Open agconti opened 3 years ago
I'm having the same issue after re-importing my secret key.
@agconti I was working on something similar today, and I got it to work. A few ideas that might help:
--verbose
when you restart gpg-agent, that gave me a few extra hints that helped with debugginggpg-connect-agent "PRESET_PASSPHRASE...
I used gpg-preset-passphrase. Some extra benefits to using it are that you can pipe the passphrase in stdin, and that you don't have to convert it to hex.echo "GET_PASSPHRASE --no-ask $GPG_KEYGRIP a a a" | gpg-connect-agent
to confirm that the passphrase was cached after presetting it.@somesocks thanks for the tips, I'll try them! 💖
Summary
I'm trying to unlock my repository but git-crypt fails because it believes there's no secret key. However,
gpg -K
shows my secret key is there.The error I'm getting:
Questions:
Background
I'm trying to unlock my repository in our CI pipeline. The script below installs git-crypt and gpg, before configuring itself for an unattended lock. You can use it to reproduce this issue. You can also verify from the included logs of the script running that the keys were successfully imported and found on the gpg key chain before the unlock fails.
Script to reproduce
```bash #!/usr/bin/env bash # https://medium.com/@ahmed.kamel/git-crypt-unattended-unlock-with-gpg-passphrase-in-docker-f0aa39b85a # # Expected env vars: # GPG_PUBLIC_KEY: the gpg public key # GPG_SECRET_KEY: the gpg secret key # GPG_PASSPHRASE: the gpg key's passphrase # GPG_KEY_FINGERPRINT: the gpg key's fingerprint. # GPG_KEYGRIP: the key's keygrip. set -eo pipefail export GPG_TTY=$(tty) # 1. Install dependencies. (gpg/git-crypt) WORKING_DIR=${PWD##*/} sudo su echo "🤖: Installing git-crypt" cd .. mkdir tmp cd tmp git clone https://github.com/AGWA/git-crypt.git cd git-crypt echo "🤖: making" sudo make echo "🤖: make install" sudo make install PREFIX=/usr/local cd ../../$WORKING_DIR # Install gnupg and gnupg-agent, gnupg-agent is used to keep and # release the passphrase to git-crypt when the time comes echo "🤖: apt-get update" sudo apt-get update echo "🤖: apt-get install -y gnupg" sudo apt-get install -y gnupg echo "🤖: apt-get install -y gnupg-agent" sudo apt-get install -y gnupg-agent # 2. import the key into the gpg keyring # https://discuss.circleci.com/t/gpg-keys-as-environment-variables/28641/4 # https://discuss.circleci.com/t/error-sending-to-agent-inappropriate-ioctl-for-device/17465/6 echo "🤖: Importing public key." echo -e "${GPG_PUBLIC_KEY}" | gpg --import --no-tty --batch --yes echo "🤖: Importing secret key." echo -e "${GPG_SECRET_KEY}" | gpg --import --no-tty --batch --yes echo "🤖: Trusting key" FPR=`gpg --with-colons --fingerprint $GPG_KEY_FINGERPRINT | awk -F: '$1 == "fpr" {print$10; exit}'` # replace trust level with ultimate echo "FPR" echo $FPR gpg --with-colons --fingerprint $GPG_KEY_FINGERPRINT gpg --export-ownertrust && echo $FPR:6: | gpg --import-ownertrust # 3. Setup GPG for automated remove # Adapted from: https://medium.com/@ahmed.kamel/git-crypt-unattended-unlock-with-gpg-passphrase-in-docker-f0aa39b85a echo "Configuring git-crypt for automated unlock..." gpgconf --kill gpg-agent eval `gpg-agent --daemon --allow-preset-passphrase` GPG_PASSPHRASE_HEX=`echo -n "$GPG_PASSPHRASE" | od -A n -t x1 | sed 's/ *//g'` gpg-connect-agent "PRESET_PASSPHRASE $GPG_KEYGRIP -1 $GPG_PASSPHRASE_HEX" /bye # 4. Unlock echo "🤖: listing keys" gpg --list-keys gpg --list-secret-keys gpg --export-ownertrust echo "🤖: Unlocking" git-crypt unlock ``` cc: #94, #182 - here's an example of how I'm doing an unattended unlock.Script output
