[PATCH gpa] Load the secret keyring before the public one.

Damien Goutte-Gattat dgouttegattat at incenp.org
Thu Mar 29 14:52:57 CEST 2018

Hi GnuPG folks,

I sent the patch below a few weeks ago to tentatively fix bug 3748,
which affects GPA when using a TOFU trust model.

Any follow-up on this?

I am not sure this is the best way to fix 3748, but for what it's
worth, I am using GPA with this patch applied since I first posted
it and never ran into the bug again, nor into any other problem.

-- >8 --
Subject: [PATCH gpa] Load the secret keyring before the public one.

* src/keylist.c (gpa_keylist_init): Forcefully load the secret
keyring before attempting to load the public keys.

Gpa loads the private keyring in a kind of "lazy mode", in that
the private keyring is only loaded the first time Gpa needs to
lookup a private key. This normally happens during the loading
of the public keyring, since for each public key Gpa must lookup
in the private keyring to check whether a private counterpart is

The result is that a Gpg process is spawn to list the secret keys
while another Gpg process is still listing the public keys. If
the trust model happens to be TOFU or TOFU+PGP, this can cause
some problems with regard to the locking of the TOFU database.

To avoid that, this patch makes sure the private keyring is
actively and synchronously loaded before we fetch the public keys
(no more lazy loading).

GnuPG-bug-id: 3748
Signed-off-by: Damien Goutte-Gattat <dgouttegattat at incenp.org>
 src/keylist.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/keylist.c b/src/keylist.c
index 442da08..2c8e7e8 100644
--- a/src/keylist.c
+++ b/src/keylist.c
@@ -231,7 +231,16 @@ gpa_keylist_init (GTypeInstance *instance, void *class_ptr)
-      /* Initialize from the global keytable.  */
+      /* Initialize from the global keytable.
+       *
+       * We must forcefully load the secret keytable first to
+       * prevent concurrent access to the TOFU database. */
+      gpa_keytable_force_reload (gpa_keytable_get_secret_instance (),
+                                 NULL, (GpaKeyTableEndFunc) gtk_main_quit,
+                                 NULL);
+      gtk_main ();
+      /* Now we can load the public keyring. */
       gpa_keytable_list_keys (gpa_keytable_get_public_instance(),
                               gpa_keylist_next, gpa_keylist_end, list);

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180329/f9244718/attachment.sig>

More information about the Gnupg-devel mailing list