several questions about gnupg

Leigh S. Jones kr6x@kr6x.com
Tue May 28 03:18:02 2002


GnuPG will do this for you, but you must create the
key database directory with empty databases first.

First, create the ~/.gnupg_alternative directory,
then "touch ~/.gnupg_alternative/pubring.gpg", "touch 
~/.gnupg_alternative/secring.gpg", and just for good 
measure "touch ~/.gnupg_alternative/trustdb.gpg", and 
"touch ~/.gnupg_alternative/groupdb.gpg".

Now go ahead and type your command.

Oh, gpg can create the basic database files for you 
also:
gpg --homedir ~/.gnupg_alternative --list-keys 
(error messages follow)
gpg --homedir ~/.gnupg_alternative --list-keys 
(no error messages follow, just an empty listing)

----- Original Message ----- 
From: "Daniel Mettler" <mettlerd@icu.unizh.ch>
To: <gnupg-users@gnupg.org>
Sent: Monday, May 27, 2002 1:36 PM
Subject: several questions about gnupg


> hi folks,
> 
> i use gnupg (v1.06) from within python for a program i code. now 
> i have several questions regarding gpg (i already read the faq 
> and did not find the answers there).
> 
> *****************************************************************
> --homedir does not seem to work on my box (linux 2.4.19 pre 
> something). i tried to generate a new keypair with
> 
> gpg --gen-key --homedir ~/.gnupg_alternative
> 
> the following error occurred:
> 
> gpg: keyblock resource `/home/testuser/.gnupg_alternative': file 
> open error
> gpg: can add keyblock file 
> `/home/testuser/.gnupg_alternative/pubring.gpg'
> Key generation failed: file create error
> gpg: can't create 
> `/home/testuser/.gnupg_alternative/random_seed': No such file or 
> directory
> 
> /home/testuser exists and is writable by this user (the same 
> error occurs if i do the same for root)
> *****************************************************************
> among others i use --recv-keys to automatically retrieve missing 
> public keys from a public key server.
> 
> this feature does not seem to work reliably as the fetching often 
> hangs.
> 
> is there an undocumented command line option to set a timeout 
> for this (e.g. stop automatic fetching after 30s if it does not 
> succeed)? is there any timeout at all? and is there an option to 
> make gpg retry it for a specified number of times if it fails? 
> can you recommend a reliable keyserver (currently i use 
> wwwkeys.pgp.net)?
> *****************************************************************
> gpg returns an exit code of 0 if verification "succeeds" no 
> matter the key trust (e.g. even if the trust is "unknown") 
> etc. thus i parse the output of "--status-fd 1" to see whether 
> the signature is really valid, whether the public key is trusted 
> and not expired or revoked etc.
> 
> i have read the DETAILS documentation, but some flag explanations 
> seem to be missing. is there a complete list of all flags 
> somewhere? and i do not know which flag is necessary/sufficient 
> for what state (is there any formal documentation regarding 
> this?). basically i want to check for valid && not expired 
> signatures which were signed by trusted && not expired && not 
> revoked keys, and reject everything else. what combination of 
> flags is necessary/sufficient (in a mathematical sense) for 
> this? currently i use a long if-chain which only accepts the 
> signatures that
> 
> have (GOODSIG && a sufficient TRUST_*) && do not have (EXPSIG || 
> EXPKEYSIG || NODATA || UNEXPECTED || SIGEXPIRED || KEYEXPIRED || 
> KEYREVOKED || RSA_OR_IDEA || NO_SECKEY || BADSIG || ERRSIG || 
> NO_PUBKEY)
> 
> this seems to be a safe (estimated, as i have not found any 
> formal information about this) but not efficient solution. which 
> flags would do it? can i safely omit checks for not existing 
> NODATA, UNEXPECTED, RSA_OR_IDEA, NO_SECKEY, BADSIG, ERRSIG, 
> NO_PUBKEY flags?
> *****************************************************************
> what really happens when a signature is made with --throw-keyid? 
> i tested this and somehow the keyid seems to be still embedded 
> in the signature.
> *****************************************************************
> what steps are needed to make a public key fully trusted? 
> currently, i "--lsign-key" it. is this sufficient or do i need 
> "--edit-key name trust" to set an appropriate trust level too? 
> can a public key be made fully trusted just with "--edit-key name 
> trust"?
> *****************************************************************
> as i use gpg from within a python program i would like to skip 
> all interactive dialogs when i "--edit-key" except for the 
> indispensable password prompts. for other questions i would like 
> to set the answers from within the python program. thus is there 
> something between "--batch" (no interaction at all) and fully 
> interactive dialogs? how could i implement something like this?
> *****************************************************************
> how does gnupg recognize revoked keys? does it check a public key 
> server for revocation certificates or how does this work?
> *****************************************************************
> is there an irc channel of gnupg developers/users?
> *****************************************************************
> 
> i hope you can answer these questions, thanks!
> 
> regards
> 
> dan
> 
> 
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
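Added example, not code from either message in this thread: it covers the two practical points above, preparing an alternative --homedir the way Leigh's reply describes (directory first, keyring files touched, gpg does the rest), and the acceptance rule Daniel sketches for --status-fd output (GOODSIG plus a sufficient TRUST_* and none of the rejecting keywords), judged from the status records rather than the exit code. The function names are mine, the status lines are constructed by hand to resemble GnuPG's "[GNUPG:] ..." records rather than captured from a run, and the choice of TRUST_FULLY/TRUST_ULTIMATE as "sufficient" is an assumption a deployment may want to tighten or relax.

```python
"""Added example (not from the thread): prepare an alternative GnuPG home
and judge a --verify run from its --status-fd records, not its exit code."""
import os
import subprocess
import tempfile
from typing import Iterable, List, Tuple

STATUS_PREFIX = "[GNUPG:] "
KEYRING_FILES = ("pubring.gpg", "secring.gpg")  # gpg creates trustdb.gpg itself

# Assumption: only full or ultimate validity is "sufficient" for an
# unattended check; marginal, undefined and never are rejected.
SUFFICIENT_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}

# Keywords whose presence means "reject", mirroring the question's if-chain.
REJECT_KEYWORDS = {
    "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY",
    "NODATA", "UNEXPECTED", "SIGEXPIRED", "KEYEXPIRED", "KEYREVOKED",
    "RSA_OR_IDEA", "NO_SECKEY",
}


def prepare_homedir(path: str) -> str:
    """Create the directory gpg will not create on its own (mode 0700, so gpg
    does not warn about unsafe permissions) plus the empty keyrings."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)  # makedirs' mode argument is subject to umask
    for name in KEYRING_FILES:
        os.close(os.open(os.path.join(path, name), os.O_CREAT | os.O_WRONLY, 0o600))
    return path


def prepare_temporary_homedir() -> str:
    """A fresh homedir under a private temp directory (handy for tests)."""
    return prepare_homedir(os.path.join(tempfile.mkdtemp(), ".gnupg_alternative"))


def homedir_is_ready(path: str) -> bool:
    """True when the directory is 0700 and both keyring files exist."""
    if not os.path.isdir(path) or (os.stat(path).st_mode & 0o777) != 0o700:
        return False
    return all(os.path.isfile(os.path.join(path, n)) for n in KEYRING_FILES)


def parse_status(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(KEYWORD, rest) pairs; non-status chatter on the same fd is ignored."""
    records = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith(STATUS_PREFIX):
            keyword, _, rest = line[len(STATUS_PREFIX):].partition(" ")
            records.append((keyword, rest))
    return records


def accept_signature(lines: Iterable[str]) -> Tuple[bool, str]:
    """Accept only: exactly one GOODSIG, a sufficient TRUST_* line, and no
    rejecting keyword anywhere. The exit code is ignored on purpose: gpg
    exits 0 for a good signature from a key of unknown validity."""
    keywords = [k for k, _ in parse_status(lines)]
    bad = sorted(set(keywords) & REJECT_KEYWORDS)
    if bad:
        return False, "rejecting status: " + ", ".join(bad)
    if keywords.count("GOODSIG") != 1:
        return False, "expected exactly one GOODSIG, saw %d" % keywords.count("GOODSIG")
    trust = [k for k in keywords if k.startswith("TRUST_")]
    if not trust:
        return False, "no TRUST_* line: key validity unknown"
    if trust[-1] not in SUFFICIENT_TRUST:
        return False, "insufficient trust: " + trust[-1]
    return True, "good signature from a sufficiently trusted key"


def verify_command(homedir: str, sigfile: str, datafile: str) -> List[str]:
    """argv for a detached-signature check; status records go to stdout."""
    return ["gpg", "--homedir", homedir, "--batch", "--no-tty",
            "--status-fd", "1", "--verify", sigfile, datafile]


def verify_detached(homedir: str, sigfile: str, datafile: str) -> Tuple[bool, str]:
    """Run gpg (must be installed) and judge the result from status lines."""
    proc = subprocess.run(verify_command(homedir, sigfile, datafile),
                          capture_output=True, text=True)
    return accept_signature(proc.stdout.splitlines())


# Constructed samples, not real gpg output; key IDs and fingerprints are
# placeholder hex and the user ID is a placeholder.
_FPR = "0000000000000000000000000123456789ABCDEF"
CONSTRUCTED_GOOD = [
    "gpg: Signature made Mon May 27 13:36:00 2002 CEST",  # chatter, ignored
    "[GNUPG:] SIG_ID AbCdEf0123456789 2002-05-27 1022499360",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>",
    "[GNUPG:] VALIDSIG %s 2002-05-27 1022499360 0 3 0 17 2 00 %s" % (_FPR, _FPR),
    "[GNUPG:] TRUST_FULLY 0 pgp",
]
CONSTRUCTED_UNKNOWN_TRUST = CONSTRUCTED_GOOD[:4] + ["[GNUPG:] TRUST_UNDEFINED 0 pgp"]
CONSTRUCTED_EXPIRED_KEY = [
    "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example User <user@example.org>",
    "[GNUPG:] KEYEXPIRED 1022400000",
    "[GNUPG:] TRUST_FULLY 0 pgp",
]

if __name__ == "__main__":
    for label, sample in (("good", CONSTRUCTED_GOOD),
                          ("unknown trust", CONSTRUCTED_UNKNOWN_TRUST),
                          ("expired key", CONSTRUCTED_EXPIRED_KEY)):
        print(label, accept_signature(sample))
```

Two caveats worth keeping in mind when using this pattern: TRUST_* records are only emitted once gpg has found and verified against a key, so "no TRUST_* line" must be treated as a rejection rather than a neutral outcome; and with --status-fd 1 the records share stdout with whatever else gpg prints there, which is why the parser drops anything without the "[GNUPG:] " prefix instead of assuming every line is a record.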