```bash 🤖: Installing git-crypt Cloning into 'git-crypt'... 🤖: making g++ -Wall -pedantic -Wno-long-long -O2 -std=c++11 -c -o git-crypt.o git-crypt.cpp g++ -Wall -pedantic -Wno-long-long -O2 -std=c++11 -c -o commands.o commands.cpp g++ -Wall -pedantic -Wno-long-long -O2 -std=c++11 -c -o crypto.o crypto.cpp g++ -Wall -pedantic -Wno-long-long -O2 -std=c++11 -c -o gpg.o gpg.cpp g++ -Wall -pedantic -Wno-long-long -O2 -std=c++11 -c -o key.o key.cpp g++ -Wall -pedantic -Wno-long-long -O2 -std=c++11 -c -o util.o util.cpp g++ -Wall -pedantic -Wno-long-long -O2 -std=c++11 -c -o parse_options.o parse_options.cpp g++ -Wall -pedantic -Wno-long-long -O2 -std=c++11 -c -o coprocess.o coprocess.cpp g++ -Wall -pedantic -Wno-long-long -O2 -std=c++11 -c -o fhstream.o fhstream.cpp g++ -Wall -pedantic -Wno-long-long -O2 -std=c++11 -c -o crypto-openssl-10.o crypto-openssl-10.cpp g++ -Wall -pedantic -Wno-long-long -O2 -std=c++11 -c -o crypto-openssl-11.o crypto-openssl-11.cpp g++ -Wall -pedantic -Wno-long-long -O2 -std=c++11 -o git-crypt git-crypt.o commands.o crypto.o gpg.o key.o util.o parse_options.o coprocess.o fhstream.o crypto-openssl-10.o crypto-openssl-11.o -lcrypto 🤖: make install install -d /usr/local/bin install -m 755 git-crypt /usr/local/bin/ 🤖: apt-get update Hit:1 http://azure.archive.ubuntu.com/ubuntu focal InRelease Get:2 http://azure.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB] Get:3 http://azure.archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB] Get:4 https://packages.microsoft.com/ubuntu/20.04/prod focal InRelease [10.5 kB] Get:5 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB] Get:6 http://azure.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1033 kB] Hit:7 http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal InRelease Get:8 http://azure.archive.ubuntu.com/ubuntu focal-updates/main Translation-en [230 kB] Get:9 http://azure.archive.ubuntu.com/ubuntu focal-updates/main amd64 c-n-f Metadata [13.5 kB] Get:10 http://azure.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [785 kB] Get:11 http://azure.archive.ubuntu.com/ubuntu focal-updates/universe Translation-en [171 kB] Get:12 http://azure.archive.ubuntu.com/ubuntu focal-updates/universe amd64 c-n-f Metadata [17.7 kB] Get:13 http://azure.archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [23.6 kB] Get:14 http://azure.archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 c-n-f Metadata [648 B] Get:15 https://packages.microsoft.com/ubuntu/20.04/prod focal/main amd64 Packages [78.2 kB] Get:16 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [708 kB] Get:17 http://security.ubuntu.com/ubuntu focal-security/main Translation-en [142 kB] Get:18 http://security.ubuntu.com/ubuntu focal-security/main amd64 c-n-f Metadata [7900 B] Get:19 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [590 kB] Get:20 http://security.ubuntu.com/ubuntu focal-security/universe Translation-en [95.7 kB] Get:21 http://security.ubuntu.com/ubuntu focal-security/universe amd64 c-n-f Metadata [11.6 kB] Fetched 4246 kB in 1s (4213 kB/s) Reading package lists... 🤖: apt-get install -y gnupg Reading package lists... Building dependency tree... Reading state information... gnupg is already the newest version (2.2.19-3ubuntu2.1). 0 upgraded, 0 newly installed, 0 to remove and 46 not upgraded. 🤖: apt-get install -y gnupg-agent Reading package lists... Building dependency tree... Reading state information... The following NEW packages will be installed: gnupg-agent 0 upgraded, 1 newly installed, 0 to remove and 46 not upgraded. Need to get 5232 B of archives. After this operation, 46.1 kB of additional disk space will be used. Get:1 http://azure.archive.ubuntu.com/ubuntu focal-updates/universe amd64 gnupg-agent all 2.2.19-3ubuntu2.1 [5232 B] Fetched 5232 B in 0s (307 kB/s) Selecting previously unselected package gnupg-agent. (Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 257522 files and directories currently installed.) Preparing to unpack .../gnupg-agent_2.2.19-3ubuntu2.1_all.deb ... Unpacking gnupg-agent (2.2.19-3ubuntu2.1) ... Setting up gnupg-agent (2.2.19-3ubuntu2.1) ... 🤖: Importing public key. gpg: directory '/home/runner/.gnupg' created gpg: keybox '/home/runner/.gnupg/pubring.kbx' created gpg: /home/runner/.gnupg/trustdb.gpg: trustdb created gpg: key E87A5B406112EA99: public key "Firstname Lastname