ownertrust database cleared on gpg 2.1 key import

Werner Koch wk at gnupg.org
Wed Nov 12 08:59:41 CET 2014


On Sat,  8 Nov 2014 00:24, dkg at fifthhorseman.net said:

> It looks to me like gpg 2.1.0 is clearing parts of the ownertrust
> database when used with the same homedir as 1.4.x.  There may be other
> circumstances where ownertrust is cleared as well.

>  * is it intentional for gpg2 to clear the trustdb entry for a key that
>    it didn't have a copy of, but which was mentioned in the trustdb?


Yes.  AFAICS we implemented that back in 2002.  There are 3 places where
we clear the ownertrust values (cf. clear_ownertrusts()):

1. Deleting a public key.

   We can assume that there is a reason for deleting a key.  For example
   it is known that the key has been compromised and the user simply
   deletes it from the keyring.  It would be surprising if ownertrust
   values persist and would be used the next time the key gets
   accidentally imported.

   This is in particular troublesome for an ultimately trusted key.

2. Importing a key

   /* This should not be possible since we delete the
      ownertrust when a key is deleted, but it can happen if
      the keyring and trustdb are out of sync.  It can also
      be made to happen with the trusted-key command. */
   clear_ownertrusts (pk);

   Thus it is closely related to deleting a key.

3. Importing a revocation certificate

   /* If the key we just revoked was ultimately trusted, remove its
      ultimate trust.  This doesn't stop the user from putting the
      ultimate trust back, but is a reasonable solution for now. */
   if(get_ownertrust(pk)==TRUST_ULTIMATE)
      clear_ownertrusts(pk);


The simplest solution would be to use a different trustdb for keys
stored in a keybox (pubring.kbx).  However, this conflicts with the goal
of allow several keyrings and the user would have the burden to maintain
two sets of ownertrust.

The actual problem is the use of this command

  gpg --export | gpg2.1 --import

As described above --import will clear the ownertrust values which in
this case is not desirable.  The only solution I see is an import option
which inhibits the trustdb updates or a separate command for this case
(--migrate-import).  Or to use

  gpg --export-ownertrust >ownertrust
  gpg --export | gpg2.1 --import
  gpg --import-ownertrust ownertrust

I tend to implement an import options to make this easier.  Maybe even a
command to do that.  As a first step I will change the introductions on
how to use the faster keyring format.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




More information about the Gnupg-devel mailing list