security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00
Code Activity

Use the keyboxd for a fresh install

Browse Source 
* common/homedir.c (gnupg_maybe_make_homedir): Also create a
common.conf.
* g10/keydb.c: Include comopt.h.
(maybe_create_keyring_or_box): Detect the creation of a common.conf.
* g10/gpg.c (main): Avoid adding more resources in this case.
* sm/keydb.c:  Include comopt.h.
(maybe_create_keybox): Detect the creation of a common.conf.

* common/comopt.h (comopt): Remove the conditional "extern".
This commit is contained in:
Werner Koch 2023-04-04 16:39:59 +02:00
parent db6ae6f6f8
commit d9e7488b17
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
8 changed files with 110 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
NEWS
View File

@ -1,6 +1,9 @@
Noteworthy changes in version 2.4.1 (unreleased) Noteworthy changes in version 2.4.1 (unreleased)
------------------------------------------------ ------------------------------------------------
* If the ~/.gnupg home directory does not exist, the keyboxd is now
automagically enabled.
* gpg: New option --add-desig-revoker. [rG3d094e2bcf] * gpg: New option --add-desig-revoker. [rG3d094e2bcf]
* gpg: New list-option "show-unusable-sigs". Also show * gpg: New list-option "show-unusable-sigs". Also show

3
README
View File

@ -128,6 +128,9 @@
Only public keys and X.509 certificates are managed by the keyboxd; Only public keys and X.509 certificates are managed by the keyboxd;
private keys are still stored as separate files. private keys are still stored as separate files.
Since version 2.4.1 the keyboxd will be used by default for a fresh
install; i.e. if a ~/.gnupg directory did not yet exist.
Note that there is no automatic migration; if the use-keyboxd option Note that there is no automatic migration; if the use-keyboxd option
is enabled keys are not taken from pubring.kbx. To migrate existing is enabled keys are not taken from pubring.kbx. To migrate existing
keys to the keyboxd do this: keys to the keyboxd do this:

1
common/comopt.h
View File

@ -35,7 +35,6 @@
/* Common options for all GnuPG components. */ /* Common options for all GnuPG components. */
EXTERN_UNLESS_MAIN_MODULE
struct struct
{ {
char *logfile; /* Socket used by daemons for logging. */ char *logfile; /* Socket used by daemons for logging. */

38
common/homedir.c
View File

@ -789,8 +789,42 @@ gnupg_maybe_make_homedir (const char *fname, int quiet)
if (gnupg_mkdir (fname, "-rwx")) if (gnupg_mkdir (fname, "-rwx"))
log_fatal ( _("can't create directory '%s': %s\n"), log_fatal ( _("can't create directory '%s': %s\n"),
fname, strerror(errno) ); fname, strerror(errno) );
else if (!quiet ) else
log_info ( _("directory '%s' created\n"), fname ); {
estream_t fp;
char *fcommon;
if (!quiet )
log_info ( _("directory '%s' created\n"), fname );
#ifdef BUILD_WITH_KEYBOXD
/* A new default homedir has been created. Now create a
* common.conf. */
fcommon = make_filename (fname, "common.conf", NULL);
fp = es_fopen (fcommon, "wx,mode=-rw-r");
if (!fp)
{
log_info (_("error creating '%s': %s\n"), fcommon,
gpg_strerror (gpg_error_from_syserror ()));
}
else
{
if (es_fputs ("use-keyboxd\n", fp) == EOF)
{
log_info (_("error writing to '%s': %s\n"), fcommon,
gpg_strerror (es_ferror (fp)
? gpg_error_from_syserror ()
: gpg_error (GPG_ERR_EOF)));
es_fclose (fp);
}
else if (es_fclose (fp))
{
log_info (_("error closing '%s': %s\n"), fcommon,
gpg_strerror (gpg_error_from_syserror ()));
}
}
#endif /* BUILD_WITH_KEYBOXD */
}
} }
} }

4
doc/gpg.texi
View File

@ -3915,7 +3915,9 @@ current home directory (@pxref{option --homedir}).
@efindex common.conf @efindex common.conf
This is an optional configuration file read by @command{@gpgname} on This is an optional configuration file read by @command{@gpgname} on
startup. It may contain options pertaining to all components of startup. It may contain options pertaining to all components of
GnuPG. Its current main use is for the "use-keyboxd" option. GnuPG. Its current main use is for the "use-keyboxd" option. If
the default home directory @file{~/.gnupg} does not exist, GnuPG creates
this directory and a @file{common.conf} file with "use_keyboxd".
@end table @end table

20
g10/gpg.c
View File

@ -4187,17 +4187,27 @@ main (int argc, char **argv)
* need to add the keyrings if we are running under SELinux, this * need to add the keyrings if we are running under SELinux, this
* is so that the rings are added to the list of secured files. * is so that the rings are added to the list of secured files.
* We do not add any keyring if --no-keyring or --use-keyboxd has * We do not add any keyring if --no-keyring or --use-keyboxd has
* been used. */ * been used. Note that keydb_add_resource may create a new
* homedir and also tries to write a common.conf to enable the use
* of the keyboxd - in this case a special error code is returned
* and use_keyboxd is then also set. */
if (!opt.use_keyboxd if (!opt.use_keyboxd
&& default_keyring >= 0 && default_keyring >= 0
&& (ALWAYS_ADD_KEYRINGS && (ALWAYS_ADD_KEYRINGS
|| (cmd != aDeArmor && cmd != aEnArmor && cmd != aGPGConfTest))) || (cmd != aDeArmor && cmd != aEnArmor && cmd != aGPGConfTest)))
{ {
gpg_error_t tmperr = 0;
if (!nrings || default_keyring > 0) /* Add default ring. */ if (!nrings || default_keyring > 0) /* Add default ring. */
keydb_add_resource ("pubring" EXTSEP_S GPGEXT_GPG, tmperr = keydb_add_resource ("pubring" EXTSEP_S GPGEXT_GPG,
KEYDB_RESOURCE_FLAG_DEFAULT); KEYDB_RESOURCE_FLAG_DEFAULT);
for (sl = nrings; sl; sl = sl->next ) if (gpg_err_code (tmperr) == GPG_ERR_TRUE && opt.use_keyboxd)
keydb_add_resource (sl->d, sl->flags); ; /* The keyboxd has been enabled. */
else
{
for (sl = nrings; sl; sl = sl->next )
keydb_add_resource (sl->d, sl->flags);
}
} }
FREE_STRLIST(nrings); FREE_STRLIST(nrings);

