freight-team / freight

A modern take on the Debian archive.

GPG signing fails with GnuPG 2.x #72

Closed mattock closed 7 years ago

mattock commented 7 years ago

Running freight-cache fails on Debian 9 which comes with GnuPG 2.1.18 installed:

$ freight-cache -c /etc/freight.conf
gpg: signing failed: Inappropriate ioctl for device
gpg: signing failed: Inappropriate ioctl for device
# [freight] couldn't sign the repository, perhaps you need to run
# [freight] gpg --gen-key and update the GPG setting in /etc/freight.conf
# [freight] (see freight(5) for more information)

When I run the same with "set -x" in /usr/bin/freight-cache the offending command-line is conveniently shown:

+ gpg -abs --use-agent -uuser@domain.com --batch --passphrase-fd 1 --passphrase-file /etc/freight.pass --personal-digest-preferences SHA512 -o/var/www/html/debian/repo/work.28782.fFKwq5V0mt/release_last_signature.gpg /var/www/html/debian/repo/dists/xenial-20170905111739900168706/Release
gpg: signing failed: Inappropriate ioctl for device
gpg: signing failed: Inappropriate ioctl for device

The problem seems to be that GnuPG 2.x by default requires gpg-agent and expects the user to enter the password via some pinentry mechanism (e.g. pinentry-curses, pinentry-gnome3). A fix / workaround is to append --pinentry-mode loopback to the gpg command-line in lib/freight/apt.sh. However, the --pinentry-mode parameter is unknown to GnuPG 1.x, so it would have to be added conditionally.

Another way to fix this would be to ensure that freight can actually use a running gpg-agent. In my case it does, except that it does not pop up any pinentry GUI. If I run an essentially identical command manually outside freight the pinentry GUI does show up:

$ gpg -abs --use-agent -uuser@domain.com --batch --passphrase-fd 1 --passphrase-file /etc/freight.pass --personal-digest-preferences SHA512 -otestfile.sig testfile

Once gpg-agent has cached the password entered via pinentry, freight-cache is able to use the cached credentials. So the only problem is that something in freight-cache / apt.sh prevents it from showing the pinentry prompt.

EDIT: fix a small typo.

mmoll commented 7 years ago

Could you run export GPG_TTY=$(tty) and test again in that shell env?

mattock commented 7 years ago

Indeed, that does the trick:

$ export GPG_TTY=$(tty)
$ freight-cache -c /etc/freight.conf

...and the pinentry screen pops up.

mattock commented 7 years ago

@mmoll : I guess this is something we should document, then. Shall I provide a documentation PR?

mmoll commented 7 years ago

Yes, please. At least if there's no possibility to handle this automatically (I didn't dig deeper on that).
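As an added example (not freight's own code, and not from either commenter), the following wrapper shows both remedies discussed in this thread: the conditional --pinentry-mode loopback flag from the first comment, which must be added only for GnuPG 2.x because 1.x rejects it, and the GPG_TTY export that resolved the issue. The key id, passphrase file and paths are placeholders, and the version-parsing and flag-building helpers are my own names, not part of freight or GnuPG.

```shell
#!/bin/sh
# Added example, not freight's own code: a small wrapper showing the two
# fixes discussed in this thread for unattended signing with GnuPG 2.x:
#   1. add --pinentry-mode loopback, but only when gpg is 2.x or newer,
#      because GnuPG 1.x does not know that option;
#   2. export GPG_TTY so a curses pinentry can still be shown when the
#      signer runs in an interactive terminal.
# All paths, the key id and the passphrase file below are placeholders.

# Parse the major version out of the first line of `gpg --version`,
# e.g. "gpg (GnuPG) 2.1.18" -> 2, "gpg (GnuPG) 1.4.20" -> 1.
parse_gpg_major() {
    printf '%s\n' "$1" | sed -n 's/^gpg ([^)]*) \([0-9][0-9]*\)\..*/\1/p'
}

# Major version of the gpg binary actually on PATH (fails if none).
installed_gpg_major() {
    command -v gpg >/dev/null 2>&1 || return 1
    parse_gpg_major "$(gpg --version 2>/dev/null | head -n 1)"
}

# Options that must only be passed to GnuPG 2.x: with --batch and a
# passphrase file, 2.x needs loopback pinentry to read the passphrase
# itself instead of asking gpg-agent to spawn a pinentry dialog.
pinentry_flags() {
    major=$1
    if [ "${major:-0}" -ge 2 ]; then
        printf '%s' '--pinentry-mode loopback'
    fi
}

# Tell gpg-agent which terminal to use for pinentry, if we have one.
# Without this, gpg 2.x run from a script reports
# "signing failed: Inappropriate ioctl for device".
export_gpg_tty() {
    if [ -t 0 ]; then
        GPG_TTY=$(tty) && export GPG_TTY
    fi
}

# Detached ASCII-armoured signature of a Release file.
#   $1 = key id, $2 = passphrase file (keep it mode 0600),
#   $3 = Release file, $4 = output signature path
sign_release() {
    key=$1; passfile=$2; release=$3; out=$4
    export_gpg_tty
    major=$(installed_gpg_major) || { echo "gpg not found" >&2; return 1; }
    # shellcheck disable=SC2046  # intentional word-splitting of the flags
    gpg -abs --batch -u "$key" --passphrase-file "$passfile" \
        $(pinentry_flags "$major") \
        --personal-digest-preferences SHA512 \
        -o "$out" "$release"
}

# Usage with placeholder values:
#   sh sign-release.sh sign user@domain.com /etc/freight.pass \
#       /var/www/html/debian/repo/dists/xenial/Release Release.gpg
case "${1:-}" in
    sign) shift; sign_release "$@" ;;
esac
```

The version check is done once up front so the same script works on a GnuPG 1.x host (where the loopback flag would be an "invalid option" error) and on Debian 9's 2.1.18; --use-agent from the original command line is omitted because GnuPG 2.x always talks to the agent anyway.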