
gpg: quick-gen-key and quick-add-uid require --check-trustdb to make trust in user ids "ultimate"
Open, Low, Public

Description

How to reproduce:

$ export GNUPGHOME=$(mktemp -d)

$ echo "no-auto-check-trustdb" >${GNUPGHOME}/gpg.conf

$ gpg --version
gpg (GnuPG) 2.3.5-beta100
libgcrypt 1.11.0
NOTE: THIS IS A DEVELOPMENT VERSION!
It is only intended for test purposes and should NOT be
used in a production environment or with production keys!
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /tmp/tmp.IhTQQai7D1
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

$ gpg --yes --quick-gen-key foo@bar.baz
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: keybox '/tmp/tmp.IhTQQai7D1/pubring.kbx' created
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /tmp/tmp.IhTQQai7D1/trustdb.gpg: trustdb created
gpg: directory '/tmp/tmp.IhTQQai7D1/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/tmp.IhTQQai7D1/openpgp-revocs.d/B2D4C44C519DBE7F2F11945A6CB61A4817A770B0.rev'
public and secret key created and signed.

pub   ed25519 2022-04-08 [SC] [expires: 2024-04-07]
      B2D4C44C519DBE7F2F11945A6CB61A4817A770B0
uid                      foo@bar.baz
sub   cv25519 2022-04-08 [E]

$ gpg -k
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: please do a --check-trustdb
/tmp/tmp.IhTQQai7D1/pubring.kbx
-------------------------------
pub   ed25519 2022-04-08 [SC] [expires: 2024-04-07]
      B2D4C44C519DBE7F2F11945A6CB61A4817A770B0
uid           [ unknown] foo@bar.baz
sub   cv25519 2022-04-08 [E]

$ gpg --check-trustdb 
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2024-04-07

$ gpg -k
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
/tmp/tmp.IhTQQai7D1/pubring.kbx
-------------------------------
pub   ed25519 2022-04-08 [SC] [expires: 2024-04-07]
      B2D4C44C519DBE7F2F11945A6CB61A4817A770B0
uid           [ultimate] foo@bar.baz
sub   cv25519 2022-04-08 [E]

$ gpg --quick-add-uid foo@bar.baz bar@baz.foo
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!

$ gpg -k
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
/tmp/tmp.IhTQQai7D1/pubring.kbx
-------------------------------
pub   ed25519 2022-04-08 [SC] [expires: 2024-04-07]
      B2D4C44C519DBE7F2F11945A6CB61A4817A770B0
uid           [ unknown] bar@baz.foo
uid           [ultimate] foo@bar.baz
sub   cv25519 2022-04-08 [E]

$ gpg --check-trustdb 
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2024-04-07

$ gpg -k
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
/tmp/tmp.IhTQQai7D1/pubring.kbx
-------------------------------
pub   ed25519 2022-04-08 [SC] [expires: 2024-04-07]
      B2D4C44C519DBE7F2F11945A6CB61A4817A770B0
uid           [ultimate] bar@baz.foo
uid           [ultimate] foo@bar.baz
sub   cv25519 2022-04-08 [E]

I think it's confusing that an explicit --check-trustdb is required after generating a new key or adding another user id if the automatic check of the trustdb is disabled.

Additionally, after adding another user id gpg doesn't even warn "please do a --check-trustdb". This could mean that even "auto-check-trustdb" wouldn't work because I guess/hope that the code printing the warning and the code doing the automatic trustdb check use the same heuristic for determining whether a "check-trustdb" is needed.
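An added check (not from the GnuPG project or this report) that a provisioning script running with `no-auto-check-trustdb` can apply after `--quick-gen-key` or `--quick-add-uid`: it reads `gpg --with-colons -k` output and flags user ids on an ultimately-trusted key whose own validity is not yet ultimate, which is exactly the stale state shown above before `--check-trustdb`. The colon-format sample is constructed to mirror that state, and the field positions (uid validity in field 2, ownertrust in field 9 of the pub record) are assumed from gpg's colon-listing format; the uid hashes and subkey id are placeholders.

```shell
# Added example, not GnuPG's own code. Reads `gpg --with-colons -k` on stdin
# and prints user ids that sit on an ultimately-trusted key (pub record,
# field 9 == "u") but whose validity (uid record, field 2) is not "u".
# Any output means the trustdb is stale and `gpg --check-trustdb` is needed.
stale_uids() {
    awk -F: '
        $1 == "pub" { own = $9 }                      # ownertrust of current key
        $1 == "uid" && own == "u" && $2 != "u" { print $10 }
    '
}

# Constructed sample: the listing right after --quick-add-uid and before
# --check-trustdb (foo@bar.baz already ultimate, bar@baz.foo still unknown).
# Uid hashes and the subkey id are placeholders, not values from the report.
SAMPLE='pub:u:256:22:6CB61A4817A770B0:1649376000:1712448000::u:::scESC:::::ed25519:::0:
fpr:::::::::B2D4C44C519DBE7F2F11945A6CB61A4817A770B0:
uid:-::::1649376000::0000000000000000000000000000000000000000::bar@baz.foo::::::::::0:
uid:u::::1649376000::1111111111111111111111111111111111111111::foo@bar.baz::::::::::0:
sub:u:256:18:0000000000000000:1649376000::::::e:::::cv25519::'

# How a script would use it: replace SAMPLE with `gpg --with-colons -k`
# and run `gpg --check-trustdb` when anything is reported.
stale="$(printf '%s\n' "$SAMPLE" | stale_uids)"
if [ -n "$stale" ]; then
    echo "trustdb stale for: $(printf '%s' "$stale" | tr '\n' ' ')"
    echo "run: gpg --check-trustdb"
fi
```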

Event Timeline

The reason for this is probably that we expect that several UIDs are added and running a check-trustdb for each leads to some extra waiting time.

werner added a project: Feature Request.

Printing a note as we do in --edit-key is a good idea.