Page MenuHome GnuPG
Create Task
Maniphest T7265

When "use_keyboxd" is configured --keyring option is ignored?
Closed, ResolvedPublic
Actions

Description

We have a tool for password management that uses the --keyring option to access the tools own keyring.

When a new team member installed gnupg and generated his keys gnugp wrote a common.conf with use_keyboxd. As long as this line is in the common.conf file this command will only list the public keys in the keybox and not in the specified .keyringy file:

gpg --no-default-keyring --keyring=./.keyring -k

which is a bit surprising. I think that when --keyring is specified it should (also?) list the public keys in the .keyring no matter if use_keyboxd is specified.

gpg 2.4.5 installed with brew on a mac.

gpg (GnuPG) 2.4.5
libgcrypt 1.10.3
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/elvin.baloku@schibsted.com/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Thanks!

Details

Version
2.4.5

Revisions and Commits

rG GnuPG
rG92667aa8c208 gpg: Warn if a keyring is specified along with --use-keyboxd.
rG3171ca9b949b gpg: Warn if a keyring is specified along with --use-keyboxd.

Event Timeline

janl created this task.Aug 22 2024, 10:12 AM
werner edited projects, added Support, FAQ, gnupg, keyboxd; removed Bug Report.Aug 22 2024, 10:29 AM
werner added a subscriber: werner.

The --keyring option is deprecated and does not work at all if the keyboxd is used. This is the default for a new GnuPG 2.4 installation.

The long standing suggestion for using a separate set of keys is to use a different GNUPGHOME. The problem with adding and removing a keyring is that other meta information are hold in other files and things get messed up if parts of the GNUPGHOME are modified. Thus use

GNUPGHOME=/mytools/home/gnupg  gpg foo

and you have full control over everything. In case you are concerned about stopping the gpg-agent or otehr background prosesses you may shut them down with

GNUPGHOME=/mytools/home/gnupg gpgconf -K all

Obviously you should export GNUPGHOME or you can start your software like this

GNUPGHOME=/mytools/home/gnupg gpg-agent --daemon /foo/bar/myownshell

which has the advantage that when myownshell terminates gpg-agent and other dameons are shutdown as weel after a couple of seconds.

janl added a comment.Aug 22 2024, 10:55 AM

Right, thanks for the information. Might I suggest printing a warning when --keyring is given?

Thanks again!

werner added a commit: rG3171ca9b949b: gpg: Warn if a keyring is specified along with --use-keyboxd..Aug 23 2024, 9:19 AM
werner closed this task as Resolved.Aug 23 2024, 9:19 AM
werner claimed this task.

Good idea. Done for master and gnupg24

werner added a commit: rG92667aa8c208: gpg: Warn if a keyring is specified along with --use-keyboxd..Aug 23 2024, 9:21 AM