
Re: debian-keyring + gpg 'keyring' option



On Mon, 02 Oct 2000, Christian Pernegger wrote:
> gpg tries to create a temporary file in /usr/share/keyrings/
> when mutt verifies a signature. (That fails.)

Yes, gpg is funny like that :-) No concept of cleaning up lockfiles to avoid
stupid deadlocks, no concept of timing out sockets (thus deadlocking in some
cases) and no concept of /tmp being the right place for temporary files.
Bleargh, I really wish I had something better than gpg to do all the key
management.

I suggest you write a script to freshen up gpg's key database. I'll attach
mine, but be advised that it is quite rough and you'll probably want to
clean it up.

This has the good advantage of fetching new copies of ALL keys it can find.
One actually must do this if he is not sure he'll receive any eventual
revocation certificates from the key owners first-hand :-( gpg really,
really, really needs some kind of --refresh-keyring function, as outdated
keys are a security concern.

> Of course I can import the keyring but then it'd be rather
> pointless to put it in /usr/share/, wouldn't it?

Why? It's readonly data, it belongs in /usr/share. gpg is broken, not
debian-keyring.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
#!/bin/sh
## GNUPG Maintenance script
##
## Imports the read-only (system) keyrings into the user's own public
## keyring, then asks each keyserver for a fresh copy of every key that is
## already in the keyring (which is how new revocation certificates get
## picked up), and finally rebuilds the trust database.

###
### User-defined parameters
###

## Read-Only keyrings (space-separated list)
ROKEYRINGS="/usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-keyring.pgp"

## Keyserver list (space-separated; each one is queried in turn)
#KEYSERVERS="keyring.debian.org wwwkeys.eu.pgp.net wwwkeys.us.pgp.net"
KEYSERVERS="wwwkeys.eu.pgp.net wwwkeys.us.pgp.net"

PROG=$(basename "$0")

########################################################################

## Keep going when one keyserver or one key fails
set +e

## Time each gpg run when /usr/bin/time is available
if test -x /usr/bin/time; then
	TIMECMD=/usr/bin/time
else
	TIMECMD=
fi

runupdate() {
	# Does an update run: list the key IDs of every public key in the
	# keyring ("pub  1024D/XXXXXXXX ..." lines, keep the part after the
	# slash) and ask the keyserver for a fresh copy of each one.  Extra
	# arguments (e.g. --keyserver host) are passed on to gpg.
	# ${TIMECMD} is deliberately unquoted: it may be empty.
	gpg --batch --list-keys --fast-list-mode \
		| grep '^pub ' \
		| awk '{ print $2 }' \
		| sed 's/^.*\///' \
		| xargs -r ${TIMECMD} gpg -q --batch --lock-multiple --recv-key "$@"
}

## First, update public ring from any readonly keyrings

echo "${PROG}: Updating RW keyring from RO keyrings..."
echo "${PROG}: Keyrings: ${ROKEYRINGS}"

# ROKEYRINGS is deliberately unquoted so that each file is one argument
${TIMECMD} gpg --batch --quiet --fast-import ${ROKEYRINGS}

echo

## Now, refresh key data from dynamic sources

echo "${PROG}: Requesting fresh key data from public keyservers..."

for i in ${KEYSERVERS} ; do
	echo "${PROG}: Keyserver ${i}..."
	runupdate --keyserver "${i}"
	echo
done

## Now, rebuild database

echo "${PROG}: Rebuilding trust database..."
gpg --batch --quiet --update-trustdb

echo "${PROG}: DONE."