gnupg problems

Peter Gillett
Fri Aug 2 03:35:02 2002

> i did a simply script which reads a
> file "cleartext" saved by a cgi script
> my script just reads this text files
> encrypts it and send its via mail to
> rcpt.
> --few line of this script---
> open(GPG, "cat $file |gpg --batch
> --quiet --output - --encrypt --textmode
> --armor --always-trust -r domi|");
> while(<GPG>) {
>         print MALI;
> }
> close(GPG);
> ---end----
> as far this is working _fine_ if i
> start this script via shell!!!
> But   if i start this script from my
> cgi everything running as "www-data" id
> 33  i just get a error entry  to
> apache-ssl error.log:gpg: fatal: ~/.gnupg:
>  can't create directory: No such file
> or directory
> secmem usage: 0/0 bytes in 0/0 blocks
> of pool 0/16384


I had similar problems when I was getting a cgi
script on a web site to encrypt a text file to be
emailed, and found (using gpg 1.0.6 or 1.0.7 for

1) gpg.exe wants to be able to write to
trustdb.gpg (in the default directory or the one
specified in --homedir a_good_directory), even
though you specify "--always-trust -r
your_emailaddress". If trustdb.gpg does not exist,
gpg.exe will create one and insert the fact that
you always trust key 12345678.xy into trustdb.gpg.
If trustdb.gpg is read only, I got a secmem usage
error. Maybe there is an option to tell gpg.exe
not to write to the trustdb.gpg file? But I
couldn't find one.

2) gpg.exe will also create a file random_seed
(again in the default directory or the one
specified in --homedir a_good_directory), unless I
specify the --no-random-seed option. However, when
I do specify the --no-random-seed option, I get a
warning message "gpg: NOTE: you should run
'diskperf -y' to enable the disk statistics". I
tried giving the --batch --no-tty --quiet options,
but still got the warning message.

3) if secring.gpg does not exist in the default
directory or the one specified in --homedir
a_good_directory, gpg.exe creates one with a
length of zero bytes. I found that this
secring.gpg can be set to read only, and
everything still worked. This secring.gpg does not
have to be your real one, and it can also be 0
bytes long. I guess putting a real secring.gpg on
a webserver for everyone to possibly see would be
a bad thing!

4) To make it all work, I...

a) put gpg.exe in an execute only directory on the
b) created a homedir called xxxxxxx/gpg where I
put pubring.gpg (read only) and a zero byte length
secring.gpg (read only), as well as a trustdb.gpg
(read/write) and a file called random_seed
c) used the command....

--homedir a_good_directory
--always-trust -ear my_emailaddress

where fred.txt is the file to be encrypted into a
file called fred.asc. The -ear is for e=encrypt,
a=armor and r specifies the recipient.

And it all worked fine.
Hope this helps