
Bug#619558: Does not need a GPG trustdb (/etc/apt/trustdb.gpg), just the trusted keyring



On Fri, Mar 25, 2011 at 05:19, Josh Triplett <josh@joshtriplett.org> wrote:
> apt doesn't need to maintain the GPG trustdb in /etc/apt/trustdb.gpg;
> apt trusts all keys in /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/*
> ..  Please consider getting rid of the trustdb, and if necessary just
> telling GPG to trust all keys in the trusted keyring.

Do you have an idea how to let this work?


Last time I checked, gpg doesn't like to be run without a trustdb…

Following is the gpg command apt-key uses to import the debian-archive-keyring,
without the --trustdb-name option it uses to switch to its own one:

$ gpg --ignore-time-conflict --no-options --no-default-keyring
--secret-keyring /etc/apt/secring.gpg --quiet --batch --keyring
/usr/share/keyrings/debian-archive-keyring.gpg --export | gpg
--ignore-time-conflict --no-options --no-default-keyring
--secret-keyring /etc/apt/secring.gpg --keyring /etc/apt/trusted.gpg
--primary-keyring /etc/apt/trusted.gpg --import
gpg: key F42584E6: "Lenny Stable Release Key
<debian-release@lists.debian.org>" not changed
gpg: key 55BE302B: "Debian Archive Automatic Signing Key (5.0/lenny)
<ftpmaster@debian.org>" not changed
gpg: key 6D849617: "Debian-Volatile Archive Automatic Signing Key
(5.0/lenny)" not changed
gpg: key B98321F9: "Squeeze Stable Release Key
<debian-release@lists.debian.org>" not changed
gpg: key 473041FA: "Debian Archive Automatic Signing Key (6.0/squeeze)
<ftpmaster@debian.org>" not changed
gpg: Total number processed: 5
gpg:              unchanged: 5
gpg: fatal: /root/.gnupg: directory does not exist!
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768

If all keys are already present it's successful but prints this gpg fatal -
otherwise it fails with the same message
(without the two-line statistic about processed keys).

I think this is very similar to --secret-keyring, which isn't really needed,
but gpg seems to insist on having it around…


The good thing is, if all -keyring packages switch to dropping files
into trusted.gpg.d, we don't need gpg as we don't need to maintain a single
trusted.gpg file…


Best regards

David Kalnischkies
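The gpg invocation shape discussed above, as an added shell example that is not part of the bug report, apt-key or GnuPG: the same --no-default-keyring / --keyring / --trustdb-name flags run inside a constructed temporary home so gpg never looks for /root/.gnupg, followed by a signature check that treats every key in the trusted keyring as trusted. The key, keyring and Release files are all constructed in a temp directory; it assumes GnuPG 2.1 or newer is installed.

```shell
#!/bin/sh
# Added example (not from the bug report or apt-key): run apt-key's gpg shape
# (--no-default-keyring, --keyring, --trustdb-name) inside a constructed
# temporary home, so gpg never looks for /root/.gnupg, then verify a detached
# signature against that keyring with --trust-model always, i.e. "trust every
# key in the trusted keyring". Assumes GnuPG >= 2.1 is installed.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/home"      # throwaway home instead of ~/.gnupg
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# apt-key's "ignore the user's setup" flags plus an explicit trustdb path.
gpg_trusted() {
    gpg --ignore-time-conflict --no-options --batch --quiet \
        --no-default-keyring --keyring "$WORK/trusted.gpg" \
        --trustdb-name "$WORK/trustdb.gpg" "$@"
}

# Constructed stand-in for /usr/share/keyrings/debian-archive-keyring.gpg:
# an unprotected key generated in the temp home and exported as a keyring.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Example Archive Key <archive@example.invalid>' default default never
gpg --batch --quiet --export archive@example.invalid > "$WORK/archive-keyring.gpg"

# Import the archive keyring into trusted.gpg (what apt-key's export|import pipe did).
import_archive_keyring() {
    gpg_trusted --import "$WORK/archive-keyring.gpg"
}

# How many public keys trusted.gpg now holds: the check to run after an import.
trusted_key_count() {
    gpg_trusted --with-colons --list-keys | grep -c '^pub:'
}

# Verify a detached signature (Release.gpg over Release) using only the trusted
# keyring; exit status 0 only for a good signature by a key in that keyring.
verify_with_trusted() {   # $1 = detached signature, $2 = signed data
    gpg_trusted --trust-model always --verify "$1" "$2" 2>/dev/null
}

# Constructed sample: a tiny Release file, its signature, and a tampered copy.
printf 'Origin: Example\nSuite: stable\n' > "$WORK/Release"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --detach-sign --output "$WORK/Release.gpg" "$WORK/Release"
printf 'Origin: Tampered\nSuite: stable\n' > "$WORK/Release.bad"

import_archive_keyring
```

Because the trustdb lives at an explicit path and the keyring is the only key source, the "/root/.gnupg: directory does not exist!" fatal from the report does not occur, and a tampered Release fails verification even though its signing key is in the keyring.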


