GnuPG permission problems on a dual-OS machine

I am running Thunderbird with GnuPG on a dual-OS machine (Ubuntu 14.04 and Windows 8.1). I use a symbolic link to forward Ubuntu's GnuPG to the Windows GnuPG (as per https://superuser.com/questions/852229/gnupg-in-thunderbird-w-enigmail-on-dual-os-machine). I automount the Windows partition via fstab with the options defaults,windows_names,rw,auto,user,exec, which grants full permissions on the GnuPG configuration files on the Windows side: -rwxrwxrwx 1 root root

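As far as I understand from "What does "unsafe permissions on configuration file `/home/david/.gnupg/gpg.conf'" mean and how do I fix it?", GnuPG complains that the configuration files have too many permissions, for example when I import keys. A warning message is shown below.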

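Ideally, it should only have -rw-------. To get that few permissions on the configuration files, I would have to mount with other parameters. But then I would have read-write access to the entire partition, which I do not want, because I do execute some files.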

Another approach would be to import keys only in Windows. Both approaches are inconvenient.

Is there another way to stop GnuPG from complaining? For example, can I ignore GnuPG's warnings?

Here is the GnuPG warning message:

Importing the keys failed

gpg: WARNING: unsafe permissions on configuration file `/home/michael/.gnupg/gpg.conf'
gpg: WARNING: unsafe enclosing directory permissions on configuration file `/home/michael/.gnupg/gpg.conf'
gpg: invalid size of lockfile `/home/michael/.gnupg/pubring.gpg.lock'
gpg: cannot read lockfile
gpg: can't lock `/home/michael/.gnupg/pubring.gpg'
gpg: invalid size of lockfile `/home/michael/.gnupg/secring.gpg.lock'
gpg: cannot read lockfile
gpg: can't lock `/home/michael/.gnupg/secring.gpg'
gpg: error writing keyring `/home/michael/.gnupg/pubring.gpg': general error
gpg: key B5CECC76: public key "[User ID not found]" imported
gpg: error reading `/tmp/0xB5CECC76.asc': general error
gpg: import from `/tmp/0xB5CECC76.asc' failed: general error
gpg: Total number processed: 0
gpg:               imported: 1  (RSA: 1)

Answer 1

Perhaps sharing the whole configuration file/directory is what causes the problems, and another approach might work better.

  • Perhaps a "shared keyring scheme" would work better; see man gpg. Some options that may be useful:

    --keyring file
          Add  file to the current list of keyrings. If file begins with
          a tilde and a slash, these are replaced by  the  $HOME  direc‐
          tory.  If the filename does not contain a slash, it is assumed
          to be in the GnuPG home directory ("~/.gnupg" if --homedir  or
          $GNUPGHOME is not used).
    
          Note  that  this  adds  a  keyring to the current list. If the
          intent is to use the specified keyring  alone,  use  --keyring
          along with --no-default-keyring.
    
    --secret-keyring file
          Same as --keyring but for the secret keyrings.
    
    --primary-keyring file
          Designate  file as the primary public keyring. This means that
          newly imported keys (via --import  or  keyserver  --recv-from)
          will go to this keyring.
    
    --no-default-keyring
          Do  not add the default keyrings to the list of keyrings. Note
          that GnuPG will not operate without any keyrings,  so  if  you
          use  this  option  and  do  not provide alternate keyrings via
          --keyring or --secret-keyring, then GnuPG will still  use  the
          default public or secret keyrings.
    
  • A possible option using different subkeys
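One way to set up the shared keyring scheme, as an added example that is not part of the original answer: keep a local GnuPG home with strict permissions on the Linux side and reference only the keyrings on the Windows partition from its gpg.conf. The function names and paths are hypothetical, and the ownership and write-bit test only approximates what gpg checks. It addresses the permission warnings, not the lockfile errors in the output above.

```shell
#!/bin/sh
# Added example: local GnuPG home with strict permissions, shared keyrings elsewhere.
# The ownership / write-bit test approximates the conditions gpg warns about;
# it is not GnuPG's own code.

# 0 if $1 exists, is owned by the current user, and is not group/other writable.
perm_ok() {
    [ -e "$1" ] && [ -O "$1" ] || return 1
    # find prints the path only if a group- or other-write bit is set
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Report problems for config file $1 and its directory; nonzero if any is found.
audit_conf() {
    rc=0
    dir=$(dirname "$1")
    perm_ok "$1" || { echo "unsafe permissions: $1"; rc=1; }
    perm_ok "$dir" || { echo "unsafe enclosing directory: $dir"; rc=1; }
    return "$rc"
}

# Create home $1 (0700) with a gpg.conf (0600) that uses only the keyrings
# $2 (public) and $3 (secret); gpg.conf takes long options without the "--".
make_local_home() {
    ( umask 077
      mkdir -p "$1" && chmod 700 "$1" || exit 1
      printf '%s\n' "no-default-keyring" "keyring $2" "secret-keyring $3" \
          > "$1/gpg.conf" ) || return 1
    chmod 600 "$1/gpg.conf"
}

# Demo with constructed paths: a world-writable directory stands in for the
# mounted Windows partition from the question.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/win" && chmod 777 "$tmp/win"
    : > "$tmp/win/gpg.conf" && chmod 777 "$tmp/win/gpg.conf"
    audit_conf "$tmp/win/gpg.conf" || true   # reports both problems
    make_local_home "$tmp/home" "$tmp/win/pubring.gpg" "$tmp/win/secring.gpg"
    audit_conf "$tmp/home/gpg.conf" && echo "local home passes"
    rm -rf "$tmp"
}
demo
```

gpg is then pointed at the local home with --homedir or $GNUPGHOME, as the man page excerpt mentions.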
