Hello,

* Guilhem Moulin [Wed, Sep 02 2015, 11:49:43PM]:
> Hi,
>
> On Wed, 02 Sep 2015 at 22:20:03 +0200, Eduard Bloch wrote:
> > * Guilhem Moulin [Tue, Sep 01 2015, 10:43:19PM]:
> >> On Tue, 01 Sep 2015 at 22:11:23 +0200, Eduard Bloch wrote:
> > But I saw no trustdb check when caff is working...
>
> caff doesn't create a trust database because it doesn't rely on the WoT

caff doesn't, but, for example, an obvious step after a KSP is to run
gpg --homedir ~/.caff/gnupghome --import something.gpg (the keyring
distributed for that signing party). This simple operation gets you a
trustdb installed into ~/.caff/gnupghome. And yes, I learned about the
--key-file option now after reading the manpage.

However, I am no longer sure that my problem is really related to the
trustdb. I just restored the suspicious gnupghome directory, then removed
trustdb.gpg there and tried again. Result: the original error "Legacy
key". So the apparent fix via a single --check-trustdb run is probably a
red herring, and the original issue (failing automated migration) still
persists.

> > This makes me wonder, I see --no-auto-check-trustdb in your gpg options...
> > maybe this is the key? It needs to update the trustdb prior to migration
> > but it's forbidden.
>
> Then this should be forwarded to upstream GnuPG. --trust-model=always
> should skip any operation on the trust database, including trust value
> updates.

Ok... it's not explained like this in the manpage, but I'd assume it.

> > It shouldn't do anything if no update is needed. I checked that:
> > restored the broken dir, reproduced the mentioned problem, called the
> > command, watched the update finish, called caff again, and it worked
> > just fine.
>
> Yes it does something: if there was no ‘~/.caff/gnupghome/trustdb.gpg’
> file then it is created. IMHO it's a quite ugly hack to involve a trust
> database operation since caff has never relied on a trust model. I'd
> rather forward the issue to GnuPG.

Agreed. This whole thing looks more and more like a gpg2 issue.

> Your test shows that gpg2 is able to perform the keyring migration (with
> --trust-model=always) on a fresh ‘~/.caff/gnupghome’, i.e., when no trust
> database exists. So this should only be an issue if you have been
> fiddling around with ‘gpg --homedir ~/.caff/gnupghome’ manually, right?

I only said that --check-trustdb had fixed it, and I suspected some things
from that moment. And "manually" is such an ugly word...

Regards,
Eduard.