[Popcon-developers] Bug#714917: encrypting submissions creates /root/.gnupg/*
Ansgar Burchardt
ansgar at debian.org
Fri Jul 5 13:03:27 UTC 2013
On 07/05/2013 14:44, Bill Allombert wrote:
> On Thu, Jul 04, 2013 at 11:22:29AM +0200, Ansgar Burchardt wrote:
>> Enabling the encryption of submissions will result in creating a /root/.gnupg
>> directory including a gpg.conf, secring.gpg, trustdb.gpg, random_seed.
>>
>> Just using popularity-contest shouldn't do this. Maybe passing --no-config or
>> --homedir /some/temporary/directory to gpg would be a good idea. It would also
>> result in not using (maybe unwanted) settings from root's gpg.conf.
>
> Jakub Wilk in http://lists.debian.org/debian-devel/2013/06/msg00681.html
> suggests using --no-options:
>
> --no-options
> Shortcut for --options /dev/null. This option is detected before an attempt to
> open an option file. Using this option will also prevent the creation of a
> ‘~/.gnupg’ homedir.
>
> Could you check whether this would address this bug?
No, doesn't work:
/etc/cron.daily # diff -u popularity-contest.ori popularity-contest
--- popularity-contest.ori 2013-07-05 14:53:57.009406485 +0200
+++ popularity-contest 2013-07-05 14:55:42.583330879 +0200
@@ -71,7 +71,7 @@
if [ "$ENCRYPT" = "yes" ] && [ -x "$GPG" ]; then
POPCONGPG="$POPCON.gpg"
rm -f "$POPCONGPG"
- $GPG --no-default-keyring --keyring "$KEYRING" --trust-model=always \
+ $GPG --batch --no-tty --no-options --no-default-keyring --keyring
"$KEYRING" --trust-model=always \
--armor -o "$POPCONGPG" -r "$POPCONKEY" --encrypt "$POPCON"
POPCON="$POPCONGPG"
fi
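Review bot: the exit status of `$GPG` is still not checked after the changed `+` line, so when encryption fails the following context line `POPCON="$POPCONGPG"` points the rest of the script at a file that was never written and the run continues (the `cat: /var/log/popularity-contest.gpg: No such file or directory` below is exactly that). Wrap the call, e.g. `if ! $GPG ... --encrypt "$POPCON"; then exit 1; fi`, or add `set -e` near the top of the script so a failed gpg aborts the cron job instead of submitting nothing. Separately, the output that follows shows `--no-options` alone does not stop gpg from opening `/root/.gnupg/secring.gpg`, so the flag change does not yet achieve the bug's goal; an explicit `--homedir` pointing at a throwaway directory is what keeps gpg out of root's home.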
/etc/cron.daily # ./popularity-contest
gpg: keyblock resource `/root/.gnupg/secring.gpg': file open error
gpg: fatal: /root/.gnupg: directory does not exist!
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768
cat: /var/log/popularity-contest.gpg: No such file or directory
Same with only --no-options (and without --batch --no-tty). No idea why
gpg wants to access the secret keyring if it's not used, but using an
empty (temporary) directory with --homedir might work.
It also looks like the script continues even though calling gpg failed.
Maybe you want to use "set -e"?
Ansgar
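The `--homedir`-in-a-temporary-directory approach floated above, combined with a real check on gpg's exit status, written out as an added example rather than popularity-contest's own code. It assumes `GPG` is an optional override of the gpg binary (handy for testing) and that the keyring path and key id are whatever the cron script already sets.

```shell
#!/bin/sh
# Added example (not popularity-contest's own code): encrypt a submission with gpg
# without touching root's ~/.gnupg, and fail closed when gpg does not deliver.

# encrypt_submission INPUT OUTPUT KEYRING KEYID
# Runs gpg with a throwaway --homedir so secring.gpg, trustdb.gpg, random_seed and
# gpg.conf are created (and deleted) under a temp dir instead of /root/.gnupg.
# Returns non-zero, with no partial output left behind, unless an encrypted file exists.
encrypt_submission() {
    in=$1; out=$2; keyring=$3; keyid=$4
    gpg_cmd=${GPG:-gpg}          # GPG: hypothetical override of the gpg path

    homedir=$(mktemp -d) || return 1
    rm -f "$out"
    "$gpg_cmd" --homedir "$homedir" --no-options --batch --no-tty \
        --no-default-keyring --keyring "$keyring" --trust-model=always \
        --armor -o "$out" -r "$keyid" --encrypt "$in"
    status=$?
    rm -rf "$homedir"            # nothing from this run survives in any home dir

    # Fail closed: a zero exit without an output file is still a failure.
    if [ "$status" -ne 0 ] || [ ! -s "$out" ]; then
        rm -f "$out"
        return 1
    fi
    return 0
}

# choose_submission INPUT OUTPUT KEYRING KEYID
# Mirrors the cron script's ENCRYPT=yes branch: prints the path to submit (the
# encrypted file) on success; on failure exits non-zero instead of silently
# pointing POPCON at a .gpg file that was never written.
choose_submission() {
    if encrypt_submission "$1" "$2" "$3" "$4"; then
        printf '%s\n' "$2"
    else
        echo "popularity-contest: encrypting the submission failed, not submitting" >&2
        return 1
    fi
}
```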