gpg failure if /root/.gnupg doesn't exist and /var/lib/smart is empty

This is how smart calls gpg:

root@nsn2:~# gpg --keyring /etc/apt/trusted.gpg --status-fd 1 --no-default-keyring --no-secmem-warning --batch --verify Release.gpg Release
gpg: Signature made Tue 13 Apr 2010 09:25:39 AM BRT using DSA key ID 437D05B5
[GNUPG:] SIG_ID mIKaw5+pk677fzgzZBFIUb9ehSs 2010-04-13 1271161539
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: fatal: /root/.gnupg: directory does not exist!
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768
root@nsn2:~# echo $?
2

If I drop "--no-default-keyring", then it seems to work:

root@nsn2:~# gpg --keyring /etc/apt/trusted.gpg --status-fd 1 --no-secmem-warning --batch --verify Release.gpg Release
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: Signature made Tue 13 Apr 2010 09:25:39 AM BRT using DSA key ID 437D05B5
[GNUPG:] SIG_ID mIKaw5+pk677fzgzZBFIUb9ehSs 2010-04-13 1271161539
gpg: /root/.gnupg/trustdb.gpg: trustdb created
[GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
gpg: Good signature from "Ubuntu Archive Automatic Signing Key <email address hidden>"
[GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2010-04-13 1271161539 0 3 0 17 2 00 630239CC130E1A7FD81A27B140976EAF437D05B5
[GNUPG:] TRUST_UNDEFINED
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6302 39CC 130E 1A7F D81A 27B1 4097 6EAF 437D 05B5
root@nsn2:~# echo $?
0

With smart tweaked to not include --no-default-keyring:

root@nsn2:~# rm -rf .gnupg /var/lib/smart/*
root@nsn2:~# smart update
Updating cache... ################################################################################################################### [100%]

Fetching information for 'lucid - partner'...
-> http://archive.canonical.com/ubuntu/dists/lucid/Release.gpg
Release.gpg ################################################################################################################### [ 1%]
-> http://archive.canonical.com/ubuntu/dists/lucid/Release
Release ################################################################################################################### [ 3%]
-> http://archive.canonical....

The problem is that there are *two* files created:
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created

So even if the --keyring is set, it'll still try to create
the config directory unless setting --trustdb-name too:
gpg --keyring /etc/apt/trusted.gpg --no-default-keyring --trustdb-name /etc/apt/trustdb.gpg --verify Release.gpg Release

So it probably needs to grow another setting ?

i.e. apt-deb "trustdb", right next to the "keyring"

Or work around it by "mkdir /root/.gnupg", sure... (above)
But it will still create a new empty trustdb.gpg in that case.

Hi Anders,

creating "/root/.gnupg" is indeed the workaround we opted for, while waiting for a better alternative. I'm not sure to understand your comment #2.. I'm wondering if this is actually a bug of gpg, that should create whatever directory is necessary to perform the requested operation. I'm on #smart whenever you feel like talking about it.

Added some non-pseudo code in "trustdb" branch.

Anders, your suggestion sounds very sane. Did you try smart, or the full gnupg command line, with the added trustdb option? Does it work then the first time and without a /root/.gnupg directory?

I guess it does work:

root@nsn2:~# rm -rf .gnupg
root@nsn2:~# gpg --keyring /etc/apt/trusted.gpg --trustdb /etc/apt/trustdb.gpg --no-default-keyring --status-fd 1 --no-secmem-warning --batch --verify Release.gpg Release
gpg: Signature made Tue 13 Apr 2010 09:25:39 AM BRT using DSA key ID 437D05B5
[GNUPG:] SIG_ID mIKaw5+pk677fzgzZBFIUb9ehSs 2010-04-13 1271161539
[GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
gpg: Good signature from "Ubuntu Archive Automatic Signing Key <email address hidden>"
[GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2010-04-13 1271161539 0 3 0 17 2 00 630239CC130E1A7FD81A27B140976EAF437D05B5
[GNUPG:] TRUST_UNDEFINED
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6302 39CC 130E 1A7F D81A 27B1 4097 6EAF 437D 05B5
root@nsn2:~# ls -la .gnupg
ls: cannot access .gnupg: No such file or directory
root@nsn2:~#

This bug was fixed in the package landscape-client - 1.5.0.1-0ubuntu0.10.04.0

---------------
landscape-client (1.5.0.1-0ubuntu0.10.04.0) lucid; urgency=low

  * New upstream version
    - Fix smart-update failing its very first run (LP: #562496)
    - Depend on pythonX.Y-dbus and pythonX.Y-pycurl (LP: #563063)
    - Make only one request at a time to retrieve EC2 instances (LP: #567515)
 -- Free Ekanayaka <email address hidden> Wed, 21 Apr 2010 12:31:28 +0200

Accepted landscape-client into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Accepted landscape-client into jaunty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

This bug was fixed in the package landscape-client - 1.5.0.1-0ubuntu0.9.04.0

---------------
landscape-client (1.5.0.1-0ubuntu0.9.04.0) jaunty-proposed; urgency=low

  * New upstream version
    - Fix smart-update failing its very first run (LP: #562496)
    - Depend on pythonX.Y-dbus and pythonX.Y-pycurl (LP: #563063)
    - Make only one request at a time to retrieve EC2 instances (LP: #567515)

  * New upstream version (LP: #557244)
    - Fix package-changer running before smart-update has completed (LP: #542215)
    - Report the version of Eucalyptus used to generate topology data (LP: #554007)
    - Enable the Eucalyptus plugin by default, if supported (LP: #546531)
    - Use a whitelist of allowed filesystem types to instead of a blacklist (LP: #351927)
    - Report the update-manager logs to the server (LP: #503384)
    - Turn off Curl's DNS caching for requests. (LP: #522668)
 -- Free Ekanayaka <email address hidden> Wed, 21 Apr 2010 12:31:28 +0200

This bug was fixed in the package landscape-client - 1.5.0.1-0ubuntu0.9.10.0

---------------
landscape-client (1.5.0.1-0ubuntu0.9.10.0) karmic-proposed; urgency=low

  * New upstream version
    - Fix smart-update failing its very first run (LP: #562496)
    - Depend on pythonX.Y-dbus and pythonX.Y-pycurl (LP: #563063)
    - Make only one request at a time to retrieve EC2 instances (LP: #567515)

  * New upstream version (LP: #557244)
    - Fix package-changer running before smart-update has completed (LP: #542215)
    - Report the version of Eucalyptus used to generate topology data (LP: #554007)
    - Enable the Eucalyptus plugin by default, if supported (LP: #546531)
    - Use a whitelist of allowed filesystem types to instead of a blacklist (LP: #351927)
    - Report the update-manager logs to the server (LP: #503384)
    - Turn off Curl's DNS caching for requests. (LP: #522668)
 -- Free Ekanayaka <email address hidden> Wed, 21 Apr 2010 12:31:28 +0200