9A0 2018-06-24 [E] [expires: 2020-06-23]
> sub rsa4096/0x5FC346329753F4B0 2018-06-24 [S] [expires: 2019-06-24]
>
> $ l `/bin/pwd`/gitea-keys.gpg
> -rw-r----- 1 toni toni 0 May 13 00:55 /home/toni/mnt/tools/gitea-keys.gpg
> $
The shell here has set, but not *exported*, GNUPGHOME. That means that
the gpg subprocesses don't see the environment variable, and
therefore don't obey it. So this still uses your standard GnuPG
homedir. I'm wondering whether there is some setting in your
~/.gnupg/gpg.conf that is causing this misbehavior. For example, maybe
there is some "keyring /home/toni/.gnupg/pubring.gpg" line in there?
Can you share your gpg.conf? Feel free to e-mail it to me privately (to
0xC4BC2DDB38CCE96485EBE9C2F20691179038E5C6) if you like.
However, the thing I don't understand about this run (and have not been
able to replicate) is that your final command shows that the key in
question is found in pubring.gpg after the import, but was not present
on the first run of "gpg --list-options show-keyring -k
teabot at gitea.io". I don't understand how that's happening, unless there
is something else feeding that key into your keyring in the background
in some other operation. And it doesn't happen for me when I try.
If I could replicate the problem, I would be happy to dig into it
further, but I'm still unable to do so. So I still need more
information from you to help me figure this out.
One thing I do notice is that you're still using a "pubring.gpg" -- even
though modern GnuPG defaults to using pubring.kbx. Thinking maybe GnuPG
was getting confused about the legacy pubring, I tried the same run
again after setting one up (with "touch ~/.gnupg/pubring.gpg"). That
run still failed to replicate the behavior you describe, though.
--dkg
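An added example, not part of this message or of GnuPG itself, that reproduces the replication run above offline: it shows that a plain GNUPGHOME=... assignment is invisible to the gpg child process until it is exported, and that a key imported with --no-default-keyring --keyring FILE is listed from FILE and not from the default keyring. It assumes gpg 2.1+ is installed; the "Demo Bot" key, the temporary homedir layout and the /tmp/gnupghome-demo path are constructed stand-ins for the Teabot key and the reporter's paths.

```shell
#!/bin/sh
# Added example, not from the bug report: an offline stand-in for the
# replication run above, plus the set-vs-export point about GNUPGHOME.
set -eu

# A plain assignment stays in the current shell; only an exported variable
# reaches a child process such as gpg.  Prints what the child sees.
child_sees_gnupghome() (          # $1 is "set" or "export"
    unset GNUPGHOME
    GNUPGHOME=/tmp/gnupghome-demo  # hypothetical path, never created
    if [ "$1" = export ]; then export GNUPGHOME; fi
    sh -c 'printf %s "${GNUPGHOME:-unset}"'
)

# Exit 0 when a key imported with --no-default-keyring --keyring FILE is
# listed from FILE and absent from the default keyring; 1 otherwise.
repro_custom_keyring() (
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 2; }
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
    export GNUPGHOME="$work/home"   # exported, so every gpg below honours it
    mkdir -m 0700 "$GNUPGHOME" "$work/src"
    echo list-options show-keyring > "$GNUPGHOME/gpg.conf"
    custom="$work/gitea-keys.gpg"; touch "$custom"
    # Constructed stand-in for the Teabot key: a throwaway key generated in a
    # second homedir and exported to a file, replacing the keyserver fetch.
    GNUPGHOME="$work/src" gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Name-Real: Demo Bot
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
    GNUPGHOME="$work/src" gpg --batch --quiet --export demo@example.invalid > "$work/demo.gpg"
    # The reported command shape: import into the custom keyring only.
    gpg --batch --quiet --no-default-keyring --keyring "$custom" --import "$work/demo.gpg"
    # show-keyring names the file each listed key came from.
    listing=$(gpg --batch --keyring "$custom" -k demo@example.invalid 2>/dev/null)
    default_only=$(gpg --batch -k demo@example.invalid 2>&1 || true)
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    GNUPGHOME="$work/src" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    case "$listing" in *"Keyring: $custom"*) ;; *) exit 1 ;; esac
    case "$default_only" in *"No public key"*) exit 0 ;; *) exit 1 ;; esac
)
```

Run repro_custom_keyring on the affected machine with the reporter's own gpg.conf copied into the temporary homedir to see whether a config line, rather than the command line, is what sends the key to pubring.gpg.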