#361539 Errors importing keys with readonly debian-keyring.gpg

Package:
debian-keyring
Source:
debian-keyring
Submitter:
Nikolaus Schulz
Date:
2021-08-29 12:27:03 UTC
Severity:
important
Blocked By:
Bug Title
318853

  0

[gnupg/514] gnupg: no simple way to sign a key in a global keyring

normal about 8 years ago

38858

  0

[gnupg/514] gnupg: no simple way to sign a key in a global keyring

normal about 8 years ago

499550

  0

[gnupg/514] gnupg: no simple way to sign a key in a global keyring

normal about 8 years ago

48077

  0

[gnupg/514] gnupg: no simple way to sign a key in a global keyring

normal about 8 years ago

#361539#5
Date:
2006-04-08 22:38:45 UTC
From:
To:
Hi,

as suggested in the debian-keyring README, I've added the Debian keyrings
directly:

,----[ ~/.gnupg/gpg.conf ]
| keyring /usr/share/keyrings/debian-keyring.gpg
| keyring /usr/share/keyrings/debian-keyring.pgp
| keyserver wwwkeys.de.pgp.net
`----

Here's a typescript of what happens importing a key:

penelope[nikolaus]$ gpg --recv-keys XXXXXXXX
gpg: requesting key XXXXXXXX from hkp server wwwkeys.de.pgp.net
gpg: key XXXXXXXX: public key "<id>" imported
gpg: can't create `/usr/share/keyrings/debian-keyring.gpg.tmp': Read-only file system
gpg: failed to rebuild keyring cache: file open error
gpg: can't create `/usr/share/keyrings/debian-keyring.pgp.tmp': Read-only file system
gpg: failed to rebuild keyring cache: file open error
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:	1  signed:   0	trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:		   imported: 1
penelope[nikolaus]$


Have a nice day,
Nikolaus

#361539#10
Date:
2006-08-16 17:03:25 UTC
From:
To:
Nikolaus Schulz <microschulz@web.de> wrote:

Hi Nikolaus,

I think this is not a bug.  You just missed the next paragraph in the
README, telling you

,----
| GPG cannot modify keys in these root-owned files.  In order to edit or
| sign keys in the Debian keyring you will first need to import them to
| your personal keyring.  If ~/.gnupg/gpg.conf lists the debian-keyring
| files, keys already in the Debian keyring will not be imported to your
| personal keyring.  You can use "gpg --no-options --import" to force
| GPG to ignore gpg.conf and import keys to your personal keyring only.
`----

Should we close this bug?

Regards, Frank

#361539#13
Date:
2006-08-18 23:13:05 UTC
From:
To:
Hi Frank!

Frank Küster wrote:

Hmm.  I'm not very fluid with gnupg, but first, the README section you're
citing starts with the clear statement:

,----[ README ]
| Using the debian-keyring with gpg
| ---------------------------------
|
| Add these lines to the bottom of your ~/.gnupg/gpg.conf[1] file:
|
| keyring /usr/share/keyrings/debian-keyring.gpg
| keyring /usr/share/keyrings/debian-keyring.pgp
`----

And this _does not work_.

    Second, I may be lacking the necessary insight how gnupg works, but
IIRC, when I included the given "keyring" lines in ~/gpg.conf,  it was
not the procedure of "editing or signing keys in the Debian keyring"
that failed, but the procedure of importing (any) keys in my private
keyring.  This is different from what the paragraph you cited speaks
about.

HAND,
Nikolaus

#361539#18
Date:
2008-02-23 18:12:40 UTC
From:
To:
Hello,

I'm just seeing this from time to time in mutt. While trying to validate
a signature I get this output. It would be great to have at least a
workaround for this.

Regards,
Andrei

#361539#27
Date:
2008-09-14 22:32:14 UTC
From:
To:
This is a significant problem for me as well.

There are reasonable circumstances where a system administrator would
want users to always have access to a system-maintained keyring.  The
users should of course also have no problems simultaneously
manipulating and updating their own user-controlled keyring.

