Multiple Keyrings WAS Signing multiple keys

brian m. carlson sandals at crustytoothpaste.net
Sat Aug 27 00:46:36 CEST 2011


On Fri, Aug 26, 2011 at 10:29:04PM +0100, Nicholas Cole wrote:
> I *do* see the uses for them.  The debian keyring, for example is
> huge, and it is useful to be able to selectively include it or not in
> the gpg.conf file.  But the more I've thought about this, the more I
> think that it would be better just to have entirely separate gpg home
> directories for this sort of purpose.

There is a lot of infrastructure in Debian that depends on the ability
to have read-only keyrings using a command-line option.  If that
functionality were to disappear, somebody would patch it in because the
breakage would be too great (and needless).  If an additional option
were required to use multiple keyrings, I would submit a patch to make
it the default because otherwise it would break existing functionality.

Besides the several different programs that handle key signing parties,
dpkg-source would lose the ability to verify packages before unpacking
them.  apt's archive verification would break.  That doesn't include
dak, the Debian Archive Kit, which also uses GnuPG and would also break.

I expect that most GNU/Linux distributions would also use those patches
for the same reasons.  Removing the capability from GnuPG would not have
the effect of removing the functionality, but only of shifting the
maintenance burden.

> For the case in question, there would be nothing to stop you having a
> home directory made specifically for a key-signing party, for example,
> importing your signing key into it and using it as your working
> directory.  '--homedir', not multiple keyrings, seems to me to solve
> the problem addressed by multiple keyrings for almost all real-world
> cases.

Creating a separate directory and populating it seems silly and
wasteful, plus it prevents the storage of multiple, separate keyrings in
one directory (like /usr/share/keyrings).  If you would like to use the
--homedir method, nothing is preventing you from doing that.  But
breaking existing infrastructure will go over like a lead balloon.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
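As an added illustration of the two workflows contrasted above (not code from the thread or from Debian's tooling): the script below generates a throwaway signing key, exports its public half to a read-only keyring file in the style of /usr/share/keyrings, then verifies a detached signature once by naming that keyring on the command line and once by importing it into a dedicated --homedir, and finally checks that a tampered file is rejected. It assumes GnuPG 2.1 or later on PATH; the key's user ID, the file names and the "Release" contents are all made up for the example.

```shell
#!/bin/sh
# Added example, not part of the thread: the two workflows the reply
# contrasts, run against a throwaway key so it can be tried offline.
#  1. a read-only keyring file selected on the command line
#     (the /usr/share/keyrings style used by apt and dpkg-source), and
#  2. a separate --homedir into which that keyring is imported.
# Assumes GnuPG 2.1 or later on PATH; all names and paths are invented.
set -u

# Generate a passphrase-less signing key in a private homedir, export its
# public half to a keyring file, and detach-sign a constructed sample file.
setup_signer() {
    work=$1
    mkdir -m 700 "$work/signer"
    gpg --homedir "$work/signer" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Demo Signer <demo@example.invalid>' default default never || return 1
    gpg --homedir "$work/signer" --batch --quiet \
        --export demo@example.invalid > "$work/demo-keyring.gpg" || return 1
    chmod 444 "$work/demo-keyring.gpg"     # read-only, like a distro keyring
    printf 'Package: demo\nVersion: 1.0\n' > "$work/Release"  # constructed data
    gpg --homedir "$work/signer" --batch --quiet --yes --detach-sign \
        --output "$work/Release.gpg" "$work/Release"
}

# Style 1: no import at all; the keyring file is named on the command line.
# The scratch --homedir only keeps the demo's trustdb out of ~/.gnupg.
verify_with_keyring() {
    work=$1
    mkdir -p -m 700 "$work/scratch"
    gpg --homedir "$work/scratch" --batch --quiet \
        --no-default-keyring --keyring "$work/demo-keyring.gpg" \
        --verify "$work/Release.gpg" "$work/Release"
}

# Style 2: a purpose-built homedir (the key-signing-party suggestion),
# populated by importing the same keyring file.
verify_with_homedir() {
    work=$1
    mkdir -m 700 "$work/party"
    gpg --homedir "$work/party" --batch --quiet \
        --import "$work/demo-keyring.gpg" || return 1
    gpg --homedir "$work/party" --batch --quiet \
        --verify "$work/Release.gpg" "$work/Release"
}

# Negative check: a modified file must fail verification under style 1.
detect_tamper() {
    work=$1
    mkdir -p -m 700 "$work/scratch"
    cp "$work/Release" "$work/Release.tampered"
    printf 'Version: 1.1\n' >> "$work/Release.tampered"
    if gpg --homedir "$work/scratch" --batch --quiet --no-default-keyring \
          --keyring "$work/demo-keyring.gpg" \
          --verify "$work/Release.gpg" "$work/Release.tampered" 2>/dev/null
    then
        echo "ERROR: tampered file verified" >&2
        return 1
    fi
    return 0
}

# Run all steps in a temporary directory; returns 0 only if every step passed.
demo_keyrings() {
    work=$(mktemp -d) || return 1
    rc=0
    setup_signer "$work" && verify_with_keyring "$work" \
        && verify_with_homedir "$work" && detect_tamper "$work" || rc=1
    for d in signer scratch party; do    # stop agents before removing dirs
        gpgconf --homedir "$work/$d" --kill gpg-agent 2>/dev/null
    done
    rm -rf "$work"
    return $rc
}

demo_keyrings && echo "both keyring workflows verified; tampering detected"
```

Style 1 is the interface the reply says Debian's tooling depends on: dpkg-source and apt verify through gpgv, which takes the same --keyring option against a file it never writes to, so several distinct keyrings can live side by side in one directory. Style 2 works too, but every party-specific homedir is a copy that has to be populated and kept in sync.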