We're trying to get a full implementation of package and database signing going for Arch Linux using gpgme/gpg, and have run into a few small hiccups. The goal was to actually use the web of trust features rather than relying on gpgv and trusting everything in a given keyring, as it seems every other distro using signing has done. However, gpg is very particular about permissions, locking, and ownership, and when layering gpgme on top of this, it becomes even harder to work within the bounds of what is available.
A quick console session is shown below. Basically the idea is the system GPG homedir used by the package manager is located at /etc/pacman.d/gnupg/, and is world readable, as are all the files within. There will never be private key information in this location.

So my questions are:

1. Does anyone else have experience with a keyring shared among users?
2. What is best/secure practice when it comes to this? Outside of --lock-never, yum does something that seems silly, but works: make a user-owned copy of the entire keyring directory and then use that.
3. gpgme doesn't allow us to bypass the trustdb.gpg locking; is there any possibility of allowing gpgme to run with --lock-never in a read-only mode?

Any feedback is welcome, thanks in advance!

-Dan

$ sudo gpg --homedir /etc/pacman.d/gnupg --verify /home/makepkg/packages/libmysqlclient-5.5.12-1-x86_64.pkg.tar.xz.sig
gpg: WARNING: unsafe permissions on homedir `/etc/pacman.d/gnupg'
gpg: Signature made Tue 17 May 2011 09:13:06 AM CDT using DSA key ID F53A76ED
gpg: Good signature from "Dan McGee <dpmc...@gmail.com>"
gpg:                 aka "Dan McGee (Developer) <d...@archlinux.org>"
gpg:                 aka "Dan McGee (Jabber) <toofis...@toofishes.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A5CA 9D55 15DC 2CA7 3DF7 48CA 5C2E 46A0 F53A 76ED

$ gpg --homedir /etc/pacman.d/gnupg --verify /home/makepkg/packages/libmysqlclient-5.5.12-1-x86_64.pkg.tar.xz.sig
gpg: WARNING: unsafe ownership on homedir `/etc/pacman.d/gnupg'
gpg: Signature made Tue 17 May 2011 09:13:06 AM CDT using DSA key ID F53A76ED
gpg: failed to create temporary file `/etc/pacman.d/gnupg/.#lk0x149f680.galway.5260': Permission denied
gpg: fatal: can't create lock for `/etc/pacman.d/gnupg/trustdb.gpg'
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768

$ gpg --lock-never --homedir /etc/pacman.d/gnupg --verify /home/makepkg/packages/libmysqlclient-5.5.12-1-x86_64.pkg.tar.xz.sig
gpg: WARNING: unsafe ownership on homedir `/etc/pacman.d/gnupg'
gpg: Signature made Tue 17 May 2011 09:13:06 AM CDT using DSA key ID F53A76ED
gpg: NOTE: trustdb not writable
gpg: Good signature from "Dan McGee <dpmc...@gmail.com>"
gpg:                 aka "Dan McGee (Developer) <d...@archlinux.org>"
gpg:                 aka "Dan McGee (Jabber) <toofis...@toofishes.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A5CA 9D55 15DC 2CA7 3DF7 48CA 5C2E 46A0 F53A 76ED

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
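The two workarounds discussed in the post, the yum-style private copy of the shared homedir and the read-only --lock-never verify, as an added shell example that is not part of the original message or of pacman. The shared homedir path and signature file are parameters; the copy step is what makes the trustdb lock possible for an unprivileged user.

```shell
#!/bin/sh
# Added example: verify a detached signature against a shared, world-readable
# system keyring (e.g. /etc/pacman.d/gnupg) that the calling user does not own.
set -u

# Make a private, user-owned copy of the shared homedir so gpg can create its
# trustdb lock file and will not warn about unsafe permissions/ownership.
# The shared dir holds public key material only, so copying it is harmless.
# Prints the path of the private copy; returns non-zero on failure.
make_private_keyring() {
    shared="$1"
    priv=$(mktemp -d "${TMPDIR:-/tmp}/shared-gnupg.XXXXXX") || return 1
    # Copy contents (including dot-files and subdirs such as private-keys-v1.d).
    cp -Rp "$shared"/. "$priv"/ || { rm -rf "$priv"; return 1; }
    # gpg wants the homedir and its files readable by the owner only.
    chmod 700 "$priv" && chmod -R go-rwx "$priv" || { rm -rf "$priv"; return 1; }
    printf '%s\n' "$priv"
}

# yum-style: verify against a throwaway private copy, then discard it.
verify_via_private_copy() {
    shared="$1"; sig="$2"
    priv=$(make_private_keyring "$shared") || return 1
    gpg --homedir "$priv" --verify "$sig"
    rc=$?
    rm -rf "$priv"
    return $rc
}

# Read-only alternative: skip the trustdb lock entirely. gpg then reports
# "trustdb not writable" but still checks the signature.
verify_lock_never() {
    shared="$1"; sig="$2"
    gpg --lock-never --homedir "$shared" --verify "$sig"
}

# Usage (only when run directly with arguments): <shared-homedir> <sig-file>
if [ "$#" -eq 2 ]; then
    verify_via_private_copy "$1" "$2"
fi
```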