Wed Oct 14 23:07:13 CEST 2009

Thank you very much for the very informative information.  I have locked down some of the permissions.  

I attempted key signing but was not successful.  I received the following output:

[lawhr at lsftest1/usr/local/bin # ./gpg --edit-key REWARD
pub  1024D/C2126D6D  created: 2009-02-23  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/4D5AFE2E  created: 2009-02-23  expires: never       usage: E
[ unknown] (1). REWARD data interchange 2009

Command> sign
gpg: no default secret key: secret key not available


Any help is appreciated!

Thank you,
Connie Rodriguez 

>>> Daniel Kahn Gillmor <dkg at> 10/14/2009 3:17 PM >>>
Hi Connie--

On 10/14/2009 01:55 PM, CONNIE RODRIGUEZ wrote:
>  + /usr/local/bin/gpg -e -r REWARD /law/test/law/test/interface/watsonwyatt/data/epay.txt
>                 gpg: WARNING: unsafe permissions on configuration file `/home/lawhr/.gnupg/gpg.conf'

This suggests that your configuration file may be readable or writable
by other users.  You can view the permissions on that file with:

  ls -l /home/lawbr/.gnupg/gpg.conf

You can lock it down with:

  chmod go-rwx /home/lawbr/.gnupg/gpg.conf

(note here that "go-rwx" means "remove (-) read (r), write (w), and
execute (x) from group (g) and all other users (o)" )

If you're not sure about the concept of filesystem permissions, it's
worthwhile to think about them a bit.  they'll come up fairly often on
unix systems.  wikipedia has a good start: 

>                 gpg: WARNING: unsafe enclosing directory permissions on configuration file `/home/lawhr/.gnupg/gpg.conf'

This is due to a directory being potentially readable or writable by
other users.  You can lock down the "enclosing directory" with:

chmod go-rwx`/home/lawhr/.gnupg/

>                 gpg: WARNING: using insecure memory!

Search for "insecure memory" in the gpg manual page (try "man gpg") for
more information about this error under the BUGS section.  You may
either want to make gpg setuid root (if secure memory is important to
you) or to tell gpg to ignore this particular error by adding the
relvant option to your gpg.conf file.

>                 gpg: please see for more information

have you read this?  It's worth reading!  You might be interested in
section 6.1 in particular: 

>                 gpg: 4D5AFE2E: There is no assurance this key belongs to the named user

this is likely because you've imported the "REWARD" key into your remote
system without indicating any particular "ultimate" ownertrust.

gpg does a fair amount of work to make sure that keys belong to who you
think they should belong to -- it doesn't make any sense to encrypt data
to a key if you aren't sure whose key it is.

Presumably, there is someone who is making reasonable assertions about
which keys belong to which entities, and signing those keys.  You
probably want to designate "ultimate" ownertrust for that certifier on
your server.  For example, if you hold key DECAFBAD privately
(off-server), but you use that key to sign the REWARD key, you could
import the DECAFBAD public key on the server, and then (still on the
server) do:

gpg --edit-key DECAFBAD

and then choose "ultimate" ownertrust.  Make sense?

>                 gpg: cannot open `/dev/tty': There is a request to a device or address that does not exist.

i dunno why this is coming up; what operating system are you running
this on?  what version of gpg?  did you build it yourself, or is it the
version provided by your OS?



Please consider the environment before printing this e-mail.

This e-mail, facsimile, or letter and any files or attachments transmitted with it contains
information that is confidential and privileged. This information is intended only for the
use of the individual(s) and entity(ies) to whom it is addressed. If you are the intended
recipient, further disclosures are prohibited without proper authorization. If you are not
the intended recipient, any disclosure, copying, printing, or use of this information is
strictly prohibited and possibly a violation of federal or state law and regulations. If you
have received this information in error, please notify Children's Medical Center Dallas 
immediately at 214-456-4444 or via e-mail at privacy at Children's Medical
Center Dallas and its affiliates hereby claim all applicable privileges related to this

More information about the Gnupg-users mailing list