Bug#1099760: cryptsetup: Cryptsetup provided keyscript 'decrypt_gnupg' uses obsolete gnupg option --secret-keyring

Fri, 07 Mar 2025 09:48:25 -0800 

Package: cryptsetup
Version: 2:2.7.5-1
Severity: minor
X-Debbugs-Cc: debianbts-20230827181...@racbu.de

Dear Maintainer,

I use the cryptsetup provided keyscript 'decrypt_gnupg' to open my
type=plain root disk in the initram-stage. I provide the key via gnupg.

Each time the disk is opened in initram I get the warning:
,---- [ Warning ]
| gpg: WARNING: "--secret-keyring" is an obsolete option - it has no effect
`----

The gpg man page confirms this:
,---- [ man gpg ]
| --secret-keyring file
|     This is an obsolete option and ignored.  All secret keys are stored
|     in the ‘private-keys-v1.d’ directory below the GnuPG home directory.
`----

I can't see any impact on the system. It's only an annoying warning.

It would be nice to remove the option '--secret-keyring /dev/null' from
the script 'decrypt_gnupg' when there is time. Thanks.



-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.12.12-amd64 root=/dev/mapper/rey_root ro 
intel_iommu=on,igfx_off

-- /etc/crypttab
# <target name> <source device>         <key file>                      
<options>
cswap1          PARTUUID=34cdd6fc-01    /dev/random                     
cipher=aes-xts-plain64,size=512,hash=sha512,plain,swap
rey_root        PARTUUID=34cdd6fc-02    /boot/keys/rey_key.gpg  
cipher=aes-xts-plain64,size=512,hash=sha512,plain,sector-size=512,keyscript=decrypt_gnupg


-- /etc/fstab
/dev/mapper/cswap1      none            swap    defaults        0       0
/dev/mapper/rey_root    /               ext4    defaults        0       1


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.12-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cryptsetup depends on:
ii  cryptsetup-bin         2:2.7.5-1
ii  debconf [debconf-2.0]  1.5.89
ii  dmsetup                2:1.02.201-1
ii  libc6                  2.40-7

cryptsetup recommends no packages.

Versions of packages cryptsetup suggests:
ii  cryptsetup-initramfs    2:2.7.5-1
ii  dosfstools              4.2-1.1
pn  keyutils                <none>
ii  liblocale-gettext-perl  1.07-7+b1

-- debconf information:
  cryptsetup/prerm_active_mappings: true

Reply via email to