Bug#619558: Does not need a GPG trustdb (/etc/apt/trustdb.gpg), just the trusted keyring
On Fri, Mar 25, 2011 at 05:19, Josh Triplett <josh@joshtriplett.org> wrote:
> apt doesn't need to maintain the GPG trustdb in /etc/apt/trustdb.gpg;
> apt trusts all keys in /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/*
> .. Please consider getting rid of the trustdb, and if necessary just
> telling GPG to trust all keys in the trusted keyring.
Do you have an idea how to let this work?
Last time I checked gpg doesn't like to be run without a trustdb…
Following the gpg command apt-key uses to import the debian-archive-keyring
without the --trustdb-name option it uses to switch to its own one:
$ gpg --ignore-time-conflict --no-options --no-default-keyring \
    --secret-keyring /etc/apt/secring.gpg --quiet --batch --keyring \
    /usr/share/keyrings/debian-archive-keyring.gpg --export | gpg \
    --ignore-time-conflict --no-options --no-default-keyring \
    --secret-keyring /etc/apt/secring.gpg --keyring /etc/apt/trusted.gpg \
    --primary-keyring /etc/apt/trusted.gpg --import
gpg: key F42584E6: "Lenny Stable Release Key
<debian-release@lists.debian.org>" not changed
gpg: key 55BE302B: "Debian Archive Automatic Signing Key (5.0/lenny)
<ftpmaster@debian.org>" not changed
gpg: key 6D849617: "Debian-Volatile Archive Automatic Signing Key
(5.0/lenny)" not changed
gpg: key B98321F9: "Squeeze Stable Release Key
<debian-release@lists.debian.org>" not changed
gpg: key 473041FA: "Debian Archive Automatic Signing Key (6.0/squeeze)
<ftpmaster@debian.org>" not changed
gpg: Total number processed: 5
gpg: unchanged: 5
gpg: fatal: /root/.gnupg: directory does not exist!
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768
If all keys are already present it's successful but prints this gpg fatal;
otherwise it fails with the same message
(without the two-line statistic about processed keys).
I think this is very similar to --secret-keyring, which isn't really needed,
but gpg seems to insist on having it around…
The good thing is, if all -keyring packages switch to dropping files
into trusted.gpg.d,
we don't need gpg, as we don't need to maintain a single trusted.gpg file…
Best regards
David Kalnischkies