several questions about gnupg
Daniel Mettler
mettlerd@icu.unizh.ch
Mon May 27 22:42:02 2002
hi folks,
I use gnupg (v1.06) from within python for a program I code. Now
I have several questions regarding gpg (I already read the faq
and did not find the answers there).
*****************************************************************
--homedir does not seem to work on my box (linux 2.4.19 pre
something). I tried to generate a new keypair with
gpg --gen-key --homedir ~/.gnupg_alternative
The following error occurred:
gpg: keyblock resource `/home/testuser/.gnupg_alternative': file
open error
gpg: can add keyblock file
`/home/testuser/.gnupg_alternative/pubring.gpg'
Key generation failed: file create error
gpg: can't create
`/home/testuser/.gnupg_alternative/random_seed': No such file or
directory
/home/testuser exists and is writable by this user (the same
error occurs if I do the same for root).
*****************************************************************
Among others I use --recv-keys to automatically retrieve missing
public keys from a public key server.
This feature does not seem to work reliably, as the fetching often
hangs.
Is there an undocumented command line option to set a timeout
for this (e.g. stop automatic fetching after 30s if it does not
succeed)? Is there any timeout at all? And is there an option to
make gpg retry it for a specified number of times if it fails?
Can you recommend a reliable keyserver (currently I use
wwwkeys.pgp.net)?
*****************************************************************
gpg returns an exit code of 0 if verification "succeeds" regardless
of the key trust (e.g. even if the trust is "unknown")
etc. Thus I parse the output of "--status-fd 1" to see whether
the signature is really valid, whether the public key is trusted
and not expired or revoked, etc.
I have read the DETAILS documentation, but some flag explanations
seem to be missing. Is there a complete list of all flags
somewhere? And I do not know which flag is necessary/sufficient
for what state (is there any formal documentation regarding
this?). Basically I want to check for valid && not expired
signatures which were signed by trusted && not expired && not
revoked keys, and reject everything else. What combination of
flags is necessary/sufficient (in a mathematical sense) for
this? Currently I use a long if-chain which only accepts the
signatures that
have (GOODSIG && a sufficient TRUST_*) && do not have (EXPSIG ||
EXPKEYSIG || NODATA || UNEXPECTED || SIGEXPIRED || KEYEXPIRED ||
KEYREVOKED || RSA_OR_IDEA || NO_SECKEY || BADSIG || ERRSIG ||
NO_PUBKEY)
This seems to be a safe (estimated, as I have not found any
formal information about this) but not efficient solution. Which
flags would do it? Can I safely omit checks for non-existing
NODATA, UNEXPECTED, RSA_OR_IDEA, NO_SECKEY, BADSIG, ERRSIG,
NO_PUBKEY flags?
*****************************************************************
What really happens when a signature is made with --throw-keyid?
I tested this and somehow the keyid seems to be still embedded
in the signature.
*****************************************************************
What steps are needed to make a public key fully trusted?
Currently, I "--lsign-key" it. Is this sufficient, or do I need
"--edit-key name trust" to set an appropriate trust level too?
Can a public key be made fully trusted just with "--edit-key name
trust"?
*****************************************************************
As I use gpg from within a python program I would like to skip
all interactive dialogs when I "--edit-key", except for the
indispensable password prompts. For other questions I would like
to set the answers from within the python program. Thus, is there
something between "--batch" (no interaction at all) and fully
interactive dialogs? How could I implement something like this?
*****************************************************************
How does gnupg recognize revoked keys? Does it check a public key
server for revocation certificates, or how does this work?
*****************************************************************
Is there an irc channel of gnupg developers/users?
*****************************************************************
I hope you can answer these questions, thanks!
Regards
dan
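The "--status-fd 1" parsing described in the message, written out as an added example in Python. This is not code from the original message and not part of GnuPG; it implements the acceptance rule the poster describes (GOODSIG plus a sufficient TRUST_* line, and none of the failure flags) as a whitelist that is reject-by-default. The keyword names are the ones listed in GnuPG's doc/DETAILS; the sample status output, the key ID 0123456789ABCDEF and the fingerprint in it are constructed for the example, and verify_file() is the only part that actually invokes gpg (assumed to be on PATH and to support --status-fd and --batch, as 1.0.6 does).

```python
import subprocess
from dataclasses import dataclass

STATUS_PREFIX = "[GNUPG:] "

# Trust levels gpg reports for the signing key, weakest to strongest
# (keyword names from doc/DETAILS).
TRUST_LEVELS = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                "TRUST_FULLY", "TRUST_ULTIMATE"}
SUFFICIENT_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}

# Any one of these rejects the result, whatever else gpg printed.
REJECT_FLAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "SIGEXPIRED",
                "KEYEXPIRED", "KEYREVOKED", "REVKEYSIG", "NO_PUBKEY",
                "NODATA", "UNEXPECTED"}


def parse_status(text):
    """Return [(keyword, args), ...] from --status-fd output.

    Lines without the [GNUPG:] prefix (e.g. stray human-readable output)
    are ignored rather than trusted.
    """
    entries = []
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split(None, 1)
        if not parts:
            continue
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


@dataclass
class Verdict:
    accepted: bool
    reason: str
    keyid: str = ""


def judge(entries):
    """Accept only: exactly one GOODSIG, a sufficient TRUST_* line,
    and no rejecting flag. Everything else is refused, so a new
    keyword gpg starts emitting can never turn a bad result good."""
    seen = {k for k, _ in entries}
    bad = seen & REJECT_FLAGS
    if bad:
        return Verdict(False, "rejecting flag(s): " + ", ".join(sorted(bad)))
    goodsigs = [a for k, a in entries if k == "GOODSIG"]
    if len(goodsigs) != 1:
        return Verdict(False, f"expected exactly one GOODSIG, saw {len(goodsigs)}")
    trust = seen & TRUST_LEVELS
    if not trust:
        return Verdict(False, "no TRUST_* line in status output")
    if not trust & SUFFICIENT_TRUST:
        return Verdict(False, "insufficient trust: " + ", ".join(sorted(trust)))
    # GOODSIG args are "<long keyid> <user id>"; keep the key id for logging.
    return Verdict(True, "good signature from trusted key", goodsigs[0].split()[0])


def verify_file(sig_path, data_path=None, gpg="gpg"):
    """Run gpg --verify and judge its status lines. --verify writes its
    human-readable messages to stderr, so fd 1 carries only status lines."""
    cmd = [gpg, "--batch", "--status-fd", "1", "--verify", sig_path]
    if data_path is not None:
        cmd.append(data_path)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return judge(parse_status(proc.stdout))


# Constructed sample status output (key id, fingerprint and user id invented).
SAMPLE_GOOD = """\
[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz1 2002-05-27 1022531000
[GNUPG:] GOODSIG 0123456789ABCDEF Test User <test@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-05-27 1022531000
[GNUPG:] TRUST_FULLY
"""
# Same signature, but the key has unknown trust: exit code would be 0, yet rejected here.
SAMPLE_UNKNOWN_TRUST = SAMPLE_GOOD.replace("TRUST_FULLY", "TRUST_UNDEFINED")
# Good signature by a trusted but expired key.
SAMPLE_EXPIRED_KEY = SAMPLE_GOOD + "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Test User <test@example.org>\n"
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Test User <test@example.org>\n"

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("unknown trust", SAMPLE_UNKNOWN_TRUST),
                         ("expired key", SAMPLE_EXPIRED_KEY), ("bad", SAMPLE_BAD)]:
        print(name, "->", judge(parse_status(sample)))
```

Because judge() whitelists rather than blacklists, the question of whether the NODATA/UNEXPECTED/NO_SECKEY checks can be dropped becomes moot: a result is accepted only if it positively matches the one expected shape, so an unlisted flag can only cause a rejection, never an acceptance.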