gpg-agent and rpm --addsign
Brian Long
2004-01-10 00:51:34 UTC
Hello,

I would like to use gpg-agent to be able to automate signing of RPMs.
Has anyone successfully accomplished this?

My .rpmmacros has this:
%_signature gpg
%_gpg_name <My GPG Key Name>
%_gpg_path <Path to my special .gnupg directory>

If I start gpg-agent --daemon and save that info to .gpg-agent-info, I
want to read that file in a cron job and use the gpg-agent to sign an
auto-created RPM.

I can run rpm --addsign /path/to/rpm and manually enter the passphrase
without problems. I want that passphrase "cached" in gpg-agent so a
cron job can do this.

Any ideas would be appreciated.

/Brian/
--
Brian Long | | |
Americas IT Hosting Sys Admin | .|||. .|||.
Cisco Linux Developer | ..:|||||||:...:|||||||:..
Phone: (919) 392-7363 | C i s c o S y s t e m s
Werner Koch
2004-01-11 20:47:17 UTC
Post by Brian Long
If I start gpg-agent --daemon and save that info to .gpg-agent-info, I
want to read that file in a cron job and use the gpg-agent to sign an
auto-created RPM.
You need to make sure that the environment variable GPG_AGENT_INFO is
set correctly or its contents passed via the option --gpg-agent-info.
gpg does not know about a .gpg-agent-info file.
--
Werner Koch <***@gnupg.org>
The GnuPG Experts http://g10code.com
Free Software Foundation Europe http://fsfeurope.org
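An added example (not code from this thread or from GnuPG) of the step Werner describes: a helper a root cron job can source to read the string the init script saved to /root/.gpg-agent-info, check that the agent it names is still there, and export it as GPG_AGENT_INFO before calling gpg. It assumes the file holds exactly what gpg-agent --daemon printed, <socket path>:<agent pid>:<protocol version>, the format gpg 1.x used to locate the agent.

```shell
#!/bin/sh
# Added example: cron-side loader for the gpg-agent info file written by an init
# script. Assumed file content: /tmp/gpg-XXXXXX/S.gpg-agent:<pid>:1 (constructed).

# Print the socket path field of an agent-info string.
agent_info_socket() {
    printf '%s\n' "${1%%:*}"
}

# Print the pid field of an agent-info string.
agent_info_pid() {
    rest="${1#*:}"
    printf '%s\n' "${rest%%:*}"
}

# Print the protocol-version field (the trailing "1").
agent_info_proto() {
    printf '%s\n' "${1##*:}"
}

# load_agent_info [FILE]
# Reads FILE (default /root/.gpg-agent-info), validates the three fields, checks
# that the socket still exists and the agent pid is still alive, then exports
# GPG_AGENT_INFO. Returns 1 without exporting anything if any check fails, so the
# cron job can bail out instead of hanging on a pinentry prompt it cannot answer.
load_agent_info() {
    file="${1:-/root/.gpg-agent-info}"
    [ -r "$file" ] || return 1
    info=$(head -n 1 "$file")
    info="${info#GPG_AGENT_INFO=}"; info="${info%%;*}"   # tolerate eval-style output
    sock=$(agent_info_socket "$info")
    pid=$(agent_info_pid "$info")
    proto=$(agent_info_proto "$info")
    [ -n "$sock" ] && [ "$proto" = 1 ] || return 1
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    [ -S "$sock" ] || return 1               # socket gone: agent restarted or /tmp cleaned
    kill -0 "$pid" 2>/dev/null || return 1   # stale pid: agent died
    GPG_AGENT_INFO="$info"
    export GPG_AGENT_INFO
}

# Typical cron use: refuse to run the signing step unless the agent is reachable.
# load_agent_info || { echo "gpg-agent not available" >&2; exit 1; }
# gpg --use-agent --homedir /path/to/.gnupg --clearsign /path/to/file
```

The cron job still has no tty, so the agent must already hold the passphrase from an interactive session; the loader only prevents the job from stalling when it does not.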
Brian Long
2004-01-12 21:51:03 UTC
Werner,

Thanks for your response. I've tried following other threads in this
mailing list to no avail. I have an init script start gpg-agent
--daemon as root and save the .gpg-agent-info to /root. I then want
root cron jobs to set GPG_AGENT_INFO per this file and talk to the
agent. It has not been successful.

A portion of my init script:
eval `gpg-agent -v -v -v -v -v --daemon --log-file /var/log/gpg-agent 2>/dev/null`
if [ -n "$GPG_AGENT_INFO" ]; then
    echo "$GPG_AGENT_INFO" > /root/.gpg-agent-info
    RETVAL=0
else
    echo "Unable to set \$GPG_AGENT_INFO."
    RETVAL=1
fi

When I run a simple gpg --clearsign on a file, it complains it cannot
talk to the agent (and the /var/log/gpg-agent sees the connection).

[***@oxiclean root]# gpg --use-agent --gpg-agent-info /tmp/gpg-QI764C/S.gpg-agent:26216:1 --homedir /path/to/.gnupg --clearsign /tmp/blah

You need a passphrase to unlock the secret key for
user: "<MY USER>"
1024-bit DSA key, ID 665B9872, created 2003-12-08

gpg: cancelled by user
gpg: no default secret key: bad passphrase
gpg: /tmp/blah: clearsign failed: bad passphrase

gpg-agent log:
-------------
2004-01-12 06:45:21 gpg-agent[26216] handler for fd 2 started
2004-01-12 06:45:21 gpg-agent[26216] starting a new PIN Entry
2004-01-12 06:45:21 gpg-agent[26216] command get_passphrase failed: canceled
2004-01-12 06:45:21 gpg-agent[26216] handler for fd 2 terminated
2004-01-12 06:45:21 gpg-agent[26216] handler for fd 2 started
2004-01-12 06:45:21 gpg-agent[26216] handler for fd 2 terminated

The above is using pinentry-curses. When I try pinentry-gtk (with
DISPLAY=""), I get the following in gpg:
gpg: problem with the agent - disabling agent use

And gpg-agent log:
2004-01-12 06:48:13 gpg-agent[26216] handler for fd 2 started
2004-01-12 06:48:13 gpg-agent[26216] handler for fd 2 terminated

When I go back to pinentry-curses and set GPG_TTY properly, it works the
same as pinentry-gtk (worse).

I'm running pinentry-0.6.8-0.fdr.1.rh73 from the
http://kde-redhat.sf.net project.

Thanks for any additional thoughts on how I can get this working.

/Brian/
Brian Long
2004-01-19 21:28:39 UTC
FYI for anyone else who cares. I found out rpm --addsign actually
prompts for your password and then passes it to gpg. This means I
cannot use gpg-agent to automatically sign RPMs because rpm is not
gpg-agent aware. :(

Oh well.

/Brian/