Working with a system-shared keyring

Dan McGee dpmcgee at gmail.com
Thu Jun 2 00:41:13 CEST 2011


We're trying to get a full implementation of package and database
signing going for Arch Linux using gpgme/gpg, and have run into a few
small hiccups. The goal was to actually use the web of trust features
rather than relying on gpgv and trusting everything in a given
keyring, as it seems every other distro using signing has done.
However, gpg is very particular about permissions, locking, and
ownership, and when layering gpgme on top of this, it becomes even
harder to work within the bounds of what is available.

A quick console session is shown below. Basically the idea is the
system GPG homedir used by the package manager is located at
/etc/pacman.d/gnupg/, and is world readable, as are all the files
within. There will never be private key information in this location.

So my questions are:
1. Does anyone else have experience with a keyring shared among users?
2. What is best/secure practice when it comes to this? Outside of
--lock-never, yum does something that seems silly, but works: it makes a
user-owned copy of the entire keyring directory and then uses that.
3. gpgme doesn't allow us to bypass the trustdb.gpg locking; is there
any possibility of allowing gpgme to run with --lock-never in a
read-only mode?

Any feedback is welcome, thanks in advance!

-Dan

$ sudo gpg --homedir /etc/pacman.d/gnupg --verify
/home/makepkg/packages/libmysqlclient-5.5.12-1-x86_64.pkg.tar.xz.sig
gpg: WARNING: unsafe permissions on homedir `/etc/pacman.d/gnupg'
gpg: Signature made Tue 17 May 2011 09:13:06 AM CDT using DSA key ID F53A76ED
gpg: Good signature from "Dan McGee <dpmcgee at gmail.com>"
gpg:                 aka "Dan McGee (Developer) <dan at archlinux.org>"
gpg:                 aka "Dan McGee (Jabber) <toofishes at toofishes.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A5CA 9D55 15DC 2CA7 3DF7  48CA 5C2E 46A0 F53A 76ED

$ gpg --homedir /etc/pacman.d/gnupg --verify
/home/makepkg/packages/libmysqlclient-5.5.12-1-x86_64.pkg.tar.xz.sig
gpg: WARNING: unsafe ownership on homedir `/etc/pacman.d/gnupg'
gpg: Signature made Tue 17 May 2011 09:13:06 AM CDT using DSA key ID F53A76ED
gpg: failed to create temporary file
`/etc/pacman.d/gnupg/.#lk0x149f680.galway.5260': Permission denied
gpg: fatal: can't create lock for `/etc/pacman.d/gnupg/trustdb.gpg'
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768

$ gpg --lock-never --homedir /etc/pacman.d/gnupg --verify
/home/makepkg/packages/libmysqlclient-5.5.12-1-x86_64.pkg.tar.xz.sig
gpg: WARNING: unsafe ownership on homedir `/etc/pacman.d/gnupg'
gpg: Signature made Tue 17 May 2011 09:13:06 AM CDT using DSA key ID F53A76ED
gpg: NOTE: trustdb not writable
gpg: Good signature from "Dan McGee <dpmcgee at gmail.com>"
gpg:                 aka "Dan McGee (Developer) <dan at archlinux.org>"
gpg:                 aka "Dan McGee (Jabber) <toofishes at toofishes.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A5CA 9D55 15DC 2CA7 3DF7  48CA 5C2E 46A0 F53A 76ED
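
The copy-the-keyring workaround from question 2 above, as an added example (not part of the original post, and not pacman's or yum's code). Function names are hypothetical; the default homedir is the path shown in the post.

```shell
# Added example, not code from the post, pacman or yum.
# Function names are hypothetical; the default path is the one in the post.
SHARED_HOMEDIR="${SHARED_HOMEDIR:-/etc/pacman.d/gnupg}"

# Copy a world-readable shared homedir into a fresh directory that the
# calling user owns with mode 0700, and print the path of the copy.
make_private_homedir() {
    src="$1"
    [ -d "$src" ] || { echo "no such homedir: $src" >&2; return 1; }

    # A world-writable keyring or trustdb could have been altered by any
    # local user, so refuse to copy trust decisions from it.
    bad=$(find "$src" ! -type l -perm -002)
    [ -z "$bad" ] || { echo "world-writable: $bad" >&2; return 1; }

    dst=$(mktemp -d) || return 1          # mktemp -d creates it 0700
    cp -R "$src"/. "$dst"/ || { rm -rf "$dst"; return 1; }
    chmod -R go-rwx "$dst"                # silences the unsafe-permissions warning
    printf '%s\n' "$dst"
}

# Verify a detached signature against a throwaway copy, so gpg can take
# its trustdb.gpg lock without write access to the shared directory.
# The copy is a snapshot: anything gpg writes to it is discarded with it.
verify_with_private_copy() {
    sig="$1"
    home=$(make_private_homedir "$SHARED_HOMEDIR") || return 1
    gpg --homedir "$home" --verify "$sig" && rc=0 || rc=$?
    rm -rf "$home"
    return "$rc"
}
```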


