gnupg & pgpverify trouble

Christoph Biedl cbiedl at gmx.de
Tue Feb 8 19:35:11 UTC 2005


Christoph Biedl wrote...

> Russ Allbery wrote...
> 
> >   * pgpverify will now correctly verify signatures generated by GnuPG and
> >     better supports GnuPG as the PGP implementation.
> 
> Upgrading my system (Debian sarge) I and others found pgpverify fails if

To be more precise: This happened on a Debian system with a self-compiled
INN while the INN from the Debian distribution does fine.

> using gpg for verification of signed control messages. The reason for
> this is apparently gpg which now looks for ~/.gnupg/trustedkeys.gpg
> instead of ~/.gnupg/pubring.gpg. However, gpg was not changed so I
> assume a different gpgv invocation in the new pgpverify version.
> 
> Copying or linking the two key files is at least a workaround, but: Has
> this been documented anywhere?

An intensive look into pgpverify reveals a problem with $keyring:

line 130:
| # $keyring = '/path/to/your/pgp/config';
stays undefined in general.

line 211ff:
| if (! $keyring && $inn::newsetc) {
|   $keyring = $inn::newsetc . '/pgp' if -d $inn::newsetc . '/pgp';
| }

will define $keyring only if "$inn::newsetc . '/pgp'" exists - which
it does in Debian (/etc/news/pgp is created at some point during
installation) but is missing in my self-compiled installation.

Therefore

line 430ff:
|   if ($keyring && $pgpstyle eq 'GPG') {
|     push (@command, "--keyring=$keyring/pubring.gpg");
|   }

adds the --keyring parameter in the Debian setup only - on other systems
gpgv will fall back to trustedkeys.gpg which is missing => verification
fails.

Comparing to the old version:
gpgverify 1.15 was quite different in this. The string ' --keyring=pubring.gpg'
was added to $opts in case of doubt (line 403) which was expanded to
~/.gnupg/pubring.gpg internally by gpg and everything worked.


If this change is desired behaviour it should be documented in the
changes.

Otherwise:
Solution 0 (already written): symlink trustedkeys.gpg to pubring.gpg.
Solution 1: create a symlink "ln -s ~/.gnupg (pathetc)/pgp"
Solution 2: change pgpverify to check that location, too

--- pgpverify.OLD       2005-01-29 02:12:12.000000000 +0100
+++ pgpverify   2005-02-08 20:23:48.000000000 +0100
@@ -209,7 +209,11 @@
 $lockdir = $inn::locks if $inn::locks;
 $syslog_facility = $inn::syslog_facility if $inn::syslog_facility;
 if (! $keyring && $inn::newsetc) {
-  $keyring = $inn::newsetc . '/pgp' if -d $inn::newsetc . '/pgp';
+  if (-d $inn::newsetc . '/pgp') {
+    $keyring = $inn::newsetc . '/pgp';
+  } elsif ($gpgv) {
+    $keyring = $ENV{'HOME'} . '/.gnupg' if -d $ENV{'HOME'} . '/.gnupg';
+  }
 }
 
 # Trim /path/to/prog to prog for error messages.
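Review bot: In the new `elsif ($gpgv)` branch, `$ENV{'HOME'}` is used without a `defined` check, so when pgpverify runs with HOME unset the `-d` test is made against `/.gnupg` and Perl may warn about an uninitialized value. Guard it, for example `} elsif ($gpgv && defined $ENV{'HOME'}) {`. The branch also keys on `$gpgv`, while the code that consumes `$keyring` (the `--keyring=$keyring/pubring.gpg` push quoted earlier in this message) keys on `$pgpstyle eq 'GPG'`; using the same condition in both places would keep the two from drifting apart. Because this fallback makes the set of trusted keys depend on the invoking user's home directory, it should be mentioned in the documentation along with the code change.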



    Christoph
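
The keyring selection described in the message above, as an added example that is not part of the original post and not pgpverify's own code: a shell function that reports which keyring file gpgv ends up reading, before and after the proposed patch. The function name, its arguments and the temporary directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not pgpverify code. Names and layout are hypothetical.
# Assumes gpgv is the verifier in use (the patch's "$gpgv" condition is true).

# effective_keyring MODE NEWSETC HOME_DIR
#   MODE=unpatched : only NEWSETC/pgp is considered (lines 211ff as quoted)
#   MODE=patched   : additionally falls back to HOME_DIR/.gnupg (the diff)
# Prints "<keyring file> <status>" where status is:
#   ok       the file exists
#   missing  the file does not exist, so verification fails
effective_keyring() {
    mode=$1
    newsetc=$2
    home=$3
    keyring=''
    if [ -n "$newsetc" ] && [ -d "$newsetc/pgp" ]; then
        keyring="$newsetc/pgp"
    elif [ "$mode" = patched ] && [ -d "$home/.gnupg" ]; then
        keyring="$home/.gnupg"
    fi
    if [ -n "$keyring" ]; then
        file="$keyring/pubring.gpg"          # passed as --keyring=...
    else
        file="$home/.gnupg/trustedkeys.gpg"  # gpgv default without --keyring
    fi
    if [ -f "$file" ]; then status=ok; else status=missing; fi
    printf '%s %s\n' "$file" "$status"
}

# Constructed layout resembling the self-compiled installation in the post:
# no NEWSETC/pgp directory, keys only in HOME/.gnupg/pubring.gpg.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/etc" "$demo_dir/home/.gnupg"
: > "$demo_dir/home/.gnupg/pubring.gpg"
effective_keyring unpatched "$demo_dir/etc" "$demo_dir/home"
effective_keyring patched   "$demo_dir/etc" "$demo_dir/home"
rm -rf "$demo_dir"
```
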