The natural way to perform such a split is to do as the README
suggests, and add extra keyring lines to ~/.gnupg/gpg.conf

However, with this configuration, even simple keyserver fetches for
non-privileged users look like this:

0 wt215@squeak:~$ cat .gnupg/gpg.conf
keyring /usr/share/keyrings/debian-keyring.gpg
0 wt215@squeak:~$ gpg --keyserver keys.gnupg.net --recv d21739e9
gpg: requesting key D21739E9 from hkp server keys.gnupg.net
gpg: key D21739E9: public key "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" imported
gpg: can't create `/usr/share/keyrings/debian-keyring.gpg.tmp': Permission denied
gpg: failed to rebuild keyring cache: file open error
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
2 wt215@squeak:~$

The leading number in the shell prompt indicates the return code from
the last command, so this apparent successful import is returning with
code 2.  According to gpg(1), that means a "fatal error":

  RETURN VALUE
       The program returns 0 if everything was fine, 1 if at least a
       signature was bad, and other error codes for fatal errors.

Even more confusing, the result does not seem to be consistent.
Running the same command a second time looks like this:

0 wt215@squeak:~$ gpg --keyserver keys.gnupg.net --recv d21739e9
gpg: requesting key D21739E9 from hkp server keys.gnupg.net
gpg: key D21739E9: "Daniel Kahn Gillmor <dkg@fifthhorseman.net>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
0 wt215@squeak:~$

Is there a diagnosis for what's causing this problem?  Is there a
better way to accomplish the goal i outlined above of having a
system-maintained keyring *and* a user-maintained keyring?  Is this
associated with any upstream bug?

The only related upstream issue i could find was here:

https://bugs.g10code.com/gnupg/issue514

which Werner closed as "not a bug" -- but without addressing the
underlying need to be able to include system-maintained keyrings
during regular use.

Thanks for maintaining gpg in debian,

#361539#32
Date:
2008-09-19 10:14:31 UTC
From:
To:
I agree. However the bug you've followed up to is assigned to the
debian-keyring package, whereas the issue really seems to be gpg's
behaviour.

I think GPG probably wants to do something like:

1 GPG should understand about read-only keyrings.
2 Read/write keyrings should be checked for keys before read-only
  keyrings.
3 If a key in a read-only keyring is updated then the result should be
  written to a read/write keyring (which will then take precedence over
  the read-only one thanks to 2)

Also possibly it should be reading all keyrings always for keys and
combining them, which would allow the system keyring to be updated and
users who've updated keys contained in it to automatically get more
updates. Or maybe it should just look at read-only keyrings for a
--recv-key.

Having had a look at the bugs on gnupg I think 38857 and 48077 are worth
a look. It's interesting that Werner Koch is saying in 38857 that the
ability to have multiple keyrings will be dropped in the future, though
this was back in 2005.

J.

#361539#37
Date:
2008-09-19 17:37:06 UTC
From:
To:
clone 361539 -1
reassign -1 gnupg
thanks

Hrm, yes you're right about that.  It affects the usefulness of the
debian-keyring package, but it does look to be a bug in GPG instead.
I'm cloning this bug.  Feel free to close the clone, if you think i've
done this improperly.  (i wasn't sure if i should assign the clone to
gnupg or gnupg2, as both seem to have the same misbehavior; is another
clone warranted?)

I think this misses some nuance that GPG needs.  For example, if a key
that is present in a r/w keyring has no certifications on it, but
there *are* certifications on it in a r/o keyring, you'd like to be
able to evaluate the r/o certifications, even though the key was found
in the first keyring.

I think this is the right way to go.

Keyrings are basically simple aggregations of various certifications
about a particular key or key+UserID association.  Each certification
that is aggregated is a distinct OpenPGP packet, bound by its
structure and contents to the relevant key or key+UserID.

If gpg wants to look for or evaluate a particular certification (or
type of certification), it should search in *both* the r/w keyrings
and the r/o keyrings.  I'm not sure that the order matters, as long as
the certifications are valid.  There are ways of resolving precedence
between two certifications (e.g.  which one was issued later) that
should be *more* relevant than the writability of the keyring in which
the certification is stored.

