cloudfoundry / apt-buildpack

MIT License
31 stars 48 forks

gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory #24

Closed adamwinn closed 4 years ago

adamwinn commented 4 years ago

What version of Cloud Foundry and CF CLI are you using? (i.e. What is the output of running cf curl /v2/info && cf version?)

{
   "name": "",
   "build": "",
   "support": "https://support.run.pivotal.io",
   "version": 0,
   "description": "Cloud Foundry sponsored by Pivotal",
   "authorization_endpoint": "https://login.run.pivotal.io",
   "token_endpoint": "https://uaa.run.pivotal.io",
   "min_cli_version": "6.22.0",
   "min_recommended_cli_version": "latest",
   "app_ssh_endpoint": "ssh.run.pivotal.io:2222",
   "app_ssh_host_key_fingerprint": "e7:13:4e:32:ee:39:62:df:54:41:d7:f7:8b:b2:a7:6b",
   "app_ssh_oauth_client": "ssh-proxy",
   "doppler_logging_endpoint": "wss://doppler.run.pivotal.io:443",
   "api_version": "2.142.0",
   "osbapi_version": "2.15",
   "routing_endpoint": "https://api.run.pivotal.io/routing",
   "user": "2e77339e-007e-4323-b086-dcbf38d8a7d5"
}
cf version 6.47.2+d526c2cb3.2019-11-05

What version of the buildpack you are using? Apt Buildpack version 0.2.1

If you were attempting to accomplish a task, what was it you were attempting to do? Run /home/vcap/deps/0/bin/gpg --import /home/vcap/app/xxx.asc

What did you expect to happen? gpg to not throw an error

What was the actual behavior? There was an error because gpg was looking for /usr/bin/gpg-agent instead of /home/vcap/deps/0/bin/gpg-agent

2019-11-19T00:34:33.805-07:00 [APP/PROC/WEB/0] [OUT] 07:34:33 php-app | command failed
2019-11-19T00:34:33.805-07:00 [APP/PROC/WEB/0] [OUT] 07:34:33 php-app | command = /home/vcap/deps/0/bin/gpg --import /home/vcap/app/xxx.asc
2019-11-19T00:34:33.806-07:00 [APP/PROC/WEB/0] [OUT] 07:34:33 php-app | Array
2019-11-19T00:34:33.806-07:00 [APP/PROC/WEB/0] [OUT] 07:34:33 php-app | (
2019-11-19T00:34:33.806-07:00 [APP/PROC/WEB/0] [OUT] 07:34:33 php-app | [0] => gpg: directory '/home/vcap/app/.gnupg' created
2019-11-19T00:34:33.806-07:00 [APP/PROC/WEB/0] [OUT] 07:34:33 php-app | [1] => gpg: keybox '/home/vcap/app/.gnupg/pubring.kbx' created
2019-11-19T00:34:33.806-07:00 [APP/PROC/WEB/0] [OUT] 07:34:33 php-app | [2] => gpg: /home/vcap/app/.gnupg/trustdb.gpg: trustdb created
2019-11-19T00:34:33.806-07:00 [APP/PROC/WEB/0] [OUT] 07:34:33 php-app | [3] => gpg: key xxx: public key "xxx <xxx@xxx.com>" imported
2019-11-19T00:34:33.806-07:00 [APP/PROC/WEB/0] [OUT] 07:34:33 php-app | [4] => gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory
2019-11-19T00:34:33.806-07:00 [APP/PROC/WEB/0] [OUT] 07:34:33 php-app | [5] => gpg: can't connect to the agent: No such file or directory
2019-11-19T00:34:33.806-07:00 [APP/PROC/WEB/0] [OUT] 07:34:33 php-app | [6] => gpg: Total number processed: 1
2019-11-19T00:34:33.806-07:00 [APP/PROC/WEB/0] [OUT] 07:34:33 php-app | [7] => gpg: imported: 1
2019-11-19T00:34:33.806-07:00 [APP/PROC/WEB/0] [OUT] 07:34:33 php-app | )

The error happens even if I run /home/vcap/deps/0/bin/gpg-agent --daemon before running the import command

apt.yml

---
packages:
- gpg
- gpg-agent

composer.json

{
    "minimum-stability": "stable",
    "require": {
        "guzzlehttp/guzzle": "*",
        "phpseclib/phpseclib": "*"
    },
    "scripts": {
        "post-root-package-install": [
            "/tmp/lifecycle/shell"
        ]
    }
}

manifest.yml

---
applications:
- name: xxx
  memory: 128M
  instances: 1
  path: .
  buildpacks:
    - https://github.com/cloudfoundry/apt-buildpack.git
    - php_buildpack
  health-check-type: none
  no-route: true
  disk_quota: 2G
  stack: cflinuxfs3

Please confirm where necessary:

cf-gitbot commented 4 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/169834560

The labels on this github issue will be updated when the story is started.

dfreilich commented 4 years ago

@adamwinn Thanks for the error report! Were you able to find a workaround? Would symlinking /home/vcap/deps/0/bin/gpg-agent to /usr/bin/gpg-agent prior to running gpg --import help?

@sclevine Have you ever seen anything similar with gpg?

adamwinn commented 4 years ago

@dfreilich I wasn't able to find a workaround. I started the /home/vcap/deps/0/bin/gpg-agent in daemon mode beforehand but it still wanted to call /usr/bin/gpg-agent. I'm pretty sure I tried to symlink /home/vcap/deps/0/bin/gpg-agent to /usr/bin/gpg-agent but I don't have permission since I'm the vcap user and not root.

adamwinn commented 4 years ago

Any update on this? I have clients waiting on a fix

zmackie commented 4 years ago

@adamwinn To set expectations a bit better: this buildpack is not really part of our officially supported work, as the behavior of apt is often too hard to reliably manage for all cases. We do a best effort to support it, but not generally at top priority. The team will do our best to get to this issue in a reasonable time, but it's not currently prioritized. We would certainly be open to a pull request, which would get things moving more quickly. I've been looking around docs for configuration and ideally you could find some way to configure the bindir. See:

vcap@ef70b70c-eedb-4537-790b-b3cd:~$ gpgconf --list-dirs
sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/x86_64-linux-gnu/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
socketdir:/tmp/uiux
dirmngr-socket:/tmp/uiux/S.dirmngr
agent-ssh-socket:/tmp/uiux/S.gpg-agent.ssh
agent-extra-socket:/tmp/uiux/S.gpg-agent.extra
agent-browser-socket:/tmp/uiux/S.gpg-agent.browser
agent-socket:/tmp/uiux/S.gpg-agent
homedir:/tmp/uiux

adamwinn commented 4 years ago

@Zanadar To set expectations a bit better: I was happily using gpg until I was forced to upgrade to cflinuxfs3, which has no gpg. That's not a very good user experience for people that depend on cf's buildpacks.

zmackie commented 4 years ago

@adamwinn I agree that upgrades here have been painful and for that I apologize. The forced nature of the upgrade really had to do with our upstream vendor stopping even the most basic patching of Ubuntu 14.04, the operating system fs2 was based on. But I ultimately agree that it was far from ideal; we try to make tradeoffs all the time between compatibility and security patching (when those two are in tension) and in the case of fs2 -> fs3, the tradeoff was overwhelmingly in the camp of doing the upgrade. But we don't have to litigate that here! I'm sorry it broke your apps.

zmackie commented 4 years ago

I've filed https://github.com/cloudfoundry/cflinuxfs3/issues/17 to explore whether we can rectify this incompatibility.

michalc commented 1 year ago

> I'm pretty sure I tried to symlink /home/vcap/deps/0/bin/gpg-agent to /usr/bin/gpg-agent but I don't have permission since I'm the vcap user and not root

In case anyone stumbles on this, I found that if you start gpg-agent manually before gpg, then gpg doesn't try to find the binary of gpg-agent at all, and it works around the whole issue.

I'm working in Python, and I needed a way to decrypt using a private key stored in a variable. This is my code that starts gpg-agent, imports the key into a temporary gpg keyring, and then decrypts the data using the private key.

import os
from subprocess import Popen, PIPE, run
from tempfile import TemporaryDirectory


def decrypt_gpg(gpg_private_key, cyphertext):
    # Use a throwaway GNUPGHOME instead of a temporary keyring file: since
    # GnuPG 2.1 secret keys are stored in private-keys-v1.d under the home
    # directory, not in the keyring, so a --keyring override alone would
    # leave the imported private key behind in ~/.gnupg after this returns.
    with TemporaryDirectory() as homedir:
        env = dict(os.environ, GNUPGHOME=homedir)
        gpg = ['gpg', '--batch', '--no-tty']

        # Starting the agent ourselves means gpg never tries to exec
        # /usr/bin/gpg-agent (its compiled-in bindir), which does not exist
        # under the apt buildpack. gpg-agent --daemon forks and the parent
        # returns as soon as the socket is listening.
        run(['gpg-agent', '--daemon'], env=env, check=True)
        try:
            with Popen(
                gpg + ['--import'],
                stdin=PIPE, stdout=PIPE, stderr=PIPE, env=env,
            ) as proc:
                stdout, stderr = proc.communicate(input=gpg_private_key)
                if proc.returncode != 0:
                    raise Exception(stderr.decode(errors='replace'))

            with Popen(
                gpg + ['--decrypt', '--skip-verify'],
                stdin=PIPE, stdout=PIPE, stderr=PIPE, env=env,
            ) as proc:
                plaintext, stderr = proc.communicate(input=cyphertext)
                if proc.returncode != 0:
                    raise Exception(stderr.decode(errors='replace'))
                return plaintext
        finally:
            # Stop the agent so the key material it caches does not outlive
            # this call and the temporary home directory can be removed.
            run(['gpgconf', '--kill', 'gpg-agent'], env=env)
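
The root cause in this thread is that gpg execs gpg-agent from the bindir that gpgconf reports (compiled in as /usr/bin), not from PATH, so the agent that apt-buildpack installs under /home/vcap/deps/0/bin is never found. The following is an added diagnostic example, not code posted by any participant here: it parses gpgconf --list-dirs output, reports whether the agent gpg will try to exec actually exists, and pre-starts the agent from PATH only when it does not. The embedded gpgconf output is copied from the listing earlier in the thread as a constructed offline sample; gpgconf_dirs() and ensure_agent() assume gpgconf and gpg-agent are on PATH when they are actually run.

```python
import os
import shutil
import subprocess

# gpgconf --list-dirs output as shown earlier in this thread, embedded here
# as a constructed sample so the parsing and the check can run offline.
SAMPLE_LIST_DIRS = """\
sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/x86_64-linux-gnu/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
socketdir:/tmp/uiux
dirmngr-socket:/tmp/uiux/S.dirmngr
agent-ssh-socket:/tmp/uiux/S.gpg-agent.ssh
agent-extra-socket:/tmp/uiux/S.gpg-agent.extra
agent-browser-socket:/tmp/uiux/S.gpg-agent.browser
agent-socket:/tmp/uiux/S.gpg-agent
homedir:/tmp/uiux
"""


def parse_list_dirs(text):
    """Turn the 'name:value' lines of gpgconf --list-dirs into a dict."""
    dirs = {}
    for line in text.splitlines():
        if ':' in line:
            name, value = line.split(':', 1)
            dirs[name.strip()] = value.strip()
    return dirs


def gpgconf_dirs(env=None):
    """Ask the installed gpgconf where gpg will look for its helpers."""
    out = subprocess.run(['gpgconf', '--list-dirs'], capture_output=True,
                         text=True, check=True, env=env).stdout
    return parse_list_dirs(out)


def agent_expected_path(dirs):
    """Path gpg will exec for the agent: bindir/gpg-agent, regardless of PATH."""
    return os.path.join(dirs['bindir'], 'gpg-agent')


def needs_prestart(dirs, exists=os.path.exists):
    """True when gpg's compiled-in agent binary is absent.

    In that situation gpg's auto-start fails with the 'failed to start agent'
    error from this thread, so the agent has to be started by other means.
    `exists` is injectable so the check can be exercised without a real fs.
    """
    return not exists(agent_expected_path(dirs))


def ensure_agent(env=None):
    """Pre-start gpg-agent from PATH when gpg cannot start it itself.

    Once an agent is listening on the agent-socket that gpgconf reports, gpg
    connects to it and never tries to exec bindir/gpg-agent. Returns True if
    an agent was started here, False if gpg can start one on its own.
    """
    dirs = gpgconf_dirs(env)
    if not needs_prestart(dirs):
        return False
    if shutil.which('gpg-agent', path=(env or os.environ).get('PATH')) is None:
        raise RuntimeError('gpg-agent is neither in %s nor on PATH'
                           % agent_expected_path(dirs))
    subprocess.run(['gpg-agent', '--daemon'], check=True, env=env)
    return True
```

Run ensure_agent() once at process start (with the same GNUPGHOME in env that the later gpg calls use); when it returns False the stack is healthy and no workaround is needed, when it returns True the apt-buildpack layout described in this thread is in effect and the agent is now running.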