On 2025-02-08 Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> Package: gpg
> Version: 2.4.7-3
> Severity: normal
>
> The 2.4 series of GnuPG introduces keyboxd, but doesn't force migration
> to it for existing users.
>
> For new users, however, running without an explicitly set $GNUPGHOME,
> /usr/bin/gpg creates ~/.gnupg and populates it with a single file,
> common.conf, which contains a single line:
>
> use-keyboxd
>
> This means that while an existing user of gpg can upgrade to gpg 2.4.x
> and see things mostly work, a new user who has avoided installing the
> keyboxd package (e.g., by installing "gpg" but not "gnupg") will see the
> following kind of misbehavior:
>
> ```
> 0 dkg@bob:~$ gpg --import < /usr/share/keyrings/debian-archive-keyring.gpg
> gpg: directory '/home/dkg/.gnupg' created
> gpg: error running '/usr/lib/gnupg/keyboxd': probably not installed
> ```
[...]

Hello,

Andreas Klode gave us a heads-up about this in
https://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/2024-March/009235.html

| after a report of gnupg 2.4 breaking some tooling in Ubuntu[1], we
| analysed it and found out that if `use-keyboxd` is set, gpg just
| silently ignores any keyring arguments, as it only takes public
| keys stored in keyboxd.
|
| On new installs, aka. if ~/.gnupg does not exist, gnupg automatically
| enables keyboxd by writing `use-keyboxd` to common.conf.
|
| I just patched Ubuntu's GnuPG to not do that, I think this may be
| the right call for Debian as well.

https://git.launchpad.net/ubuntu/+source/gnupg2/tree/debian/patches/no-keyboxd.patch?h=ubuntu/plucky-devel

This was/is for 2.4.4; 2.4.7 does not ignore keyring arguments *silently*:

(sid)ametzler@argenau:/tmp/GNUPG2$ gpg --keyring /tmp/GNUPG2/blah.gpg --verify gnupg2_2.4.7.orig.tar.bz2.asc
gpg: Note: Specified keyrings are ignored due to option "use-keyboxd"
[...]

How important/important is the use case of --keyring without --homedir and without a custom gpg configuration in ~/.gnupg?

> I'm not sure what the right solution is here; perhaps the simplest thing
> would be to just ship the keyboxd binary (and socket activation, etc)
> directly in the gpg package, and have that package Provides: keyboxd.

If there is no strong reason to divert from upstream keyboxd preference we should follow it. And if we do, your proposal sounds good.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
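A small check for the two situations discussed in this thread (a GnuPG home whose common.conf enables keyboxd so that --keyring is ignored, and the same setting on a system where the daemon binary is absent), written here as an added example and not taken from the bug report or from GnuPG itself; it assumes the upstream daemon path /usr/lib/gnupg/keyboxd quoted above, overridable through KEYBOXD_BIN:

```shell
#!/bin/sh
# Report how a GnuPG home directory is configured with respect to keyboxd.
# Output is one of:
#   no-common-conf   - no common.conf, so keyboxd is not enabled by config
#   keyboxd-off      - common.conf exists but does not enable keyboxd
#   keyboxd-on       - use-keyboxd set and daemon present (--keyring is ignored)
#   keyboxd-missing  - use-keyboxd set but daemon absent (gpg errors out)
# Assumption: daemon path as quoted in the report; override via KEYBOXD_BIN.
KEYBOXD_BIN="${KEYBOXD_BIN:-/usr/lib/gnupg/keyboxd}"

# Succeeds when common.conf in the given home enables keyboxd.
# Comments, blank lines and surrounding whitespace are ignored so that a
# commented-out "# use-keyboxd" does not count as enabled.
uses_keyboxd() {
    conf="$1/common.conf"
    [ -f "$conf" ] || return 1
    sed 's/#.*//' "$conf" | tr -d ' \t\r' | grep -qx 'use-keyboxd'
}

# Classify a GnuPG home; defaults to $GNUPGHOME, then ~/.gnupg, like gpg.
keyboxd_status() {
    home="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
    if [ ! -f "$home/common.conf" ]; then
        echo no-common-conf
    elif ! uses_keyboxd "$home"; then
        echo keyboxd-off
    elif [ -x "$KEYBOXD_BIN" ]; then
        echo keyboxd-on
    else
        echo keyboxd-missing
    fi
}
```

Run as `keyboxd_status /path/to/gnupghome`; a result of keyboxd-on explains the "Specified keyrings are ignored" note, and keyboxd-missing the "probably not installed" error shown above.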