Sign key with externalized master key

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Feb 11 15:19:11 CET 2015


On Wed 2015-02-11 00:41:18 -0500, Xavier Maillard wrote:
> May I ask how one would sign public keys when a "master key" is
> stored onto a USB stick?
>
> I followed instructions from [1]. Now I am in the process of
> announcing my key transition to all old signers *but*, as a last
> test, I just tested public signature with my "master key" and this is
> where troubles occur:
>
> LANG=C gpg --home /Volumes/FSF/.gnupg --recv-keys <A KEYID>
> gpg: WARNING: unsafe permissions on homedir `/Volumes/FSF/.gnupg'
> gpg: external program calls are disabled due to unsafe options file permissions
> gpg: keyserver communications error: General error
> gpg: keyserver receive failed: General error
>
> So what? My USB stick is formatted using extFat so permissions are
> something unknown.

The fact that you're using a FAT volume is the root cause here; FAT
filesystems do not have ownership or permissions, so when a modern OS
mounts them, it has to fake permissions for these files.

If you mount the filesystem manually, you can usually specify tighter
permissions.  I don't know the exact syntax for OS X, but on GNU/Linux
systems, that would be:

 mount -t vfat -ouid=$USERNAME,umask=077 /dev/sdx1 /Volumes/FSF

umask is the relevant option here to set the default permissions.
Alternately, if your umask is set properly before mounting the
filesystem, I think mount(8) will just default to it.

hth,

            --dkg
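
As an added example (not part of the original message), this shell check confirms that a umask=077 mount took effect before gpg is pointed at the stick. It assumes a safe homedir is one owned by the current user with no group/other permission bits; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that a GnuPG homedir on a FAT volume is private.
# Assumption: "private" = owned by the invoking user, no group/other bits,
# which is what mounting with uid=<you>,umask=077 should produce.

# Print "<octal-mode> <owner-uid>" for a path (GNU stat first, then BSD stat).
mode_and_owner() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# Return 0 if the directory is private to the current user, 1 otherwise.
homedir_is_private() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    set -- $(mode_and_owner "$dir")
    mode=$1
    owner=$2
    status=0
    if [ "$owner" != "$(id -u)" ]; then
        echo "unsafe ownership on $dir (uid $owner)" >&2
        status=1
    fi
    # Any bit in the group or other digits means the faked FAT permissions
    # are still too wide (e.g. 755 or 777 from a default mount).
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "unsafe permissions on $dir (mode $mode)" >&2
        status=1
    fi
    return $status
}

# Stand-alone use: sh check.sh /Volumes/FSF/.gnupg
if [ $# -gt 0 ]; then
    homedir_is_private "$1"
fi
```

On a FAT mount, chmod cannot fix a failure reported here; the volume has to be remounted with tighter options.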



More information about the Gnupg-users mailing list