FS#42850 - [gnupg] [pacman] sudo pacman-key --import /home/[user]/.gnupg can create duplicate public key
Attached to Project:
Arch Linux
Opened by Colin Keenan (colinkeenan) - Wednesday, 19 November 2014, 18:16 GMT
Last edited by Gaetan Bisson (vesath) - Wednesday, 19 November 2014, 23:34 GMT
Details
Description:
Following advice from 3 wiki pages to create a gnupg key ends up making a duplicate entry in ~/.gnupg/pubring.gpg

Additional info:
* pacman-key (pacman) 4.1.2
* gpg (GnuPG) 2.0.26
  libgcrypt 1.6.2
  Home: ~/.gnupg
  Supported algorithms:
  Pubkey: RSA, RSA, RSA, ELG, DSA
  Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
  Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  Compression: Uncompressed, ZIP, ZLIB, BZIP2
* modified default ~/.gnupg/gpg.conf with the following at the end:

  # From https://wiki.archlinux.org/index.php/GnuPG#Create_key
  personal-digest-preferences SHA512
  cert-digest-algo SHA512
  default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
  personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES

  # From https://wiki.archlinux.org/index.php/Makepkg#Signature_checking
  keyring /etc/pacman.d/gnupg/pubring.gpg

Steps to reproduce (using my name throughout, but another user would of course use their name):

1. gpg -k colin (there isn't any, but this creates ~/.gnupg and default files)
2. edit ~/.gnupg/gpg.conf and add recommended stuff as documented in https://wiki.archlinux.org/index.php/GnuPG#Create_key and https://wiki.archlinux.org/index.php/Makepkg#Signature_checking
   I suspect the troublesome line is:
   keyring /etc/pacman.d/gnupg/pubring.gpg
   recommended in the makepkg wiki
3. gpg --gen-key
4. sudo pacman-key --import /home/colin/.gnupg

Now there will be a duplicate listing given by:

gpg -k colin

(where 'colin' matches my email part of the uid, and -k is short for --list-public-keys)

When it first happened, I didn't know why, but backed up my ~/.gnupg, deleted ~/.gnupg, and followed these steps exactly, and the same thing happened again. This can easily be reproduced.

Before repeating the steps, I had managed to remove the duplicate following these steps:

cd
cp -r .gnupg .gnupg-backup
gpg --edit-key colin
gpg> adduid (added Colin N Keenan, original was Colin Keenan)
gpg> save
gpg --edit-key "Colin N Keenan"
gpg> 2 (because "Colin Keenan" was the 2nd uid)
gpg> deluid
gpg> save
gpg --delete-secret-key "Colin N Keenan"
gpg --delete-key "Colin N Keenan"
cp .gnupg/pubring.gpg .gnupg-backup
rm -r .gnupg
cp -r .gnupg-backup .gnupg

After removing the duplicate, and reproducing the duplicate by generating a 2nd key, then restoring the backup with only one key, I ended up with both public keys still listed. The 2nd public key was still in /etc/pacman.d/gnupg/pubring.gpg which is listed as the keyring in my gpg.conf.

After experimenting, I discovered the only way to remove the 2nd generated key was to do the following:

sudo gpg --homedir /home/colin/.gnupg --delete-key colinkeenan

I had to specify --homedir because sudo didn't have the same home directory, I guess. I had to use sudo because of the keyring being in /etc/pacman.d/gnupg/pubring.gpg. By the way, I first tried to set --homedir to /etc/..., but that complained about unsafe permissions on homedir `/etc/pacman.d/gnupg'. Setting --homedir to my home directory worked though, and this might be the root of the issue with what's wrong with pacman-key.
Closed by Gaetan Bisson (vesath)
Wednesday, 19 November 2014, 23:34 GMT
Reason for closing: Not a bug
https://bugs.g10code.com/gnupg/issue1763
So, the reason I got the key duplicated in gpg -k before is because it was first listing the one key in ~/.gnupg/pubring.gpg, then listing all the keys in /etc/pacman.d/gnupg/pubring.gpg, including mine since I had done sudo pacman-key --import /home/colin/.gnupg
Now I'm thinking it was supposed to list my key twice and that I've screwed things up by making ~/.gnupg/pubring.gpg empty.
Can anyone confirm it is normal to get a double listing of your public key if you do sudo pacman-key --import /home/colin/.gnupg and also have keyring /etc/pacman.d/gnupg/pubring.gpg in gpg.conf?
keyring /etc/pacman.d/gnupg/pubring.gpg
in gpg.conf, is it safe to just delete ~/.gnupg/pubring.gpg after importing it into the pacman pubring.gpg?
All the complicated steps I took to "fix" the duplicate entry ended up being equivalent to simply deleting ~/.gnupg/pubring.gpg. Is that safe though?
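The double listing described in the comment above can be told apart from a genuinely second generated key by comparing fingerprints: one key read from two keyrings shows the same fingerprint twice, two real keys show two different ones. This is an added example, not code from the report or from pacman/gnupg; it parses a constructed sample of gpg's colon-format listing and counts the keyring files a given gpg.conf makes gpg read.

```shell
#!/bin/sh
# Added example, not from the bug report or from pacman/gnupg: tell a key that
# gpg -k lists twice because gpg.conf names an extra "keyring" file apart
# from a genuinely second generated key. Same fingerprint twice means one key
# read from two keyrings; different fingerprints mean two real keys.

# Constructed sample of `gpg --with-colons --list-public-keys` output: the
# reporter's key appears once from ~/.gnupg/pubring.gpg and once from
# /etc/pacman.d/gnupg/pubring.gpg. Fingerprints and uids are placeholders.
SAMPLE_LISTING='tru::1:1416420000:0:3:1:5
pub:u:2048:1:1111111111111111:1416420000:::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1416420000::0000000000000000000000000000000000000000::Colin Keenan <colin@example.com>:
pub:u:2048:1:1111111111111111:1416420000:::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1416420000::0000000000000000000000000000000000000000::Colin Keenan <colin@example.com>:
pub:u:2048:1:2222222222222222:1416420000:::u:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
uid:u::::1416420000::0000000000000000000000000000000000000000::Arch Packager <pkg@example.org>:'

# Read a colon-format listing on stdin; print "<count> <fingerprint>" for every
# fingerprint (field 10 of an fpr record) seen more than once.
# Real use: gpg --with-colons -k | dup_fprs
dup_fprs() {
    awk -F: '$1 == "fpr" { seen[$10]++ }
             END { for (f in seen) if (seen[f] > 1) print seen[f] " " f }' | sort
}

# Number of keyring files gpg will read: the default pubring plus each
# "keyring" line in the given gpg.conf (1 if the file is missing).
keyring_count() {
    extra=$(grep -c '^[[:space:]]*keyring[[:space:]]' "$1" 2>/dev/null || true)
    echo $(( ${extra:-0} + 1 ))
}

dups=$(printf '%s\n' "$SAMPLE_LISTING" | dup_fprs)
if [ -n "$dups" ]; then
    echo "same key listed from more than one keyring:"
    echo "$dups"
fi
```

Against a real setup, `keyring_count ~/.gnupg/gpg.conf` returning 2 with the wiki's keyring line explains the second listing without anything being wrong with either pubring.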
Please refrain from adding "recommended stuff" to your configuration file unless you fully understand them and are ready to support them yourself. Blindly copy-pasting random commands from the wiki into your terminal is an easy way to mess with your system.
Packages from our official repositories should work out-of-the-box with no such modifications. Otherwise, please report unexpected behaviors as bugs.