gnupg doesn't like empty trustdb file
Closed, ResolvedPublic

Description

I'm creating two empty files which shall serve as primary keyring and trustdb:

echo -n > /tmp/gpgpyjOTOJX
echo -n > /tmp/gpgpy-tdbN200eB

I then try to import a key into this keyring:

'gpg2' '--command-fd' '0' '--with-fingerprint' '--list-options'
'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire'
'--no-default-keyring' '--trustdb-name' '/tmp/gpgpy-tdbN200eB' '--status-fd' '2'
'--quiet' '--batch' '--primary-keyring' '/tmp/gpgpyjOTOJX' '--fixed-list-mode'
'--no-tty' '--with-colons' '--use-agent' '--import' < /tmp/k.asc

gpg, however fails:

gpg: Fatal: /tmp/gpgpy-tdbN200eB: invalid trustdb

Funnily enough: If run a second time, it doesn't complain.

On a related note: I realise that gpg doesn't like an empty trustdb file. It
works fine if I give a non-existing filename. Then gpg happily creates that file
for me. That behaviour is obviously different from the primary keyring file.
I expected gpg to be more coherent there.

I wished gpg would accept that empty file for its trustdb because then I can
have the file managed by, say, Python's NamedTempFile. Now I need to implement
logic for cleaning up myself.

Details

Version
2.1
4tmuelle set Version to 2.1.
4tmuelle added a subscriber: 4tmuelle.
werner added a subscriber: werner.Jul 14 2016, 2:08 PM

Please do not mess around with file managed by GnuPG. It is not your business ;-).

I'd strongly suggest to use a temporary home directory and use --import and
--import-ownertrust to add keys.

The only messing I want to do is to a) not tamper with the user's homedir and b)
not leak any files after I'm done.

For a) a homedir sounds fine. But then I can't use the user's secret keys to
sign other keys.
For b) I tried to rely on existing infrastructure to make my life easier. I
expected it to work because it did for the primary keyring. But GnuPG behaves
inconsistently regarding the primary keyring and the trustdb file. Even more
so, because running gpg a second time just appears to work. That makes gpg not
intuitive to use, I think.

And this is, I guess, the main issue I'm seeing.

justus closed this task as Resolved.Aug 10 2016, 4:54 PM
justus claimed this task.
justus added a subscriber: justus.

Actually, I'd argue that tdbio_set_dbname did not handle this case correctly. In
any case, if you must create some temporary gnupghomes, deleting the whole
directory might be both easier and more robust.

Fixed in a27410a2.