GNUPG HELP please

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Oct 14 22:17:31 CEST 2009


Hi Connie--

On 10/14/2009 01:55 PM, CONNIE RODRIGUEZ wrote:
>  + /usr/local/bin/gpg -e -r REWARD /law/test/law/test/interface/watsonwyatt/data/epay.txt
>                 gpg: WARNING: unsafe permissions on configuration file `/home/lawhr/.gnupg/gpg.conf'

This suggests that your configuration file may be readable or writable
by other users.  You can view the permissions on that file with:

  ls -l /home/lawhr/.gnupg/gpg.conf

You can lock it down with:

  chmod go-rwx /home/lawhr/.gnupg/gpg.conf

(note here that "go-rwx" means "remove (-) read (r), write (w), and
execute (x) from group (g) and all other users (o)" )

If you're not sure about the concept of filesystem permissions, it's
worthwhile to think about them a bit.  They'll come up fairly often on
unix systems.  Wikipedia has a good start:

http://en.wikipedia.org/wiki/File_system_permissions#Notation_of_traditional_Unix_permissions

>                 gpg: WARNING: unsafe enclosing directory permissions on configuration file `/home/lawhr/.gnupg/gpg.conf'

This is due to a directory being potentially readable or writable by
other users.  You can lock down the "enclosing directory" with:

 chmod go-rwx /home/lawhr/.gnupg/

>                 gpg: WARNING: using insecure memory!

Search for "insecure memory" in the gpg manual page (try "man gpg") for
more information about this error under the BUGS section.  You may
either want to make gpg setuid root (if secure memory is important to
you) or to tell gpg to ignore this particular error by adding the
relevant option to your gpg.conf file.

>                 gpg: please see http://www.gnupg.org/faq.html for more information

Have you read this?  It's worth reading!  You might be interested in
section 6.1 in particular:

  http://www.gnupg.org/faq.html#q6.1

>                 gpg: 4D5AFE2E: There is no assurance this key belongs to the named user

This is likely because you've imported the "REWARD" key into your remote
system without indicating any particular "ultimate" ownertrust.

gpg does a fair amount of work to make sure that keys belong to who you
think they should belong to -- it doesn't make any sense to encrypt data
to a key if you aren't sure whose key it is.

Presumably, there is someone who is making reasonable assertions about
which keys belong to which entities, and signing those keys.  You
probably want to designate "ultimate" ownertrust for that certifier on
your server.  For example, if you hold key DECAFBAD privately
(off-server), but you use that key to sign the REWARD key, you could
import the DECAFBAD public key on the server, and then (still on the
server) do:

 gpg --edit-key DECAFBAD
  trust

and then choose "ultimate" ownertrust.  Make sense?

>                 gpg: cannot open `/dev/tty': There is a request to a device or address that does not exist.

I dunno why this is coming up; what operating system are you running
this on?  What version of gpg?  Did you build it yourself, or is it the
version provided by your OS?

hth,

	--dkg
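The permission checks dkg walks through above, as an added example that is not part of the original message or of GnuPG itself: a small POSIX sh script that reproduces the test gpg applies to its homedir and gpg.conf (any read/write/execute bit set for group or other counts as unsafe), applies the `chmod go-rwx` fix, and re-checks.  It builds a throwaway `.gnupg` directory under mktemp with deliberately loose modes, so it never touches a real keyring; the `no-greeting` line written into the constructed gpg.conf is just filler so the file exists.

```shell
#!/bin/sh
# Added example, not from the original thread.  Mirrors gpg's "unsafe
# permissions" / "unsafe enclosing directory permissions" checks on a
# constructed temporary directory and applies dkg's chmod fix.

# gnupg_perm_check DIR
# Prints one line per path whose group/other bits are set (the condition
# gpg warns about) and returns 1 if any were found, 0 if all are locked down.
gnupg_perm_check() {
    dir=$1
    status=0
    for path in "$dir" "$dir/gpg.conf"; do
        [ -e "$path" ] || continue
        # ls -ld prints e.g. "drwxr-xr-x"; characters 5-10 are the
        # group (rwx) and other (rwx) bits, so all dashes means "safe".
        go=$(ls -ld "$path" | cut -c5-10)
        if [ "$go" != "------" ]; then
            echo "unsafe permissions on $path (group/other: $go)"
            status=1
        fi
    done
    return $status
}

# gnupg_perm_fix DIR
# The fix from the message: strip read/write/execute from group and other
# on the enclosing directory and on the configuration file.
gnupg_perm_fix() {
    dir=$1
    chmod go-rwx "$dir"
    if [ -e "$dir/gpg.conf" ]; then
        chmod go-rwx "$dir/gpg.conf"
    fi
}

# make_loose_gnupg
# Constructed test fixture: a .gnupg directory that is world-readable
# (755) with a world-readable gpg.conf (644), like the one gpg complained
# about.  Prints the directory path.
make_loose_gnupg() {
    tmp=$(mktemp -d)
    mkdir -m 755 "$tmp/.gnupg"
    printf 'no-greeting\n' > "$tmp/.gnupg/gpg.conf"
    chmod 644 "$tmp/.gnupg/gpg.conf"
    echo "$tmp/.gnupg"
}

# demo: show the warnings, fix, and confirm the check is now clean.
# Returns the exit status of the final check (0 when everything is fixed).
demo() {
    gdir=$(make_loose_gnupg)
    echo "before:"
    gnupg_perm_check "$gdir" || true
    gnupg_perm_fix "$gdir"
    echo "after:"
    gnupg_perm_check "$gdir" && echo "ok: $gdir is locked down"
    rc=$?
    rm -rf "$(dirname "$gdir")"
    return $rc
}

# Run the demo only when executed directly, so the functions can be sourced.
case "$0" in
    *gnupg_perm*|*/sh|sh|bash|*/bash) ;;
    *) demo ;;
esac
```

`ls -ld` plus `cut` is used instead of `stat` because `stat`'s flags differ between GNU and BSD userlands, while the first ten characters of `ls -l` output are the same everywhere.  The check only looks at mode bits, the same as gpg's warning; it does not catch a directory owned by another user, which is a separate problem worth checking with `ls -ld` by eye.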
