From d9e7488b17fdc617eec735e2c0485b69285ba511 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 4 Apr 2023 16:39:59 +0200 Subject: [PATCH] Use the keyboxd for a fresh install * common/homedir.c (gnupg_maybe_make_homedir): Also create a common.conf. * g10/keydb.c: Include comopt.h. (maybe_create_keyring_or_box): Detect the creation of a common.conf. * g10/gpg.c (main): Avoid adding more resources in this case. * sm/keydb.c: Include comopt.h. (maybe_create_keybox): Detect the creation of a common.conf. * common/comopt.h (comopt): Remove the conditional "extern". --- NEWS | 3 +++ README | 3 +++ common/comopt.h | 1 - common/homedir.c | 38 ++++++++++++++++++++++++++++++++++++-- doc/gpg.texi | 4 +++- g10/gpg.c | 20 +++++++++++++++----- g10/keydb.c | 31 ++++++++++++++++++++++++++----- sm/keydb.c | 28 ++++++++++++++++++++++++---- 8 files changed, 110 insertions(+), 18 deletions(-) diff --git a/NEWS b/NEWS index 6d46e1d34..7ca5b1335 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,9 @@ Noteworthy changes in version 2.4.1 (unreleased) ------------------------------------------------ + * If the ~/.gnupg home directory does not exist, the keyboxd is now + automagically enabled. + * gpg: New option --add-desig-revoker. [rG3d094e2bcf] * gpg: New list-option "show-unusable-sigs". Also show diff --git a/README b/README index b9bf7805e..84a8bacfd 100644 --- a/README +++ b/README @@ -128,6 +128,9 @@ Only public keys and X.509 certificates are managed by the keyboxd; private keys are still stored as separate files. + Since version 2.4.1 the keyboxd will be used by default for a fresh + install; i.e. if a ~/.gnupg directory did not yet exist. + Note that there is no automatic migration; if the use-keyboxd option is enabled keys are not taken from pubring.kbx. To migrate existing keys to the keyboxd do this: diff --git a/common/comopt.h b/common/comopt.h index 7947f35b3..2a27fddac 100644 --- a/common/comopt.h +++ b/common/comopt.h 
@@ -35,7 +35,6 @@ /* Common options for all GnuPG components. */ -EXTERN_UNLESS_MAIN_MODULE struct { char *logfile; /* Socket used by daemons for logging. */ diff --git a/common/homedir.c b/common/homedir.c index 67bbde8f1..091964fc1 100644 --- a/common/homedir.c +++ b/common/homedir.c @@ -789,8 +789,42 @@ gnupg_maybe_make_homedir (const char *fname, int quiet) if (gnupg_mkdir (fname, "-rwx")) log_fatal ( _("can't create directory '%s': %s\n"), fname, strerror(errno) ); - else if (!quiet ) - log_info ( _("directory '%s' created\n"), fname ); + else + { + estream_t fp; + char *fcommon; + + if (!quiet ) + log_info ( _("directory '%s' created\n"), fname ); + +#ifdef BUILD_WITH_KEYBOXD + /* A new default homedir has been created. Now create a + * common.conf. */ + fcommon = make_filename (fname, "common.conf", NULL); + fp = es_fopen (fcommon, "wx,mode=-rw-r"); + if (!fp) + { + log_info (_("error creating '%s': %s\n"), fcommon, + gpg_strerror (gpg_error_from_syserror ())); + } + else + { + if (es_fputs ("use-keyboxd\n", fp) == EOF) + { + log_info (_("error writing to '%s': %s\n"), fcommon, + gpg_strerror (es_ferror (fp) + ? gpg_error_from_syserror () + : gpg_error (GPG_ERR_EOF))); + es_fclose (fp); + } + else if (es_fclose (fp)) + { + log_info (_("error closing '%s': %s\n"), fcommon, + gpg_strerror (gpg_error_from_syserror ())); + } + } +#endif /* BUILD_WITH_KEYBOXD */ + } } } diff --git a/doc/gpg.texi b/doc/gpg.texi index 393267858..b526deeca 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi 
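Review bot: In gnupg_maybe_make_homedir the `fcommon` string returned by make_filename is never released, and `fp`/`fcommon` are declared outside the `#ifdef BUILD_WITH_KEYBOXD`, so a build without the keyboxd gets unused-variable warnings for both. Move the two declarations inside the `#ifdef` and add `xfree (fcommon);` after the es_fclose branches. When es_fputs or es_fclose fails the diagnostic is only log_info and a truncated common.conf stays behind; because the "x" open mode means it is never rewritten, consider deleting the partial file so the documented default (keyboxd enabled on a fresh install) is not silently lost. The accompanying gpg.texi text spells the option `use_keyboxd`, which does not match the `use-keyboxd` written here. The start of gnupg_maybe_make_homedir lies outside this hunk.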
@@ -3915,7 +3915,9 @@ current home directory (@pxref{option --homedir}). @efindex common.conf This is an optional configuration file read by @command{@gpgname} on startup. It may contain options pertaining to all components of - GnuPG. Its current main use is for the "use-keyboxd" option. + GnuPG. Its current main use is for the "use-keyboxd" option. If + the default home directory @file{~/.gnupg} does not exist, GnuPG creates + this directory and a @file{common.conf} file with "use_keyboxd". @end table diff --git a/g10/gpg.c b/g10/gpg.c index 84706ca6b..f52d13a76 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -4187,17 +4187,27 @@ main (int argc, char **argv) * need to add the keyrings if we are running under SELinux, this * is so that the rings are added to the list of secured files. * We do not add any keyring if --no-keyring or --use-keyboxd has - * been used. */ + * been used. Note that keydb_add_resource may create a new + * homedir and also tries to write a common.conf to enable the use + * of the keyboxd - in this case a special error code is returned + * and use_keyboxd is then also set. */ if (!opt.use_keyboxd && default_keyring >= 0 && (ALWAYS_ADD_KEYRINGS || (cmd != aDeArmor && cmd != aEnArmor && cmd != aGPGConfTest))) { + gpg_error_t tmperr = 0; + if (!nrings || default_keyring > 0) /* Add default ring. */ - keydb_add_resource ("pubring" EXTSEP_S GPGEXT_GPG, - KEYDB_RESOURCE_FLAG_DEFAULT); - for (sl = nrings; sl; sl = sl->next ) - keydb_add_resource (sl->d, sl->flags); + tmperr = keydb_add_resource ("pubring" EXTSEP_S GPGEXT_GPG, + KEYDB_RESOURCE_FLAG_DEFAULT); + if (gpg_err_code (tmperr) == GPG_ERR_TRUE && opt.use_keyboxd) + ; /* The keyboxd has been enabled. */ + else + { + for (sl = nrings; sl; sl = sl->next ) + keydb_add_resource (sl->d, sl->flags); + } } FREE_STRLIST(nrings); diff --git a/g10/keydb.c b/g10/keydb.c index 3938d7e16..d2d085291 100644 --- a/g10/keydb.c +++ b/g10/keydb.c 
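Review bot: The GPG_ERR_TRUE signal is honored only for the default-ring call; inside the `for (sl = nrings; ...)` loop the return of keydb_add_resource is still dropped, so with `--no-default-keyring --keyring FILE` on a missing homedir the keyboxd could be enabled by maybe_create_keyring_or_box (it sets opt.use_keyboxd before returning) while the remaining keyrings are still registered. Whether a non-default keyring actually reaches try_make_homedir depends on the create flag passed to maybe_create_keyring_or_box, which is outside this hunk, but the loop should be defensive: `tmperr = keydb_add_resource (sl->d, sl->flags); if (gpg_err_code (tmperr) == GPG_ERR_TRUE && opt.use_keyboxd) break;`. The comment above could also name the code, e.g. `/* keydb_add_resource returns GPG_ERR_TRUE once it has enabled the keyboxd. */`. main() starts and ends outside this hunk.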
@@ -37,6 +37,7 @@ #include "../kbx/keybox.h" #include "keydb.h" #include "../common/i18n.h" +#include "../common/comopt.h" #include "keydb-private.h" /* For struct keydb_handle_s */ @@ -265,8 +266,24 @@ maybe_create_keyring_or_box (char *filename, int is_box, int force_create) *last_slash_in_filename = save_slash; goto leave; } + + *last_slash_in_filename = save_slash; + + if (!opt.use_keyboxd + && !parse_comopt (GNUPG_MODULE_NAME_GPG, 0) + && comopt.use_keyboxd) + { + /* The above try_make_homedir created a new default hoemdir + * and also wrote a new common.conf. Thus we now see that + * use-keyboxd has been set. Let's set this option and + * return a dedicated error code. */ + opt.use_keyboxd = comopt.use_keyboxd; + rc = gpg_error (GPG_ERR_TRUE); + goto leave; + } } - *last_slash_in_filename = save_slash; + else + *last_slash_in_filename = save_slash; /* To avoid races with other instances of gpg trying to create or update the keyring (it is removed during an update for a short @@ -555,7 +572,8 @@ keydb_search_desc_dump (struct keydb_search_desc *desc) * If KEYDB_RESOURCE_FLAG_READONLY is set and the resource is a * keyring (not a keybox), then the keyring is marked as read only and * operations just as keyring_insert_keyblock will return - * GPG_ERR_ACCESS. */ + * GPG_ERR_ACCESS. + */ gpg_error_t keydb_add_resource (const char *url, unsigned int flags) { @@ -774,9 +792,12 @@ keydb_add_resource (const char *url, unsigned int flags) leave: if (err) { - log_error (_("keyblock resource '%s': %s\n"), - filename, gpg_strerror (err)); - write_status_error ("add_keyblock_resource", err); + if (gpg_err_code (err) != GPG_ERR_TRUE) + { + log_error (_("keyblock resource '%s': %s\n"), + filename, gpg_strerror (err)); + write_status_error ("add_keyblock_resource", err); + } } else any_registered = 1; diff --git a/sm/keydb.c b/sm/keydb.c index fbe28f2b9..a12dba19f 100644 --- a/sm/keydb.c +++ b/sm/keydb.c 
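Review bot: The new branch in maybe_create_keyring_or_box infers "we just wrote common.conf" by re-running parse_comopt on the global `comopt`, rather than being told by try_make_homedir whether it created the file; if gpg already parsed common.conf at startup (outside this hunk), the earlier string members of `comopt` are overwritten here, so either confirm parse_comopt frees them or have gnupg_maybe_make_homedir report the creation through its return value and test that instead. A short comment such as `/* Re-read common.conf: try_make_homedir may have just written one. */` would make the indirection explicit. Fix the typo `hoemdir` → `homedir` in the comment. The function's start and its `leave` label are outside this hunk.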
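Review bot: The doc comment of keydb_add_resource is touched but not updated for the new contract: callers now receive GPG_ERR_TRUE, with nothing logged and no resource registered, when the homedir was just created with a common.conf that enables the keyboxd, and opt.use_keyboxd has been set as a side effect. Add to the comment: `* If the default home directory had to be created and the new common.conf enables the keyboxd, opt.use_keyboxd is set, no resource is registered and GPG_ERR_TRUE is returned; callers must treat this as success.` Since the `leave:` hunk below suppresses only the diagnostic, every other caller of keydb_add_resource still sees a non-zero error for this case. The function body lies outside this hunk.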
@@ -33,6 +33,7 @@ #include "keydb.h" #include "../common/i18n.h" #include "../common/asshelp.h" +#include "../common/comopt.h" #include "../kbx/kbx-client-util.h" @@ -242,8 +243,23 @@ maybe_create_keybox (char *filename, int force, int *r_created) *last_slash_in_filename = save_slash; goto leave; } + *last_slash_in_filename = save_slash; + + if (!opt.use_keyboxd + && !parse_comopt (GNUPG_MODULE_NAME_GPG, 0) + && comopt.use_keyboxd) + { + /* The above try_make_homedir created a new default hoemdir + * and also wrote a new common.conf. Thus we now see that + * use-keyboxd has been set. Let's set this option and + * return a dedicated error code. */ + opt.use_keyboxd = comopt.use_keyboxd; + rc = gpg_error (GPG_ERR_TRUE); + goto leave; + } } - *last_slash_in_filename = save_slash; + else + *last_slash_in_filename = save_slash; /* To avoid races with other instances of gpg trying to create or update the keybox (it is removed during an update for a short @@ -459,9 +475,13 @@ keydb_add_resource (ctrl_t ctrl, const char *url, int force, int *auto_created) leave: if (err) { - log_error ("keyblock resource '%s': %s\n", filename, gpg_strerror (err)); - gpgsm_status_with_error (ctrl, STATUS_ERROR, - "add_keyblock_resource", err); + if (gpg_err_code (err) != GPG_ERR_TRUE) + { + log_error ("keyblock resource '%s': %s\n", + filename, gpg_strerror (err)); + gpgsm_status_with_error (ctrl, STATUS_ERROR, + "add_keyblock_resource", err); + } } else any_registered = 1;
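Review bot: maybe_create_keybox in gpgsm calls `parse_comopt (GNUPG_MODULE_NAME_GPG, 0)`, copied from the gpg side; if the module id selects which component's options are read or appears in diagnostics, gpgsm should pass its own id (the GPGSM module-name constant), otherwise a one-line comment should say the gpg id is intentional. The comment carries the same typo `hoemdir` → `homedir`. As in g10, the detection re-parses the global `comopt` instead of being told by try_make_homedir that common.conf was written, and whether `*r_created` is left at 0 on this early GPG_ERR_TRUE return cannot be seen here and should be checked. The function's start and `leave` label are outside this hunk.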