gpg: WARNING: unsafe ownership on homedir /home/USER/.gnupg


I get a warning about unsafe ownership on ~/.gnupg

curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo gpg --dearmor -o /usr/share/keyrings/githubcli-archive-keyring.gpg
  gpg: WARNING: unsafe ownership on homedir '/home/USER/.gnupg'
  • I tried the following, but nothing worked:
    chown -R $(USER) ~/.gnupg/
    
    find ~/.gnupg -type f -exec chmod 600 {} \;
    find ~/.gnupg -type d -exec chmod 700 {} \;
    
    sudo gpgconf --kill dirmngr
    sudo chown -R USER:USER /home/USER/.gnupg
    chmod 700 /home/USER/.gnupg
    chmod 600 ~/.gnupg/*
    
  • ls -al /home/elias/.gnupg
    
      drwx------  4 USER USER  4096 Jul  1 19:33 .
      drwxr-xr-x 96 USER USER 20480 Jul 10 11:19 ..
      drw-------  2 USER USER  4096 Feb 13  2019 crls.d
      drw-------  2 USER USER  4096 Aug 13  2018 private-keys-v1.d
      -rw-------  1 USER USER  2305 Feb 13  2019 pubring.kbx
      -rw-------  1 USER USER   584 Feb 13  2019 pubring.kbx~
      -rw-------  1 USER USER  1200 Aug 13  2018 trustdb.gpg
    


Possibly related:

error:45 http://ppa.launchpad.net/hugin/hugin-builds/ubuntu bionic Release    
  404  Not Found [IP: 91.189.95.85 80]

Hit:32 https://www.icesi.edu.co/CRAN/bin/linux/ubuntu xenial-cran35/ InRelease

error:25 https://repo.skype.com/deb stable InRelease
  The following signatures were not valid: EXPKEYSIG 1F3045A5DF7587C3 Skype Linux Client Repository <[email protected]>

error:30 http://apt.insynchq.com/ubuntu bionic InRelease
  The following signatures were not valid: EXPKEYSIG A684470CACCAF35C Insynchq Inc <[email protected]>

E: The repository 'https://packages.sury.org/php bionic Release' does not have a Release file.
   N: Updating from such a repository cant be done securely, and is therefore disabled by default.
   N: See apt-secure(8) manpage for repository creation and user configuration details.

E: The repository 'http://ppa.launchpad.net/hugin/hugin-builds/ubuntu bionic Release' does not have a Release file.
   N: Updating from such a repository cant be done securely, and is therefore disabled by default.
   N: See apt-secure(8) manpage for repository creation and user configuration details.

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used.
   GPG error: https://repo.skype.com/deb stable InRelease: The following signatures were not valid: EXPKEYSIG 1F3045A5DF7587C3 Skype Linux Client Repository <[email protected]>

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used.
   GPG error: http://apt.insynchq.com/ubuntu bionic InRelease: The following signatures were not valid: EXPKEYSIG A684470CACCAF35C Insynchq Inc <[email protected]>

Additional information requested:

ls -al /usr/share/keyrings/

Result:

drwxr-xr-x   2 root root  4096 Jul 10 11:13 .
drwxr-xr-x 621 root root 20480 Jul 10 13:50 ..
-rw-r--r--   1 root root  1795 Jul 10 11:52 githubcli-archive-keyring.gpg
-rw-r--r--   1 root root  2274 May 11 13:19 ubuntu-advantage-cis.gpg
-rw-r--r--   1 root root  2236 May 11 13:19 ubuntu-advantage-esm-apps.gpg
-rw-r--r--   1 root root  2264 May 11 13:19 ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r--   1 root root  2275 May 11 13:19 ubuntu-advantage-fips.gpg
-rw-r--r--   1 root root  7399 Sep 18  2018 ubuntu-archive-keyring.gpg
-rw-r--r--   1 root root  6713 Oct 27  2016 ubuntu-archive-removed-keys.gpg
-rw-r--r--   1 root root  4097 Feb  6  2018 ubuntu-cloudimage-keyring.gpg
-rw-r--r--   1 root root     0 Jan 17  2018 ubuntu-cloudimage-removed-keys.gpg
-rw-r--r--   1 root root  1227 May 27  2010 ubuntu-master-keyring.gpg

Additional information 2:

sudo env | grep '^HOME='

Result:

HOME=/home/elias

Answer 1

Let's look at what this command does (simplified for the sake of illustration):

curl … | sudo gpg … -o /usr/share/keyrings/githubcli-archive-keyring.gpg

The curl part goes off and gets the thing we're going to give to gpg; no problem.

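The sudo gpg command runs gpg as root, but with the HOME directory unchanged. When gpg runs, it checks the ownership and permissions of $HOME/.gpg. In this case it is running as root, but finds that the owner of the directory is not root but USER. It duly complains loudly: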

gpg: WARNING: unsafe ownership on homedir '/home/USER/.gnupg'

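You mentioned that you can't omit sudo, and I assume this is because you need root privileges to write to /usr/share/keyrings/. In that case, the solution may be to tell sudo to change the HOME directory value to match the root user: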

sudo -H gpg --dearmor -o /usr/share/keyrings/githubcli-archive-keyring.gpg

The documentation (man sudo) explains,

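-H, --set-home: Request that the security policy set the HOME environment variable to the home directory specified by the target user's password database entry.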

Another option is to run gpg without sudo and write the key into your own HOME directory, then use sudo to move it to the target directory:

gpg --dearmor -o githubcli-archive-keyring.gpg &&
    sudo mv -f githubcli-archive-keyring.gpg /usr/share/keyrings/
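
The check described in this answer can be approximated in a few lines of shell to see why the same directory is fine for USER but flagged under sudo. This is an added example, not part of the original answer and not gpg's own code; the function name check_gnupg_home is hypothetical and GNU stat (as shipped on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: approximates the homedir ownership/permission check
# the answer describes. Not gpg's own code. Assumes GNU stat.

# check_gnupg_home DIR [UID]   (hypothetical helper)
# Prints one of: ok | unsafe ownership | unsafe permissions | missing
# UID defaults to the current effective uid; pass 0 to see what a
# process running as root would conclude about the same directory.
check_gnupg_home() {
    dir=$1
    uid=${2:-$(id -u)}
    if [ ! -d "$dir" ]; then
        echo "missing"
        return 0
    fi
    owner=$(stat -c '%u' "$dir")   # numeric owner of the directory
    mode=$(stat -c '%a' "$dir")    # octal permission bits, e.g. 700
    if [ "$owner" != "$uid" ]; then
        # Directory belongs to someone other than the running user:
        # the situation behind "unsafe ownership on homedir".
        echo "unsafe ownership"
    elif [ $(( 0$mode & 077 )) -ne 0 ]; then
        # Any group/other bit set on the directory is too permissive.
        echo "unsafe permissions"
    else
        echo "ok"
    fi
}

# Homedir a gpg process would pick up from the current environment.
home_dir=${GNUPGHOME:-${HOME:-/nonexistent}/.gnupg}

# Plain "gpg" as the invoking user.
echo "as current user:          $(check_gnupg_home "$home_dir")"
# "sudo gpg" with HOME preserved: uid 0 looking at the user's directory.
echo "as uid 0, HOME unchanged: $(check_gnupg_home "$home_dir" 0)"
```

With sudo -H, HOME points at root's home directory instead, so the directory being checked is one root owns.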
