
[PATCH gnupg] wks-client: Allow use with the keybox daemon.
* tools/gpg-wks.h (struct opt): New member use_keyboxd.
* tools/gpg-wks-client.c (opts): New option --use-keyboxd.
(add_user_id): Call gpg with --use-keyboxd if needed.
(decrypt_stream): Likewise.
(encrypt_response): Likewise.
* tools/wks-util.c (wks_get_key): Likewise.
(wks_list_key): Likewise.
(wks_filter_uid): Likewise.
--

The gpg-wks-client always calls gpg with --no-options to ignore
whatever options are in the user's gpg.conf. This makes the client
unusable if gpg is normally configured to use the keybox daemon,
as the 'use-keyboxd' directive in gpg.conf will be ignored as well
and the gpg process called from gpg-wks-client will then attempt
to find the public keys in pubring.kbx.

The quick workaround here is to add a --use-keyboxd option to
gpg-wks-client as well. Maybe a better long-term fix would be to
enquire the status of gpg's --use-keyboxd option from gpgconf.

Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
---
doc/wks.texi | 6 ++++++
tools/gpg-wks-client.c | 11 +++++++++++
tools/gpg-wks.h | 1 +
tools/wks-util.c | 6 ++++++
4 files changed, 24 insertions(+)

diff --git a/doc/wks.texi b/doc/wks.texi
index ad239f132..68492ef63 100644
--- a/doc/wks.texi
+++ b/doc/wks.texi
@@ -178,6 +178,12 @@ Use @var{dir} as top level directory for the commands
@option{--install-key} and @option{--remove-key}. The default is
@file{openpgpkey}.

+@item --use-keyboxd
+@opindex use-keyboxd
+Get the public keys from the keybox daemon. This is necessary if gpg
+is itself configured to use the daemon instead of the old pubring.kbx
+file.
+
@item --verbose
@opindex verbose
Enable extra informational output.
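Review bot: the new manual text "Get the public keys from the keybox daemon" does not say when the option is needed, which is the whole point of the change: the commit message explains that gpg-wks-client runs gpg with --no-options, so a use-keyboxd line in gpg.conf is not seen by that gpg process and has to be repeated on the client's command line. Suggest adding a sentence such as "gpg-wks-client invokes gpg with --no-options, so a use-keyboxd setting in gpg.conf has no effect here and must be given with this option." Also, per the ChangeLog header the flag is passed to the decrypt_stream and encrypt_response invocations too, so "Get the public keys" understates its scope; "Run gpg with --use-keyboxd" would be more accurate.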
diff --git a/tools/gpg-wks-client.c b/tools/gpg-wks-client.c
index b56343232..8294047c3 100644
--- a/tools/gpg-wks-client.c
+++ b/tools/gpg-wks-client.c
@@ -72,6 +72,7 @@ enum cmd_and_opt_values
oFakeSubmissionAddr,
oStatusFD,
oWithColons,
+ oUseKeyboxd,

oDummy
};
@@ -111,6 +112,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_i (oStatusFD, "status-fd", N_("|FD|write status info to this FD")),
ARGPARSE_s_n (oWithColons, "with-colons", "@"),
ARGPARSE_s_s (oDirectory, "directory", "@"),
+ ARGPARSE_s_n (oUseKeyboxd, "use-keyboxd", ("get the keys from keyboxd")),

ARGPARSE_s_s (oFakeSubmissionAddr, "fake-submission-addr", "@"),

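Review bot: the help string in the added line `ARGPARSE_s_n (oUseKeyboxd, "use-keyboxd", ("get the keys from keyboxd")),` is wrapped in bare parentheses instead of N_(), so unlike the status-fd entry two lines above it will not be picked up for translation; suggest `N_("get the keys from keyboxd")`.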
@@ -236,6 +238,9 @@ parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts)
case oWithColons:
opt.with_colons = 1;
break;
+ case oUseKeyboxd:
+ opt.use_keyboxd = 1;
+ break;

case aSupported:
case aCreate:
@@ -509,6 +514,8 @@ add_user_id (const char *fingerprint, const char *uid)
ccparray_init (&ccp, 0);

ccparray_put (&ccp, "--no-options");
+ if (opt.use_keyboxd)
+ ccparray_put (&ccp, "--use-keyboxd");
if (!opt.verbose)
ccparray_put (&ccp, "--quiet");
else if (opt.verbose > 1)
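Review bot: the pair `if (opt.use_keyboxd)` / `ccparray_put (&ccp, "--use-keyboxd");` is pasted verbatim after the `--no-options` line in six gpg argument lists (add_user_id, decrypt_stream, encrypt_response, wks_get_key, wks_list_key, wks_filter_uid), and the --quiet/--verbose selection below it is already repeated at each of those sites as well. A small helper in wks-util.c that appends the common leading arguments would keep the six lists consistent and make it hard for a future gpg invocation to forget the flag.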
@@ -594,6 +601,8 @@ decrypt_stream (estream_t *r_output, struct decrypt_stream_parm_s *decinfo,
ccparray_init (&ccp, 0);

ccparray_put (&ccp, "--no-options");
+ if (opt.use_keyboxd)
+ ccparray_put (&ccp, "--use-keyboxd");
/* We limit the output to 64 KiB to avoid DoS using compression
* tricks. A regular client will anyway only send a minimal key;
* that is one w/o key signatures and attribute packets. */
@@ -1245,6 +1254,8 @@ encrypt_response (estream_t *r_output, estream_t input, const char *addrspec,
ccparray_init (&ccp, 0);

ccparray_put (&ccp, "--no-options");
+ if (opt.use_keyboxd)
+ ccparray_put (&ccp, "--use-keyboxd");
if (!opt.verbose)
ccparray_put (&ccp, "--quiet");
else if (opt.verbose > 1)
diff --git a/tools/gpg-wks.h b/tools/gpg-wks.h
index 6c5dc8b17..941b54614 100644
--- a/tools/gpg-wks.h
+++ b/tools/gpg-wks.h
@@ -38,6 +38,7 @@ struct
int quiet;
int use_sendmail;
int with_colons;
+ int use_keyboxd;
const char *output;
const char *gpg_program;
const char *directory;
diff --git a/tools/wks-util.c b/tools/wks-util.c
index 516c7fe00..e1d5437b1 100644
--- a/tools/wks-util.c
+++ b/tools/wks-util.c
@@ -204,6 +204,8 @@ wks_get_key (estream_t *r_key, const char *fingerprint, const char *addrspec,
ccparray_init (&ccp, 0);

ccparray_put (&ccp, "--no-options");
+ if (opt.use_keyboxd)
+ ccparray_put (&ccp, "--use-keyboxd");
if (!opt.verbose)
ccparray_put (&ccp, "--quiet");
else if (opt.verbose > 1)
@@ -301,6 +303,8 @@ wks_list_key (estream_t key, char **r_fpr, uidinfo_list_t *r_mboxes)
ccparray_init (&ccp, 0);

ccparray_put (&ccp, "--no-options");
+ if (opt.use_keyboxd)
+ ccparray_put (&ccp, "--use-keyboxd");
if (!opt.verbose)
ccparray_put (&ccp, "--quiet");
else if (opt.verbose > 1)
@@ -478,6 +482,8 @@ wks_filter_uid (estream_t *r_newkey, estream_t key, const char *uid,
ccparray_init (&ccp, 0);

ccparray_put (&ccp, "--no-options");
+ if (opt.use_keyboxd)
+ ccparray_put (&ccp, "--use-keyboxd");
if (!opt.verbose)
ccparray_put (&ccp, "--quiet");
else if (opt.verbose > 1)
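Review bot: wks-util.c and struct opt in gpg-wks.h appear to be shared code (neither name is client-specific), yet the only place that sets opt.use_keyboxd is the new gpg-wks-client option. If the same files are also linked into gpg-wks-server, the gpg invocations in wks_get_key, wks_list_key and wks_filter_uid will never receive --use-keyboxd when run from the server; either add a matching option there or state in the commit message that the server is out of scope.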
--
2.27.0


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: [PATCH gnupg] wks-client: Allow use with the keybox daemon.
On Sun, 11 Apr 2021 13:06, Damien Goutte-Gattat said:

> unusable if gpg is normally configured to use the keybox daemon,
> as the 'use-keyboxd' directive in gpg.conf will be ignored as well
> and the gpg process called from gpg-wks-client will then attempt

Right, that is obvious. Actually I am not very happy with the
use-keybox option because this needs to be set into gpg.conf and
gpgsm.conf. And in others, as you noted. This is quite confusing and it
can be expected to be a common issue in bug reports.

I have two ideas on how to fix that:

1. Add an option "enable" to keyboxd.conf and let all other tools read
this config file too.

2. Provide a gnupg.conf file which can be used for such system wide
options. log-file socket:// would also be a candidate for such a
file.

The former would be the quick way to handle things, the latter the more
universal solution.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: [PATCH gnupg] wks-client: Allow use with the keybox daemon.
Werner Koch via Gnupg-devel wrote:
> 2. Provide a gnupg.conf file which can be used for such system wide
> options. log-file socket:// would also be a canditate for such a
> file.
>
> The former would be the quick way to handle things, the latter the more
> universal solution.
>


For whatever it is worth, I advocate for the more universal solution and
suggest also adding [section] headers for tool-specific configuration in
gnupg.conf. Allowing [TOOL:TAG] with TAG given using a command-line
option could enable users to group common settings for different uses.

If this approach is taken, I suggest that options set before any
[section] is reached would be global, applying to all tools in GPG; the
log-file and keyboxd options would go in that unnamed first section.


-- Jacob

Re: [PATCH gnupg] wks-client: Allow use with the keybox daemon.
On Tue, 13 Apr 2021 20:40, Jacob Bachmeyer said:

> and suggest also adding [section] headers for tool-specific

Nope, we can't do that due to backward compatibility. Instead we have
an advanced system to handle global options, including a way to ignore
options set by a user. It is not well documented; I should finish my
draft blog entry for this.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: [PATCH gnupg] wks-client: Allow use with the keybox daemon.
Werner Koch wrote:
> On Tue, 13 Apr 2021 20:40, Jacob Bachmeyer said:
>
>> and suggest also adding [section] headers for tool-specific
>>
>
> Nope, we can't do that due to backward compatibility. Instead we have
> an advanced system to handle global options, including a way to ignore
> options set by a user. It is not well documented; I should finish my
> draft blog entry for this.

How would this break backwards compatibility? As I understand,
"[SECTION]" is currently invalid syntax, so no existing files would
become invalid.

It may be necessary for GPG to continue to recognize GPG-specific
options in the global section, but adding section headers provides a
migration path forwards.

-- Jacob


Re: [PATCH gnupg] wks-client: Allow use with the keybox daemon.
On Wed, 14 Apr 2021 20:37, Jacob Bachmeyer said:

> How would this break backwards compatibility? As I understand,
> "[SECTION]" is currently invalid syntax, so no existing files would
> become invalid.

For example because you can't use the same config files anymore with the
2.2 version. GnuPG has always used component-specific configuration
files, and such section lines would change that.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: [PATCH gnupg] wks-client: Allow use with the keybox daemon.
Hi!

I got another solution to this. use-keyboxd is now an option for the
new common.conf file. The existing use-keyboxd options will be kept for
the next release but print a diagnostic.

The common.conf is always read even if gpg is called with --no-options
so things should now work automagically. See
gnupg/doc/example/common.conf.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
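A constructed wrapper, added here and not code from the patch or from GnuPG, that ties together the workaround in the patch description (gpg-wks-client suppresses gpg.conf via --no-options, so --use-keyboxd must be repeated on the client) and Werner's later note that common.conf is read even under --no-options. It assumes the stock file names gpg.conf and common.conf under GNUPGHOME and the gpg-wks-client --use-keyboxd option added by the patch.

```shell
#!/bin/sh
# Constructed helper (not part of the patch or of GnuPG): decide whether a
# gpg-wks-client call must be given --use-keyboxd by reading the same
# files gpg reads in a given GNUPGHOME.
#  - gpg.conf:    gpg-wks-client runs gpg with --no-options, so a
#                 'use-keyboxd' line here is NOT seen by that gpg process;
#                 the client's own --use-keyboxd has to repeat it.
#  - common.conf: read by gpg even under --no-options (last message in
#                 the thread), so a 'use-keyboxd' line here needs no flag.

# Return 0 if FILE has an active (uncommented) 'use-keyboxd' directive.
has_use_keyboxd() {
    [ -r "$1" ] || return 1
    # drop leading blanks, then match the bare directive; '#' lines fail
    sed -e 's/^[[:space:]]*//' "$1" | grep -Eq '^use-keyboxd([[:space:]]|$)'
}

# Print the extra option gpg-wks-client needs for GNUPGHOME $1 (or the
# default home): either "--use-keyboxd" or nothing.
wks_client_extra_opts() {
    home="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
    if has_use_keyboxd "$home/common.conf"; then
        printf ''                    # gpg picks this up by itself
    elif has_use_keyboxd "$home/gpg.conf"; then
        printf '%s' '--use-keyboxd'  # gpg.conf is hidden by --no-options
    else
        printf ''
    fi
}

# Example use (assumes a configured gpg-wks-client):
#   gpg-wks-client $(wks_client_extra_opts) --check someone@example.org
```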