When I try to list my gpg keys I'm getting an error:
gpg --list-keys
gpg: NOTE: trustdb not writable
gpg: checking the trustdb
gpg: trustdb rec 56: write failed (n=-1): Bad file descriptor
gpg: trustdb: sync failed: Bad file descriptor
I tried doing a recursive chown on my user directory. But that didn't seem to solve the problem.
The volume is not read only:
[web1:~] bluethundr% touch test
[web1:~] bluethundr% echo hi > test
[web1:~] bluethundr% cat test
hi
So I'm wondering why the trustdb is not writable.
How can I solve this?
That seems to have been reported in bug 771976:
I found this when running the command apt-key list on a machine where
the root filesystem is normally mounted read-only.
This results in running gpg with "--trustdb-name", "/etc/apt//trustdb.gpg", "--list-keys".
gpg in turn attempts to create "/etc/apt//trustdb.gpg.lock" in order to lock the trustdb, which fails.
Seeing how --list-keys is an operation which shouldn't require writing
to anything, having it fail in this situation is bad.
Even though the volume is not read-only, check (with strace) where gpg --list-key is attempting to create its trustdb.gpg.lock file. strace writes its trace to stderr, so it has to be redirected into the pipe:
strace gpg --list-key 2>&1 | grep trustdb.gpg.lock
The OP bluethundr adds in the comments:
I changed to the .gnupg directory and did a list.
I saw that the files in there were owned by root! So I did a sudo chown -R myuser:myuser *.
Then I ran gpg --list-keys again and it worked!
The problem was that the files in .gnupg were owned by root for some reason.
I granted the permissions on the trustdb.gpg file present in the installation directory on the C: drive to the user I had logged on with. It worked thereafter.
I'm trying to run gpg from a Bash script designed to backup a website. The command that fails is
gpg --homedir /home/backupuser/.gnupg --verbose --no-tty --recipient {group-name} --trust-model always --output /home/backupuser/backup/{tar-file}.gpg --encrypt /mnt/ramdir/site-backup-backupuser/{tar-file}
It fails with return code 127. The gpg home directory exists, as does the {tar-file}. The output directory exists but the output file does not.
If I repeat the gpg command in the script it fails in exactly the same way. But if I execute it in shell immediately after it has failed in the script it works as expected. The output is:
gpg: using subkey {hhhhhhhhhhhhhhhh} instead of primary key {hhhhhhhhhhhhhhhh}
gpg: automatically retrieved '{email address1}' via Local
gpg: No trust check due to '--trust-model always' option
gpg: using subkey {hhhhhhhhhhhhhhhh} instead of primary key {hhhhhhhhhhhhhhhh}
gpg: automatically retrieved '{email address2}' via Local
gpg: No trust check due to '--trust-model always' option
gpg: reading from '/mnt/ramdir/site-backup-backupuser/{tar-file}'
gpg: writing to '/home/backupuser/backup/{tar-file}.gpg'
gpg: '/mnt/ramdir/site-backup-backupuser/{tar-file}' already compressed
gpg: RSA/AES256 encrypted for: "{hhhhhhhhhhhhhhhh} {Comment} <{email address1}>"
gpg: RSA/AES256 encrypted for: "{hhhhhhhhhhhhhhhh} {Comment} <{email address2}>"
This is Debian "bullseye" 11.6, gpg 2.2.27 and libgcrypt 1.8.8.
I have tried numerous combinations of parameters, always with the above result. With or without --homedir, with or without sudo (I was getting desperate), from a file on disk rather than in RAM, with or without --verbose and several others.
After a domain migration, I am unable to load my public keys at all. I tried deleting and recreating them, but I always get the same error as below:
PS D:\Personal\OpenSSH-Win32> .\ssh-keygen.exe
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\raja/.ssh/id_rsa):
C:\Users\raja/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\raja/.ssh/id_rsa.
fopen C:\\Users\\raja/.ssh/id_rsa.pub failed: Permission denied
PS D:\Personal\OpenSSH-Win32>
I have tried fixing permissions
chmod 600 ~/.ssh/id_rsa.*
chmod: cannot access '/c/Users/raja/.ssh/id_rsa.*': No such file or directory
But that seems to have failed. Please help.
Since you are on Windows, try specifying a valid path to store the file (that is, using backslashes instead of slashes):
Change from
C:\Users\raja/.ssh/id_rsa
to
C:\Users\raja\.ssh\id_rsa
I am trying to decrypt a file using the following command:
gpg --batch --no-tty --yes --always-trust --primary-keyring /root/.gnupg/secring.gpg -o file.csv --passphrase -d file.csv.asc
It works fine, but when I run it in cron I get the following error message:
gpg: expected public key but found secret key - must stop
What can I do to get it running in cron?
Don't point to a keyring, but to a complete GnuPG home directory using --homedir /root/.gnupg. --homedir sets the directory in which GnuPG searches for all its other files.
--primary-keyring file can only be used for public keyrings, which will not help you with decryption. From man gpg:
--primary-keyring file
Designate file as the primary public keyring. This means that newly
imported keys (via --import or keyserver --recv-from) will go to this
keyring.
Alternatively, you can use --secret-keyring file:
--secret-keyring file
Same as --keyring but for the secret keyrings.
I'm not sure whether you need this parameter anyway: if you're running this cron job as the root user, $HOME should already be set to /root and GnuPG will find its home folder without further configuration. If you're not running the cron job as root, put the keys in another location (i.e., the user's home directory); giving other users read and possibly write access to /root is a potential security issue.
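As an added example (not from any of the posters above), a POSIX shell check that covers both the root-owned ~/.gnupg files from the first thread and the cron question here: it reports entries in the GnuPG home not owned by the invoking user, whether the directory is writable (gpg has to create trustdb.gpg.lock there), and resolves the home through GNUPGHOME and HOME, which cron may not set the way an interactive shell does. The function name and messages are my own.

```shell
# gnupg_home_check [homedir]
# Defaults to $GNUPGHOME, then $HOME/.gnupg, like gpg itself.
# Exit status: 0 = nothing suspicious, 1 = no such directory,
#              2 = ownership or permission problem (details on stderr).
gnupg_home_check() {
    dir="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
    # Numeric uid fallback keeps this working where id -un has no passwd entry.
    me="$(id -un 2>/dev/null || id -u)"
    status=0

    if [ ! -d "$dir" ]; then
        echo "no GnuPG home at '$dir' (HOME is '${HOME:-unset}')" >&2
        return 1
    fi

    # Entries owned by someone else, e.g. after running gpg under sudo once.
    foreign="$(find "$dir" ! -user "$me" 2>/dev/null)"
    if [ -n "$foreign" ]; then
        echo "entries in $dir not owned by $me (chown them back):" >&2
        echo "$foreign" >&2
        status=2
    fi

    # The lock file trustdb.gpg.lock is created in the home directory itself.
    if [ ! -w "$dir" ]; then
        echo "$dir is not writable; gpg cannot create trustdb.gpg.lock" >&2
        status=2
    fi

    # An existing trustdb must be writable for the 'checking the trustdb' pass.
    if [ -e "$dir/trustdb.gpg" ] && [ ! -w "$dir/trustdb.gpg" ]; then
        echo "$dir/trustdb.gpg exists but is not writable" >&2
        status=2
    fi
    return "$status"
}

# Usage (uncomment): gnupg_home_check || echo "fix the problems above first"
```

From a cron job, call it before gpg so the job's log shows whether HOME and ownership were what you expected.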
I tried to create an SSH key with the following command:
ssh-keygen -t dsa
Then it prompted me to enter the storage path:
Enter file in which to save the key (/Users/KesongXie/.ssh/id_dsa): id_dsa
After entering my passphrase, I got the following result:
Your identification has been saved in id_dsa.
Your public key has been saved in id_dsa.pub.
Then I tried to load my private SSH key using the following command:
ssh-add /Users/KesongXie/.ssh/id_dsa
It shows the result:
-bash: ssh-add/Users/KesongXie/.ssh/id_dsa: No such file or directory
When I navigate to my local directory, Users/KesongXie, I cannot find the .ssh file (as expected, dot files are hidden), but when I tried to view it in my terminal, I typed
cd ~
pwd
I got Users/KesongXie
and I tried to ls and expected to see my .ssh, but it's still invisible. Then I tried
cd .ssh
I found that I had entered the .ssh directory; using ls, I can see the following result:
github_rsa github_rsa.pub id_dsa id_dsa.pub known_hosts
The keys are stored in the .ssh folder, but I wonder why I cannot load the private key using
ssh-add /Users/KesongXie/.ssh/id_dsa
If I read this correctly, you did:
Enter file in which to save the key (/Users/KesongXie/.ssh/id_dsa): id_dsa
This tells the ssh-keygen command to make an id_dsa file in the current directory. To make one in the .ssh directory, you have to simply press enter.
So now you have key files in your home directory, and you don't have a .ssh directory (at least that is what I suspect is happening).
The "cd .ssh" command will do nothing because you don't have a .ssh directory. That's why other programs complain the file does not exist.
By the way, the ls command will not show you any files that start with a dot, like ".ssh", because those files are hidden. Use "ls -a" to see hidden files.
Problem: to copy a directory tree from the "me" master user to the encrypted hard drive of the "cs" user:
su cs
bash-3.2$ cp -R /Users/me/cs_project /Users/cs/
cp: /Users/cs/cs_project: Permission denied
cp: /Users/me/cs_project/h_mark: unable to copy extended attributes to /Users/cs/: Permission denied
cp: /Users/cs/: No such file or directory
...
Question: How can I copy my project of the master user "me" to my other user "cs"?
New information about the Encryption
I got the suggestions working with other users, but not with the original users. The problem is that the 'cs' user has Mac's SafeVault encryption.
Is the "me" user an administrator? If so, you can log in as me, then manually mount cs's home image with:
sudo hdiutil mount /Users/cs/cs.sparsebundle
cp -R /Users/me/cs_project /Volumes/cs/
Notes: the sudo command will ask for me's password, and then hdiutil might pop up a GUI dialog asking for the FileVault master password; you can either supply this (if you know it), or hit the cancel button and enter the encryption password (i.e. cs's password) in the CLI when it prompts for that. Also, the image should mount with file ownership ignored, meaning that you don't have to sudo the cp command (OTOH, the permissions may come out a little weird on the copied files, so expect to clean them up afterward).
Alternately, you could take the easy way: log in as me, copy/move the files to some public location, set the permissions on them to grant cs read access, then log in as me and copy them.
You need to set permissions. The easiest thing is probably:
$ su me
$ chmod -R o+r /Users/cs/cs_project
Whatever user you're running this command under needs permission to read (and search dirs, i.e. the x permission bit) throughout the tree rooted at /Users/me/cs_project and, of course, permission to write in /Users/cs. You can change permissions as needed with the chmod command.
Try sudo cp -R /Users/me/cs_project /Users/cs/