gnupg permissions warning is mysterious and misleading

Bug #456497 reported by tz
This bug affects 1 person

Affects: gnupg (Ubuntu)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Binary package hint: gnupg

Technically this is the bad behavior in (invalid) bug 414812, but it should be fixed.

Using GPG, it will frequently say:
gpg: WARNING: unsafe ownership on configuration file...

The problem is that it doesn't specify what is wrong, which apparently can be from several sources, including running gpg as root (sudo or a sudo shell) or not having something right, but guessing is hard, particularly when "ls -l" and "ls -ld" show correct results. Running gpg as root is NOT unsafe ownership; it is the fact that it is being run as root.

There are a lot of Google hits without any specific answer, including some marked [SOLVED].

gpg should explain, WARNING unsafe permissions ...

user running gpg is not owner (group) of file XXX
.gnupg directory permissions should be
.gnupg/XXX permissions should be 400 or 200

or whatever else can cause the message to appear.

I am marking this as a security vulnerability because, after the 6th fruitless attempt to figure out what is causing the message, the typical response would be to alias in the --no-permission-warning option.

False alarms lead to disabling the alarm. An alarm which cannot be traced back to the cause easily (it took me over 20 minutes since I really, really wanted to find the cause) will be considered a false alarm.

A virus scanner that reports "there may be a virus somewhere on your system" is useless - it needs to say which file or at least some information where it can be traced back.

If GPG detects a real vulnerability it needs to be specific and clear so it can be corrected and not ignored.

I don't know if running it as root would be considered one - in which case it should warn about being run as root which would put the other warnings in context if they aren't canceled by detecting root.
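The kind of specific diagnostic the report asks for, as an added example that is not part of the bug report and not gpg's own code: a small POSIX sh checker that walks the GnuPG home directory, its configuration files and the enclosing directory, and names the exact path and reason that would trip gpg's "unsafe ownership" / "unsafe permissions" warnings, including the sudo case where gpg runs as uid 0 but the files belong to the login user. The rule set is an assumption approximating gpg's check_permissions() (owner must be the effective uid; homedir must have no group/other access; config files and the enclosing directory must not be group/other writable); the script name gpg-permcheck.sh and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not gpg's own code): explain *which* GnuPG path would trigger
# "unsafe ownership" / "unsafe permissions" and why, so the warning can be fixed
# instead of silenced with --no-permission-warning.
# Assumed rules, approximating gpg's check_permissions():
#   - homedir, config files and the enclosing directory must be owned by the
#     effective uid running gpg (sudo is the usual reason they are not);
#   - the homedir must not be group- or world-accessible at all;
#   - config files and the enclosing directory must not be group/world writable.

# Print "<uid> <octal mode>" for a path (GNU stat, falling back to BSD stat).
stat_uid_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %OLp' "$1"
}

# True when an octal permission digit has the write bit (2) set.
digit_writable() {
    case "$1" in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# Report one problem on stdout; the caller counts them.
finding() { printf 'gpg-permcheck: %s\n' "$1"; }

# gnupg_perm_check [homedir]
#   Prints one explanatory line per problem; returns 1 if any, 0 if clean.
gnupg_perm_check() {
    home="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
    me="$(id -u)"
    problems=0

    if [ ! -d "$home" ]; then
        finding "homedir $home does not exist"
        return 1
    fi

    # 1. The homedir itself: ownership, then any group/other access bits.
    set -- $(stat_uid_mode "$home")
    if [ "$1" != "$me" ]; then
        if [ "$me" = 0 ]; then
            finding "gpg is running as root (sudo?) but $home is owned by uid $1: reported as unsafe ownership"
        else
            finding "$home is owned by uid $1, not by uid $me running gpg: unsafe ownership"
        fi
        problems=$((problems + 1))
    fi
    go=${2#${2%??}}                     # last two octal digits: group, other
    if [ "$go" != "00" ]; then
        finding "$home has mode $2; group/other must have no access (chmod 700 $home)"
        problems=$((problems + 1))
    fi

    # 2. Config files: ownership and group/other write bits.
    for f in gpg.conf gpg-agent.conf dirmngr.conf; do
        [ -e "$home/$f" ] || continue
        set -- $(stat_uid_mode "$home/$f")
        if [ "$1" != "$me" ]; then
            finding "$home/$f is owned by uid $1, not uid $me: unsafe ownership on configuration file"
            problems=$((problems + 1))
        fi
        go=${2#${2%??}}
        if digit_writable "${go%?}" || digit_writable "${go#?}"; then
            finding "$home/$f has mode $2; must not be group/other writable (chmod 600 $home/$f)"
            problems=$((problems + 1))
        fi
    done

    # 3. The enclosing directory: if others can write it, they can rename the homedir.
    parent="$(dirname "$home")"
    set -- $(stat_uid_mode "$parent")
    go=${2#${2%??}}
    if digit_writable "${go%?}" || digit_writable "${go#?}"; then
        finding "enclosing directory $parent has mode $2 and is group/other writable"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Run as a script: ./gpg-permcheck.sh [homedir]; when sourced, only the
# functions are defined.
case "$0" in *gpg-permcheck*) gnupg_perm_check "$@" ;; esac
```

Each finding names the path, the observed owner or mode, and the command that fixes it, which is the difference the report is asking for: a warning that can be traced back to its cause gets corrected rather than aliased away.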

Kees Cook (kees)
Changed in gnupg (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
security vulnerability: yes → no
visibility: private → public