31
g10/keydb.c
View File

@ -37,6 +37,7 @@
#include "../kbx/keybox.h" #include "../kbx/keybox.h"
#include "keydb.h" #include "keydb.h"
#include "../common/i18n.h" #include "../common/i18n.h"
#include "../common/comopt.h"
#include "keydb-private.h" /* For struct keydb_handle_s */ #include "keydb-private.h" /* For struct keydb_handle_s */
@ -265,8 +266,24 @@ maybe_create_keyring_or_box (char *filename, int is_box, int force_create)
*last_slash_in_filename = save_slash; *last_slash_in_filename = save_slash;
goto leave; goto leave;
} }
*last_slash_in_filename = save_slash;
if (!opt.use_keyboxd
&& !parse_comopt (GNUPG_MODULE_NAME_GPG, 0)
&& comopt.use_keyboxd)
{
/* The above try_make_homedir created a new default hoemdir
* and also wrote a new common.conf. Thus we now see that
* use-keyboxd has been set. Let's set this option and
* return a dedicated error code. */
opt.use_keyboxd = comopt.use_keyboxd;
rc = gpg_error (GPG_ERR_TRUE);
goto leave;
}
} }
*last_slash_in_filename = save_slash; else
*last_slash_in_filename = save_slash;
/* To avoid races with other instances of gpg trying to create or /* To avoid races with other instances of gpg trying to create or
update the keyring (it is removed during an update for a short update the keyring (it is removed during an update for a short
@ -555,7 +572,8 @@ keydb_search_desc_dump (struct keydb_search_desc *desc)
* If KEYDB_RESOURCE_FLAG_READONLY is set and the resource is a * If KEYDB_RESOURCE_FLAG_READONLY is set and the resource is a
* keyring (not a keybox), then the keyring is marked as read only and * keyring (not a keybox), then the keyring is marked as read only and
* operations just as keyring_insert_keyblock will return * operations just as keyring_insert_keyblock will return
* GPG_ERR_ACCESS. */ * GPG_ERR_ACCESS.
*/
gpg_error_t gpg_error_t
keydb_add_resource (const char *url, unsigned int flags) keydb_add_resource (const char *url, unsigned int flags)
{ {
@ -774,9 +792,12 @@ keydb_add_resource (const char *url, unsigned int flags)
leave: leave:
if (err) if (err)
{ {
log_error (_("keyblock resource '%s': %s\n"), if (gpg_err_code (err) != GPG_ERR_TRUE)
filename, gpg_strerror (err)); {
write_status_error ("add_keyblock_resource", err); log_error (_("keyblock resource '%s': %s\n"),
filename, gpg_strerror (err));
write_status_error ("add_keyblock_resource", err);
}
} }
else else
any_registered = 1; any_registered = 1;

28
sm/keydb.c
View File

@ -33,6 +33,7 @@
#include "keydb.h" #include "keydb.h"
#include "../common/i18n.h" #include "../common/i18n.h"
#include "../common/asshelp.h" #include "../common/asshelp.h"
#include "../common/comopt.h"
#include "../kbx/kbx-client-util.h" #include "../kbx/kbx-client-util.h"
@ -242,8 +243,23 @@ maybe_create_keybox (char *filename, int force, int *r_created)
*last_slash_in_filename = save_slash; *last_slash_in_filename = save_slash;
goto leave; goto leave;
} }
*last_slash_in_filename = save_slash;
if (!opt.use_keyboxd
&& !parse_comopt (GNUPG_MODULE_NAME_GPG, 0)
&& comopt.use_keyboxd)
{
/* The above try_make_homedir created a new default hoemdir
* and also wrote a new common.conf. Thus we now see that
* use-keyboxd has been set. Let's set this option and
* return a dedicated error code. */
opt.use_keyboxd = comopt.use_keyboxd;
rc = gpg_error (GPG_ERR_TRUE);
goto leave;
}
} }
*last_slash_in_filename = save_slash; else
*last_slash_in_filename = save_slash;
/* To avoid races with other instances of gpg trying to create or /* To avoid races with other instances of gpg trying to create or
update the keybox (it is removed during an update for a short update the keybox (it is removed during an update for a short
@ -459,9 +475,13 @@ keydb_add_resource (ctrl_t ctrl, const char *url, int force, int *auto_created)
leave: leave:
if (err) if (err)
{ {
log_error ("keyblock resource '%s': %s\n", filename, gpg_strerror (err)); if (gpg_err_code (err) != GPG_ERR_TRUE)
gpgsm_status_with_error (ctrl, STATUS_ERROR, {
"add_keyblock_resource", err); log_error ("keyblock resource '%s': %s\n",
filename, gpg_strerror (err));
gpgsm_status_with_error (ctrl, STATUS_ERROR,
"add_keyblock_resource", err);
}
} }
else else
any_registered = 1; any_registered = 1;