Bug#619558: Does not need a GPG trustdb (/etc/apt/trustdb.gpg), just the trusted keyring
On Sat, Mar 26, 2011 at 10:33:17AM +0100, David Kalnischkies wrote:
> On Fri, Mar 25, 2011 at 05:19, Josh Triplett <josh@joshtriplett.org> wrote:
> > apt doesn't need to maintain the GPG trustdb in /etc/apt/trustdb.gpg;
> > apt trusts all keys in /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/*
> > .. Please consider getting rid of the trustdb, and if necessary just
> > telling GPG to trust all keys in the trusted keyring.
>
> Do you have an idea how to let this work?
>
>
> Last time I checked gpg doesn't like to be run without a trustdb…
>
> Following the gpg command apt-key uses to import the debian-archive-keyring
> without the --trustdb-name option it uses to switch to its own one:
>
> $ gpg --ignore-time-conflict --no-options --no-default-keyring
> --secret-keyring /etc/apt/secring.gpg --quiet --batch --keyring
> /usr/share/keyrings/debian-archive-keyring.gpg --export | gpg
> --ignore-time-conflict --no-options --no-default-keyring
> --secret-keyring /etc/apt/secring.gpg --keyring /etc/apt/trusted.gpg
> --primary-keyring /etc/apt/trusted.gpg --import
> gpg: key F42584E6: "Lenny Stable Release Key
> <debian-release@lists.debian.org>" not changed
> gpg: key 55BE302B: "Debian Archive Automatic Signing Key (5.0/lenny)
> <ftpmaster@debian.org>" not changed
> gpg: key 6D849617: "Debian-Volatile Archive Automatic Signing Key
> (5.0/lenny)" not changed
> gpg: key B98321F9: "Squeeze Stable Release Key
> <debian-release@lists.debian.org>" not changed
> gpg: key 473041FA: "Debian Archive Automatic Signing Key (6.0/squeeze)
> <ftpmaster@debian.org>" not changed
> gpg: Total number processed: 5
> gpg: unchanged: 5
> gpg: fatal: /root/.gnupg: directory does not exist!
> secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768
>
> If all keys are already present it's successful but prints this gpg fatal;
> otherwise it fails with the same message
> (without the two-line statistic about processed keys).
>
> I think this is very similar to --secret-keyring which isn't really needed,
> but gpg seems to insist on having it around…
--trustdb-name /dev/null seems to work just fine, as does
--secret-keyring /dev/null.
- Josh Triplett