I'm trying to deploy a project which uses GPG to encrypt data being sent to a SOAP WebService. When I tried to encrypt the file, I found that python-gnupg was trying to put a lock file into my gnupghome directory, which is not writable by the user Apache is run under. I'd rather not give write access to "nobody", so is there a way to change the location python-gnupg uses to store lock files?
Clarification:
It was pointed out to me that I may not have made it clear that I am currently setting gnupghome when I initialize the object, but I do not want the lock files to be placed there, because I do not want "nobody" to have write access to that location.
The lock file is created by gnupg, not the python wrapper, and it is always created in the GNUPGHOME path, defaulting to ~/.gnupghome.
You cannot prevent the lockfile, but you can set the directory to a temporary one. The disadvantage is that it'll not be able to load the default keyring so you'll need to pass it in explicitly, telling GNUPG to ignore the default file (it'll complain bitterly if you do not):
import shutil
import tempfile

import gnupg  # python-gnupg

# Throw-away GNUPGHOME: gnupg puts its lock files here, not in the real key directory
home = tempfile.mkdtemp()
try:
    gpg = gnupg.GPG(gnupghome=home, keyring='/path/to/keyring/file',
                    options=['--no-default-keyring'])
    # ... do the encryption with gpg here, before the temporary home is removed ...
finally:
    shutil.rmtree(home)
In fact, I've gone as far as using a temporary file for the keyring as well; use the tempfile.mkstemp() function to create an empty file in the temporary directory generated above, import the key (drawn from a database) into that keyring (using .import_keys()) then use the imported key to do the encryption, before cleaning up the whole temporary home.