If gpg wants to *add* a new certification to a key or key+UserID (via
--recv, --sign-key, --lsign-key, --import, --edit-key, etc), it should
ensure that the key itself and any relevant User IDs and
self-signatures are placed in the r/w keyring (copying from the r/o
keyring, if needed).  Then it should place the new certification into
the r/w keyring, attached to the relevant point.  Transferring the
subject material (key, UserID, and self-sigs) ensures that if the r/o
keyring goes away at some point (or was only there temporarily in the
first place), you'll still have a valid r/w keyring.

Thanks for the pointers; if removing support for multiple keyrings is
actually a design goal, it would be a real shame.  But it doesn't seem
to be acted on, since the man page for gpg2 (first released in 2006,
well after the remark you note) contains several references to
multiple keyrings.

#361539#46
Date:
2021-08-29 12:25:58 UTC
From:
To:
Date: Wed, 28 Mar 2012 13:55:28 -0400 >From: Samuel Bronson >-------------
SGkgRnJhbmshCgpGcmFuayBLw7xzdGVyIHdyb3RlOgo+IE5pa29sYXVzIFNjaHVseiA8bWljcm9zY2h1bHpAd2ViLmRlPiB3cm90ZToKPiAKPiA+IFBhY2thZ2U6IGRlYmlhbi1rZXlyaW5nCj4gPiBWZXJzaW9uOiAyMDA1LjA1LjI4Cj4gPiBTZXZlcml0eTogbm9ybWFsCj4gPgo+ID4gSGksCj4gPgo+ID4gYXMgc3VnZ2VzdGVkIGluIHRoZSBkZWJpYW4ta2V5cmluZyBSRUFETUUsIEkndmUgYWRkZWQgdGhlIERlYmlhbiBrZXlyaW5ncwo+ID4gZGlyZWN0bHk6Cj4gPgo+ID4gLC0tLS1bIH4vLmdudXBnL2dwZy5jb25mIF0KPiA+IHwga2V5cmluZyAvdXNyL3NoYXJlL2tleXJpbmdzL2RlYmlhbi1rZXlyaW5nLmdwZwo+ID4gfCBrZXlyaW5nIC91c3Ivc2hhcmUva2V5cmluZ3MvZGViaWFuLWtleXJpbmcucGdwCj4gPiB8IGtleXNlcnZlciB3d3drZXlzLmRlLnBncC5uZXQKPiA+IGAtLS0tCj4gPgo+ID4gSGVyZSdzIGEgdHlwZXNjcmlwdCBvZiB3aGF0IGhhcHBlbnMgaW1wb3J0aW5nIGEga2V5Ogo+ID4KPiA+IHBlbmVsb3BlW25pa29sYXVzXSQgZ3BnIC0tcmVjdi1rZXlzIFhYWFhYWFhYCj4gPiBncGc6IHJlcXVlc3Rpbmcga2V5IFhYWFhYWFhYIGZyb20gaGtwIHNlcnZlciB3d3drZXlzLmRlLnBncC5uZXQKPiA+IGdwZzoga2V5IFhYWFhYWFhYOiBwdWJsaWMga2V5ICI8aWQ+IiBpbXBvcnRlZAo+ID4gZ3BnOiBjYW4ndCBjcmVhdGUgYC