Concurrency Issues with gnupg 1.2.3: keyring is deleted

Stefan Haller Stefan.Haller at ascom.ch
Tue Jul 27 08:58:04 CEST 2004


Hi all

I have some concurrency problems with GPG. I would appreciate any help.

I wrote a service which verifies messages, afterwards processes the 
message and encrypts a result to return to the caller. Such a request 
arrives about once a second, sometimes more, sometimes less. In parallel, 
automatic public key imports may happen in case new keys are delivered to 
the system. The service runs up to 20 gnupg processes at the same time to 
get a good enough performance in request processing.

I am using gnupg because PGP provides all functionality I need and I was 
too lazy to program something on my own (I usually only found low-level 
interfaces to such encryption tasks in the existing libraries).

Problem 1: locking of keyring, minor problem
Quite often, gpg tells me that the keyring is locked (using verify, sign 
or encrypt). Question: may I use the option --lock-never, or may this 
corrupt the keyring because of write accesses in those functions? Of 
course, I will do my own locking for updates that locks out verify, sign 
and encrypt functions in this case. Solution two (a bit less obfuscated) 
would be to spot the exit code if a lock file caused unsuccessful exit and 
rerun the operation in this case. Unfortunately, from what I see in 
g10/keyring.c it seems that gnupg returns always G10ERR_GENERAL in error 
cases, therefore, I will have to define my own return code that indicates 
locks.

Problem 2: keyring is completely deleted, fatal problem
Yesterday, my whole public key ring was deleted by gnupg (note, I'm not 
using the --lock-never function yet, current options are --batch, 
--no-secmem-warning and --always-trust).
Well, it happened that the system was importing several keys while the 
service was running. An import was happening and at the same time a verify 
was started. The verify returned the message '"pubring.gpg" created' and 
the whole ring was suddenly 0 bytes. The backup was gone, too, because 
more keys were imported afterwards. Therefore, I suspect that locking does 
not work appropriately when importing. Do you confirm that?

I would appreciate any advice on how to solve this. Or should I abandon 
gnupg completely as it is not intended to be used with more than one 
instance for the same user?

Thank you for your time.
 Stefan Haller


Stefan Haller
Software Development
Transport Revenue
________________________________
Ascom Autelca Ltd.
Worbstrasse 201
CH-3073 Gümligen
Phone +41 31 999 65 06
Fax   +41 31 999 65 82
stefan.haller at ascom.ch
www.ascom.com
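The two work-arounds the post proposes (an application-level lock that keeps verify/sign/encrypt out while an import writes the keyring, plus re-running an operation whose failure was only lock contention) combined into one wrapper. This is an added example, not code from the post or from the GnuPG project. It assumes a sidecar lock file next to the keyring, that gpg's general-error exit status is 2 (the post says lock failures come back as G10ERR_GENERAL, so that status alone cannot identify them), and that the word "lock" in gpg's stderr marks the transient case; the `runner` parameter exists so the retry policy can be exercised without a gpg binary.

```python
"""Serialise gpg invocations on a shared keyring and retry lock contention.

Added example (not part of the original post or of GnuPG).  Assumptions:
a sidecar lock file next to the keyring, exit status 2 as gpg's
catch-all error, and the substring "lock" in stderr marking a lock
failure rather than a real error.
"""
import fcntl
import os
import subprocess
import time
from contextlib import contextmanager

LOCK_PATH = os.path.expanduser("~/.gnupg/keyring.lock")  # assumed sidecar lock file
GPG_GENERAL_ERROR = 2  # gpg's catch-all exit status (G10ERR_GENERAL), assumed


@contextmanager
def keyring_lock(path=LOCK_PATH, exclusive=False):
    """Hold a flock(2) on the sidecar file.

    Readers (verify, sign, encrypt) take it shared and may overlap each
    other; a writer (import) takes it exclusive, so it waits for running
    readers to finish and no reader can start until the import is done.
    """
    directory = os.path.dirname(path)
    if directory:
        os.makedirs(directory, exist_ok=True)
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX if exclusive else fcntl.LOCK_SH)
        yield
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def looks_like_lock_failure(result):
    """Heuristic (assumption): gpg reports lock contention with its general
    error status, so tell it apart by the word 'lock' in stderr."""
    return (result.returncode == GPG_GENERAL_ERROR
            and "lock" in result.stderr.lower())


def run_gpg(args, *, write=False, retries=5, backoff=0.2,
            runner=None, lock_path=LOCK_PATH):
    """Run `gpg --batch <args>` under the matching lock.

    Only failures that look like lock contention are retried, with a
    linear back-off; a genuine error is returned after the first attempt.
    Returns (CompletedProcess, number_of_attempts).
    """
    if runner is None:
        runner = lambda cmd: subprocess.run(cmd, capture_output=True, text=True)
    cmd = ["gpg", "--batch", *args]
    attempts = 0
    while True:
        attempts += 1
        with keyring_lock(lock_path, exclusive=write):
            result = runner(cmd)
        if (result.returncode == 0
                or not looks_like_lock_failure(result)
                or attempts > retries):
            return result, attempts
        time.sleep(backoff * attempts)


def import_keys(keyfile, **kw):
    """Writer: takes the exclusive lock for the duration of the import."""
    return run_gpg(["--import", keyfile], write=True, **kw)


def verify(sigfile, **kw):
    """Reader: takes the shared lock, so verifies may run in parallel."""
    return run_gpg(["--verify", sigfile], write=False, **kw)
```

Every gpg process the service spawns, including the automatic imports, must go through this wrapper; a single import started outside it is enough to reintroduce the race. The lock is held across the whole gpg run rather than only around the keyring write, because the wrapper cannot see when gpg rewrites the file.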