
GnuPG accessed from > 1 PC simultaneously
Closed, Resolved (Public)

Description

GPG keys are stored under C:\Documents and Settings\<user>\Application
Data\gnupg. If you have a roving profile, this area may become corrupted if you
try accessing the keys (e.g. using GPA) from >1 PC simultaneously. I've had to
move gnupg to gnupg.old and import my keys from backups to get round this
corruption.

It would be nice if GnuPG could handle > 1 PC accessing the keys simultaneously.

Details

Version
1.4.9

Event Timeline

jonomcc added projects: gnupg, Bug Report.
jonomcc added a subscriber: jonomcc.
werner added a subscriber: werner.

You are the first one to report this, despite the fact that GnuPG for Windows is 9 years
or so old. It is not only a problem with several PCs but also if you run
several GPG processes on one box. The file locking is simply missing.

We have fixed this problem in GnuPG 2.0.10 - you may use that version or wait
until we have backported it to GnuPG 1.4. We recommend the use of GnuPG 2.x on
Windows anyway; it is available in the Gpg4win installer (http://www.gpg4win.org).

Thanks for the info. This may be related to:
T1008
...where GnuPG2 doesn't get installed sometimes.

I notice you can't unselect the older GnuPG, so gpg v1.4.9 still gets installed.
Anyway, I reinstalled GPG4Win (1.1.4) and ensured I installed GnuPG2 (2.0.10).

However, GPA still seems to be using gpg (1.1.4) instead of gpg2 (2.0.10), as I
still have the problem:

  • gpg commands work fine on primary PC
  • gpg commands not working on secondary, e.g...

C:\>gpg --list-keys
gpg: using character set `CP850'
gpg: using PGP trust model
gpg: key <KEY-ID>: accepted as trusted key
gpg: key <KEY-ID>: accepted as trusted key
gpg: checking the trustdb
Assertion failed: keyblock->pkt->pkttype == PKT_PUBLIC_KEY, file /home/wk/src/gp
g4win11/build/gpg4win-1.1.4/src/playground/build/gnupg-1.4.9/g10/keyring.c, line
1387
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

Any tips on where I've gone wrong..? Thanks.

There are two problems: The first is that GPA uses GnuPG-1, I need to check
this but it should not matter because the problem in T1008 is that the
gpgconf tool from GnuPG-2 is missing. There is no problem using both versions
of GnuPG at the same time.

The second problem is that your pubring.gpg is corrupted on the second box. Are
you really sure that this is a shared directory?

The problem for me is that I'm using a Windows Roaming profile. That means I'm
using a COPY of my profile on 2 separate machines. Any changes on one machine
are not detected by the other. On logout, any changes are synched back to the
Profile Server.
To get round this, I need to stop using the Windows Profile area to store keys.
I stumbled on this...
http://lists.gnupg.org/pipermail/gnupg-users/2008-April/033224.html
...and set my gpg.conf to the following...

###+++--- GPGConf ---+++###
utf8-strings
keyserver hkp://keyserver.ubuntu.com
###+++--- GPGConf ---+++### 04/21/09 15:15:20 GMT Daylight Time
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.

no-default-keyring
primary-keyring U:\gnupg\pubring.gpg
secret-keyring U:\gnupg\secring.gpg
trustdb-name U:\gnupg\trustdb.gpg
keyring U:\gnupg\pubring.gpg

...where U: is my network home area. This now works properly, at command line
AND GPA level - changes to keyring reflected immediately on both PCs.

File locking is now implemented for W32 (svn rev 4992).

Does the roaming mean that windows constantly syncs the two directories? If
that is the case, the missing locking was indeed a problem. However, depending
on how Windows does it, the new locking code won't help, because gpg does not
take a FileLock on the actual file but on FILE.lock.

The corruption indicated by the assertion failure seems to happen due to the
sync process changing the files behind the back of gpg. This syncing needs more
investigation.
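
The FILE.lock scheme mentioned above, sketched as an added C example (not part of this thread and not GnuPG's own locking code): the lock is a sidecar file created atomically next to the data file, so it only serialises processes that see the same directory. The function names and sample path are hypothetical, and POSIX open() is assumed rather than the Win32 API.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helpers for illustration; not GnuPG's own locking code. */
static int lock_name(const char *file, char *buf, size_t len) {
    int n = snprintf(buf, len, "%s.lock", file);      /* FILE -> FILE.lock */
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

/* O_CREAT|O_EXCL creates the lock file atomically: of all processes that see
   the same directory, exactly one succeeds; the rest get -1 with EEXIST. */
int sidecar_lock(const char *file) {
    char name[512], pid[32];
    if (lock_name(file, name, sizeof name) < 0) return -1;
    int fd = open(name, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0) return -1;
    int n = snprintf(pid, sizeof pid, "%ld\n", (long)getpid());
    int ok = write(fd, pid, (size_t)n) == n;          /* record the owner */
    if (close(fd) != 0 || !ok) { unlink(name); return -1; }
    return 0;
}

int sidecar_unlock(const char *file) {
    char name[512];
    return lock_name(file, name, sizeof name) < 0 ? -1 : unlink(name);
}

/* Append a record to the data file only while holding FILE.lock. */
int locked_append(const char *file, const char *record) {
    if (sidecar_lock(file) < 0) return -1;
    int rc = -1;
    FILE *fp = fopen(file, "ab");
    if (fp) {
        rc = fputs(record, fp) >= 0 ? 0 : -1;
        if (fclose(fp) != 0) rc = -1;
    }
    sidecar_unlock(file);
    return rc;
}

int main(void) {
    const char *ring = "example-pubring.gpg";         /* constructed sample path */
    int first = sidecar_lock(ring), second = sidecar_lock(ring);
    printf("first=%d second=%d (%s)\n", first, second, second ? strerror(errno) : "ok");
    sidecar_unlock(ring);
    return locked_append(ring, "record\n") == 0 ? 0 : 1;
}
```

Two per-machine copies of the same keyring each get their own FILE.lock, so both writers acquire a lock and neither is blocked.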

The roaming causes each PC to take a copy of the "C:\Documents and
Settings\<user>\Application Data\gnupg" directory at login. If 2 PCs log in
simultaneously, they'll each get a COPY. They can then make separate changes,
but don't see updates made by the other user. When they log out, their changes
are uploaded back to the Profile server. The last person to log out overwrites
the changes made by the 1st user to log out.

I got round this by specifying a simple network share that each user can access
simultaneously. This works fine as file locking works properly in GNUPG2.

It would be nice to have a GUI option in future that makes it easy to specify
where to put the keystore, rather than the default Application Data directory.
This can be done anyway using the gpg.conf changes shown below.

You can change the location of the keystore by setting the environment variable
GNUPGHOME.

Another way to change it is by using the registry entry:
HKCU\Software\GNU\GnuPG:HomeDir