On Mon, 02 Oct 2000, Christian Pernegger wrote:
> gpg tries to create a temporary file in /usr/share/keyrings/
> when mutt verifies a signature. (That fails.)

Yes, gpg is funny like that :-) No concept of cleaning up lockfiles to avoid stupid deadlocks, no concept of timing out sockets (thus deadlocking in some cases) and no concept of /tmp being the right place for temporary files. Bleargh, I really wish I had something better than gpg to do all the key management.

I suggest you write a script to freshen up gpg's key database. I'll attach mine, but be advised that it is quite rough and you'll probably want to clean it up. This has the good advantage of fetching new copies of ALL keys it can find. One actually must do this if he is not sure he'll receive any eventual revocation certificates from the key owners first hand :-(

gpg really, really, really needs some kind of --refresh-keyring function, as outdated keys are a security concern.

> Of course I can import the keyring but then it'd be rather
> pointless to put it in /usr/share/, wouldn't it?

Why? It's readonly data, it belongs in /usr/share. gpg is broken, not debian-keyring.

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all
and in the darkness grind them. In the Land of Redmond where the shadows lie."
-- The Silicon Valley Tarot
Henrique Holschuh
#!/bin/sh
## GNUPG Maintenance script
##

###
### User-defined parameters
###

## Read-Only keyrings
ROKEYRINGS="/usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-keyring.pgp"

## Keyserver list
#KEYSERVERS="keyring.debian.org wwwkeys.eu.pgp.net wwwkeys.us.pgp.net"
KEYSERVERS="wwwkeys.eu.pgp.net wwwkeys.us.pgp.net"

PROG=`basename "$0"`

########################################################################

set +e

if test -x /usr/bin/time; then
    TIMECMD=/usr/bin/time
else
    TIMECMD=
fi

runupdate() {
    # Does an update run: list every primary key in the keyring, strip the
    # "1024D/" prefix to leave the bare key ID, and fetch a fresh copy of
    # each key from the keyserver passed in "$@" (e.g. --keyserver host)
    gpg --batch --list-keys --fast-list | grep '^pub ' | awk '{ print $2 }' \
        | sed 's/^.*\///' \
        | xargs -r ${TIMECMD} gpg -q --batch --lock-multiple --recv-key "$@"
}

## First, update public ring from any readonly keyrings
echo "${PROG}: Updating RW keyring from RO keyrings..."
echo "${PROG}: Keyrings: ${ROKEYRINGS}"
${TIMECMD} gpg --batch --quiet --fast-import ${ROKEYRINGS}
echo

## Now, refresh key data from dynamic sources
echo "${PROG}: Requesting fresh key data from public keyservers..."
for i in ${KEYSERVERS} ; do
    echo "${PROG}: Keyserver ${i}..."
    runupdate --keyserver ${i}
    echo
done

## Now, rebuild database
echo "${PROG}: Rebuilding trust database..."
gpg --batch --quiet --update-trustdb
echo "${PROG}: DONE."
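The script above scrapes key IDs out of gpg's human-readable listing, which is what the "1024D/KEYID" sed trick is for. As an added example (not Henrique's script and not part of the original mail), the helper below does the same extraction from gpg's machine-readable `--with-colons` listing, where field 1 is the record type, field 2 the validity letter (`r` revoked, `e` expired) and field 5 the key ID, and it also reports which primary keys are already revoked or expired, which is exactly the "outdated keys" concern the mail raises. The listing it parses is constructed sample input embedded in the script so it runs offline; in real use it would be replaced by the output of `gpg --batch --with-colons --list-keys`.

```shell
#!/bin/sh
# Added example: parse gpg's colon-delimited key listing to extract key IDs
# for a keyserver refresh and to flag keys that are revoked or expired.
# SAMPLE_LISTING is constructed test data in the --with-colons record layout
# (record type, validity, key length, algo, key ID, created, expires, ...).

SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:AAAA1111BBBB2222:2019-03-01::u:::scESC:
uid:u::::2019-03-01::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.invalid>:
sub:u:4096:1:CCCC3333DDDD4444:2019-03-01::::::e:
pub:r:2048:1:EEEE5555FFFF6666:2015-06-10::-:::scESC:
uid:r::::2015-06-10::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Bob Revoked <bob@example.invalid>:
pub:e:1024:17:0123456789ABCDEF:2000-10-02:2010-10-02:-:::sc:
uid:e::::2000-10-02::0011223344556677889900AABBCCDDEEFF001122::Carol Expired <carol@example.invalid>:'

# list_keyids LISTING: print the key ID (field 5) of every primary key
# ("pub" record), one per line; this is the list a --recv-key run needs.
list_keyids() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" { print $5 }'
}

# flag_stale_keys LISTING: print "KEYID revoked" or "KEYID expired" for every
# primary key whose validity field (field 2) is r or e.
flag_stale_keys() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" && ($2 == "r" || $2 == "e") {
        status = ($2 == "r") ? "revoked" : "expired"
        print $5, status
    }'
}

# count_stale LISTING: number of revoked or expired primary keys.
count_stale() {
    flag_stale_keys "$1" | wc -l | tr -d ' '
}

# recv_command SERVER LISTING: print the gpg command line that would fetch
# fresh copies of all listed keys from SERVER (printed, not executed, so the
# example stays offline; a real script would pipe list_keyids into xargs).
recv_command() {
    ids=$(list_keyids "$2" | tr '\n' ' ')
    printf 'gpg --batch --keyserver %s --recv-key %s\n' "$1" "$ids"
}

# Stand-alone run: report on the constructed sample listing.
if [ "${1:-}" = "--demo" ]; then
    echo "Key IDs to refresh:"
    list_keyids "$SAMPLE_LISTING"
    echo "Stale keys ($(count_stale "$SAMPLE_LISTING")):"
    flag_stale_keys "$SAMPLE_LISTING"
    recv_command wwwkeys.eu.pgp.net "$SAMPLE_LISTING"
fi
```

Run it with `sh script.sh --demo` to see the report. Refreshing keys from a keyserver only helps if the revocation certificate has been uploaded there, so checking the validity column after each refresh (and treating `r` and `e` keys as unusable for signature verification) is the part a maintenance script should not skip.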