brad's life - gpg hates me now [entries|archive|friends|userinfo]
Brad Fitzpatrick

[ website | bradfitz.com ]
[ userinfo | livejournal userinfo ]
[ archive | journal archive ]

gpg hates me now [Sep. 21st, 2006|07:15 pm]
Previous Entry Share Next Entry
[Tags|, ]

I went to hack on brackup after a long break, and it bitches at me now. Or rather, gpg does:
sammy:trunk $ ./brackup --from=brackup --to=amazon \
            --output=brad-to-amazon.meta
  .
  .brackup-digest.db
gpg: 92FDF929: There is no assurance this key belongs to the named user

pub  4096g/92FDF929 2006-03-20 Brad Fitzpatrick <brad@danga.com>
 Primary key fingerprint: E5C8 295F D1AB 7DE1 C5DF  7F68 FB52 E360 5E1B 3EC5
      Subkey fingerprint: B269 19C9 1BAD 3458 7B9A  B888 B9C6 667B 92FD F929

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) 
What?

That's new. I must've upgraded.

Where's the --just-do-what-i-fucking-say option?

I'm doing:
    system($self->root->gpg_path, $self->root->gpg_args,
       "--recipient", $gpg_rcpt, "--encrypt", "--output=$etmpfn", "--yes", $tmpfn)
        and die "Failed to run gpg: $!\n";

Note the --yes. Apparently that means --unless-you-feel-bitchy-in-this-new-version.

Hate.

Context switch time. No love for Brackup because gpg is full of hate.
LinkReply

Comments:
[User Picture]From: kvance
2006-09-22 02:52 am (UTC)

(Link)

I just checked my current amazon statement. No transfer this month, so mine hasn't been running either. It's not the gpg error though. Instead, I get this gem:

Error: Error: DBD::SQLite::db do failed: not an error(21) at dbdimp.c line 398 at /home/kvance/src/brackup/lib/Brackup/DigestDatabase.pm line 14.

Not an error, yeah.
[User Picture]From: brad
2006-09-22 04:22 am (UTC)

(Link)

Yay SQLite.
[User Picture]From: scsi
2006-09-22 04:43 am (UTC)

(Link)

try --batch and --trust-model always
[User Picture]From: grumpy_sysadmin
2006-09-22 05:05 am (UTC)

(Link)

Oh, right. That does say "no, I really meant --yes". I stand by the ideal that it shouldn't, but it does.
[User Picture]From: grumpy_sysadmin
2006-09-22 05:04 am (UTC)

(Link)

Er, well.

In GnuPG's defense... you are trying to encipher to a key that you haven't signed. So, um, sign the key and move on? Do that as part of "install" or "configure"? Or just pass the terminal through?

Honestly, I don't think that --yes should exist at all. This ain't Windows. This is something that people actually trust to provide security/privacy to a somewhat real degree. It's got a pretty good reason to do so when it asks if you're sure.

(Am I missing something?)
[User Picture]From: grumpy_sysadmin
2006-09-22 05:09 am (UTC)

(Link)

waitaminute

You're trying to encipher to your own key?

Okay, so I should actually go look at your code.

It sounds, though, like you're trying to use gpg in a session-specific context. It's not made for that... not even from a code-design point of view, from a cryptology point of view. There are cipher models that are made for that (I hear SSL is popular...) ... but their key models generally suck.

Maybe what you actually want for this job is one of the various gpg-agent thingies?
[User Picture]From: brad
2006-09-22 04:23 pm (UTC)

(Link)

I have no clue what I want.

I want to encrypt chunks of files before I spray them across to untrusted parties on the net. Then when I get them back later, I want to be the only person to decrypt the chunks. (assuming I have my private key on a USB stick, a CD, and written down on paper in a vault)
[User Picture]From: grumpy_sysadmin
2006-09-24 04:52 am (UTC)

(Link)

Okay, and ... for that, I just do gpg -e -r <my keyID>, and I don't get whining. I do also have "encrypt-to <my keyID>" in ~/gnupg/gpg.conf (so that I encrypt outgoing email to both me and the recipient by default, so I can read it later). I get whining that my key ID is already on the list, but it's non-fatal. It's possible that they've just changed the behavior... but the fact that the error output says that your trying to encipher to an untrusted key suggests to me that you've somehow dropped session awareness and are, for instance, using a functionally blank keychain in which your key's really not trusted.

If you're doing that on purpose... ie, doing this somewhere without your Real keychain (including, ie, self-sigs), then you really Should move your keychain over, and the encryption won't break. That'd be a "but that's how it's supposed to work" problem.

If you did that, and this is whinging at you despite it, then something's broke, but I'd be glad to take a few sober (hey, it's Saturday night, and I was working until ten minutes ago) moments to figure out what.
[User Picture]From: bsdguru
2006-09-27 09:05 pm (UTC)

(Link)

You're making me wonder if you are going to seriously spend hours typing your private key back from your printout.
[User Picture]From: brad
2006-09-27 09:09 pm (UTC)

(Link)

I'd also have it on CD, USB stick, etc.

But yes, if that was the only way to recover my data, I'd type it in. Or try and OCR it. etc.
[User Picture]From: scosol
2006-09-22 05:39 am (UTC)

(Link)

that reminds me of when i blindly did a ports upgrade, upgrading wget in the process, and then wondering why my big "competitor monitoring" app was no longer working as well-

the authors of wget removed the "ignore robots.txt" option, in some holy gift to Internet goodwill or something...
[User Picture]From: robbat2
2006-09-22 07:55 am (UTC)

(Link)

check that your key is cross-signed with your own keyid.
it sounds like it isn't.

if not:
'gpg --edit-key 92FDF929'
this will take you into the key editing mode.
'cross-certify'
- this will fix your key up
'trust'
- enter that you 'ultimate'ly trust your own key
'save'
- save changes and exit.

I tried to check that keyid of yours, but it doesn't seem to be on the keyservers I use.
[User Picture]From: grumpy_sysadmin
2006-09-24 04:53 am (UTC)

(Link)

Oh yeah, or that. But I don't know how you'd have managed to create a key absent a self-signature without having an inkling you were doing so...
[User Picture]From: robbat2
2006-09-24 09:10 pm (UTC)

(Link)

There was an advisory about it a while ago, and the cross-certify option was added.
In specific, some older versions of GnuPG didn't add the self-signature when they were supposed to.