
Permissions of files in ~/.gnupg folder
Reported by steve | July 29th, 2020 @ 12:39 PM
User report
While importing keys into my GPG Keychain, I noticed that the application keeps saving files with group- and world-readable permissions. For example, here are permissions for my keyring after a simple save operation:
-rw-r--r-- 1 user staff - 235K 28 Jul 21:58 pubring.kbx
This strikes me as a security issue. Making a keyring readable by every member of the "staff" group on a shared machine seems like it could lead to unwanted leaks, especially as it is at a well-known location. Resetting the permissions to 700 does not help, as GPG Keychain will reset the permissions each and every time.
Furthermore, I notice that GPG Keychain actually overwrites the files: if I replace any of the files in the ~/.gnupg directory with a link to another (possibly safer) filesystem location, using GPG Keychain will cause the link to be overwritten and replaced by a fresh new file. This is not true when using gpg from the command line or other tools like SSH. This could lead to configurations not being honoured, and I see no reason why the app should so aggressively overwrite symlinks.
Findings
I’ve just had a quick test run and can confirm both of your findings. As suspected, however, GnuPG is doing this itself, not our tools, which are running calls against the gpg binary.
In order to verify your statements I first changed the permissions of pubring.kbx to 600. After running an import via Terminal, the permissions were reset to 644.
For the test to work, it is necessary to import a key which does not already exist; otherwise GnuPG doesn’t have to update the file and it won’t work.
It appears that this problem occurs due to GnuPG creating a backup of pubring.kbx before updating it. You can verify that by checking the permissions of pubring.kbx~ which shows the proper permissions of 600.
The same seems to be the case for symlinks. If you create a symlink for pubring.kbx and import a key afterwards (again, has to be a key not yet in the keyring), GnuPG will move your symlink to pubring.kbx~ and create an actual file for the updated database.
Werner from GnuPG seems to be aware of the permission issue; it’s unclear, however, if it’s planned to fix it: https://dev.gnupg.org/T2925
This is the closest I could find with regard to symlinks and pubring.kbx: https://dev.gnupg.org/T1426
Generally we advise symlinking the entire .gnupg folder if, for example, you want to store it on a thumb drive.