verifying signatures when GNUPGHOME is on a read-only filesystem
Bryce Nichols
bryce at bnichols.org
Mon Jul 11 20:08:53 CEST 2005
I would like to use gnupg to verify signatures when $GNUPGHOME is on a
read-only filesystem. Using --lock-never and --no-auto-check-trustdb
allows this except that the code that opens the trust database (in the
file ${GNUPGHOME}/trustdb.gpg typically) will conclude it's a fatal error
if the file cannot be opened read-write, unless the error code was only
EACCES. Therefore, to make this work for my situation (where the
error code is EROFS), I've applied the following patch to the 1.4.1 version
of GnuPG:
diff -ur gnupg-1.4.1/g10/tdbio.c gnupg-1.4.1.new/g10/tdbio.c
--- gnupg-1.4.1/g10/tdbio.c 2004-10-14 03:11:56.000000000 -0400
+++ gnupg-1.4.1.new/g10/tdbio.c 2005-07-11 13:24:57.000000000 -0400
@@ -591,7 +591,7 @@
log_fatal( _("can't lock `%s'\n"), db_name );
#endif /* __riscos__ */
db_fd = open (db_name, O_RDWR | MY_O_BINARY );
- if (db_fd == -1 && errno == EACCES) {
+ if (db_fd == -1 && (errno == EACCES || errno == EROFS)) {
db_fd = open (db_name, O_RDONLY | MY_O_BINARY );
if (db_fd != -1)
log_info (_("NOTE: trustdb not writable\n"));
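Review bot: The widened check at `+ if (db_fd == -1 && (errno == EACCES || errno == EROFS)) {` makes the open fall back to read-only on a read-only mount, but the lock step just above it (`log_fatal( _("can't lock `%s'\n"), db_name );`) is untouched, so the fallback only helps when the caller also passes --lock-never; a comment at the fallback stating that precondition, or a check that locking was disabled before taking the read-only path, would make that dependency explicit in the code rather than only in the mail. Since EROFS means every later write to the trustdb will fail as well, consider making the `NOTE: trustdb not writable` message name the cause (permission vs. read-only filesystem) so an operator can tell the two situations apart in the log.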
This may not be the "right" solution to the problem, but it works for me.
Perhaps a better way to do this is to add a flag that is explicitly for
working with a strictly read-only $GNUPGHOME. Or maybe
--no-auto-check-trustdb should enable the behavior (it's still needed
anyway for the verification to succeed on a read-only mounted
filesystem).
Thank you,
Bryce
More information about the Gnupg-devel mailing list