91c3Ivc2hhcmUva2V5cmluZ3MvZGViaWFuLWtleXJpbmcuZ3BnLnRtcCc6IFJlYWQtb25seSBmaWxlIHN5c3RlbQo+IAo+IEhpIE5pa29sYXVzLAo+IAo+IEkgdGhpbmsgdGhpcyBpcyBub3QgYSBidWcuICBZb3UganVzdCBtaXNzZWQgdGhlIG5leHQgcGFyYWdyYXBoIGluIHRoZQo+IFJFQURNRSwgdGVsbGluZyB5b3UKPiAKPiAsLS0tLQo+IHwgR1BHIGNhbm5vdCBtb2RpZnkga2V5cyBpbiB0aGVzZSByb290LW93bmVkIGZpbGVzLiAgSW4gb3JkZXIgdG8gZWRpdCBvcgo+IHwgc2lnbiBrZXlzIGluIHRoZSBEZWJpYW4ga2V5cmluZyB5b3Ugd2lsbCBmaXJzdCBuZWVkIHRvIGltcG9ydCB0aGVtIHRvCj4gfCB5b3VyIHBlcnNvbmFsIGtleXJpbmcuICBJZiB+Ly5nbnVwZy9ncGcuY29uZiBsaXN0cyB0aGUgZGViaWFuLWtleXJpbmcKPiB8IGZpbGVzLCBrZXlzIGFscmVhZHkgaW4gdGhlIERlYmlhbiBrZXlyaW5nIHdpbGwgbm90IGJlIGltcG9ydGVkIHRvIHlvdXIKPiB8IHBlcnNvbmFsIGtleXJpbmcuICBZb3UgY2FuIHVzZSAiZ3BnIC0tbm8tb3B0aW9ucyAtLWltcG9ydCIgdG8gZm9yY2UKPiB8IEdQRyB0byBpZ25vcmUgZ3BnLmNvbmYgYW5kIGltcG9ydCBrZXlzIHRvIHlvdXIgcGVyc29uYWwga2V5cmluZyBvbmx5Lgo+IGAtLS0tCgpIbW0uICBJJ20gbm90IHZlcnkgZmx1aWQgd2l0aCBnbnVwZywgYnV0IGZpcnN0LCB0aGUgUkVBRE1FIHNlY3Rpb24geW91J3JlCmNpdGluZyBzdGFydHMgd2l0aCB0aGUgY2xlYXIgc3RhdGVtZW50OiAKCiwtLS0tWyBSRUFETUUgXQp8IFVzaW5nIHRoZSBkZWJpYW4ta2V5cmluZyB3aXRoIGdwZwp8IC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQp8CnwgQWRkIHRoZXNlIGxpbmVzIHRvIHRoZSBib3R0b20gb2YgeW91ciB+Ly5nbnVwZy9ncGcuY29uZlsxXSBmaWxlOgp8Cnwga2V5cmluZyAvdXNyL3NoYXJlL2tleXJpbmdzL2RlYmlhbi1rZXlyaW5nLmdwZwp8IGtleXJpbmcgL3Vzci9zaGFyZS9rZXlyaW5ncy9kZWJpYW4ta2V5cmluZy5wZ3AKYC0tLS0KCkFuZCB0aGlzIF9kb2VzIG5vdCB3b3JrXy4gCgo+IFNob3VsZCB3ZSBjbG9zZSB0aGlzIGJ1Zz8KCiAgICBTZWNvbmQsIEkgbWF5IGJlIGxhY2tpbmcgdGhlIG5lY2Vzc2FyeSBpbnNpZ2h0IGhvdyBnbnVwZyB3b3JrcywgYnV0CklJUkMsIHdoZW4gSSBpbmNsdWRlZCB0aGUgZ2l2ZW4gImtleXJpbmciIGxpbmVzIGluIH4vZ3BnLmNvbmYsICBpdCB3YXMKbm90IHRoZSBwcm9jZWR1cmUgb2YgImVkaXRpbmcgb3Igc2lnbmluZyBrZXlzIGluIHRoZSBEZWJpYW4ga2V5cmluZyIKdGhhdCBmYWlsZWQsIGJ1dCB0aGUgcHJvY2VkdXJlIG9mIGltcG9ydGluZyAoYW55KSBrZXlzIGluIG15IHByaXZhdGUKa2V5cmluZy4gIFRoaXMgaXMgZGlmZmVyZW50IGZyb20gd2hhdCB0aGUgcGFyYWdyYXBoIHlvdSBjaXRlZCBzcGVha3MKYWJvdXQuCgpIQU5ELCAKTmlrb2xhdXMKCg