several questions about gnupg

Daniel Mettler
Mon May 27 22:42:02 2002

hi folks,

i use gnupg (v1.06) from within python for a program i code. now 
i have several questions regarding gpg (i already read the faq 
and did not find the answers there).

--homedir does not seem to work on my box (linux 2.4.19 pre 
something). i tried to generate a new keypair with

gpg --gen-key --homedir ~/.gnupg_alternative

the following error occurred:

gpg: keyblock resource `/home/testuser/.gnupg_alternative': file 
open error
gpg: can add keyblock file 
Key generation failed: file create error
gpg: can't create 
`/home/testuser/.gnupg_alternative/random_seed': No such file or 

/home/testuser exists and is writable by this user (the same 
error occurs if i do the same for root)

among others i use --recv-keys to automatically retrieve missing 
public keys from a public key server.

this feature does not seem to work reliably as the fetching often 

is there an undocumented command line option to set a timeout 
for this (e.g. stop automatic fetching after 30s if it does not 
succeed)? is there any timeout at all? and is there an option to 
make gpg retry it for a specified number of times if it fails? 
can you recommend a reliable keyserver (currently i use

gpg returns an exit code of 0 if verification "succeeds" no 
matter of the key trust (e.g. even if the trust is "unknown") 
etc. thus i parse the output of "--status-fd 1" to see whether 
the signature is really valid, whether the public key is trusted 
and not expired or revoked etc.

i have read the DETAILS documentation, but some flag explanations 
seem to be missing. is there a complete list of all flags 
somewhere? and i do not know which flag is necessary/sufficient 
for what state (is there any formal documentation regarding 
this?). basically i want to check for valid && not expired 
signatures which were signed by trusted && not expired && not 
revoked keys, and reject everything else. what combination of 
flags is necessary/sufficient (in a mathematical sense) for 
this? currently i use a long if-chain which only accepts the 
signatures that

have (GOODSIG && a sufficient TRUST_*) && do not have (EXPSIG || 

this seems to be a safe (estimated, as i have not found any 
formal information about this) but not efficient solution. which 
flags would do it? can i safely omit checks for not existing 
NO_PUBKEY flags?

what really happens when a signature is made with --throw-keyid? 
i tested this and somehow the keyid seems to be still embedded 
in the signature.

what steps are needed to make a public key fully trusted? 
currently, i "--lsign-key" it. is this sufficient or do i need 
"--edit-key name trust" to set an appropriate trust level too? 
can a public key made fully trusted just with "--edit-key name 

as i use gpg from within a python program i would like to skip 
all interactive dialogs when i "--edit-key" except for the 
indispensable password prompts. for other questions i would like 
to set the answers from within the python program. thus is there 
something between "--batch" (no interaction at all) and fully 
interactive dialogs? how could i implement something like this?

how does gnupg recognize revoked keys? does it check a public key 
server for revocation certificates or how does this work?

is there an irc channel of gnupg developers/users?

i hope you can answer these questions, thanks!
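An added example of the status-line check the post describes (not code from the post or from GnuPG): it parses the "[GNUPG:] ..." lines gpg writes with --status-fd and accepts a signature only when GOODSIG and a full or ultimate TRUST_* line are present and no rejecting keyword appears, ignoring the exit code. It assumes a current Python 3 (subprocess.run), and the keywords not named in the post (BADSIG, ERRSIG, EXPKEYSIG, REVKEYSIG, VALIDSIG) are taken from GnuPG's doc/DETAILS in later releases; the sample outputs and key IDs are constructed.

```python
# Added example: judge a gpg --verify run by its --status-fd output, not
# its exit code (which is 0 even when the key's trust is "unknown").
# Keywords beyond those in the post are assumed from GnuPG doc/DETAILS.
import subprocess

# Any of these means the run is rejected, whatever else gpg printed.
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
          "KEYEXPIRED", "KEYREVOKED", "TRUST_UNDEFINED", "TRUST_NEVER",
          "TRUST_MARGINAL"}
# The post's "sufficient TRUST_*": full or ultimate ownertrust only.
SUFFICIENT_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}

def parse_status(text):
    """Return the status keywords in order; non-status lines are ignored."""
    tokens = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "[GNUPG:]":
            tokens.append(parts[1])
    return tokens

def signature_acceptable(status_text):
    """Return (accepted, reason): accept only with GOODSIG, a sufficient
    TRUST_* line, and no rejecting keyword anywhere in the output."""
    tokens = parse_status(status_text)
    bad = REJECT.intersection(tokens)
    if bad:
        return False, "rejected: " + ",".join(sorted(bad))
    if "GOODSIG" not in tokens:
        return False, "rejected: no GOODSIG"
    if not SUFFICIENT_TRUST.intersection(tokens):
        return False, "rejected: key not fully trusted"
    return True, "accepted"

def verify_file(sig_path, data_path):
    """Run gpg on a detached signature and judge its status output."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify",
                           sig_path, data_path], capture_output=True, text=True)
    return signature_acceptable(proc.stdout)

# Constructed sample outputs (key ID, fingerprint and user ID are made up).
GOOD = """gpg: Signature made Mon May 27 2002 using DSA key ID DEADBEEF
[GNUPG:] GOODSIG 0123456789DEADBEEF Test User <test@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789DEADBEEF 2002-05-27 1022538122
[GNUPG:] TRUST_FULLY
"""
UNKNOWN_TRUST = GOOD.replace("TRUST_FULLY", "TRUST_UNDEFINED")
EXPIRED_KEY = GOOD.replace("GOODSIG", "EXPKEYSIG")
```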