mojohaus / rpm-maven-plugin

http://www.mojohaus.org/rpm-maven-plugin/

rpm signing is broken with gpg-agent 2.1 #44

Closed danielmitterdorfer closed 6 years ago

danielmitterdorfer commented 8 years ago

Problem Description

We have spotted Jenkins build failures when signing RPM packages on systems with gpg-agent 2.1+ (i.e. Fedora 22 and Fedora 23). Here is the relevant part of the build output:

[INFO] spawn rpm --define _gpg_name 16E55242 --define _gpg_path /tmp/shortGpg --addsign elasticsearch-2.3.0-SNAPSHOT20160314103051.noarch.rpm
[INFO] elasticsearch-2.3.0-SNAPSHOT20160314103051.noarch.rpm:
[INFO] gpg: WARNING: unsafe permissions on homedir '/tmp/shortGpg'
[INFO] gpg: starting migration from earlier GnuPG versions
[INFO] gpg: porting secret keys from '/tmp/shortGpg/secring.gpg' to gpg-agent
[INFO] gpg: key 16E55242: secret key imported
[INFO] gpg: migration succeeded
[INFO] gpg: signing failed: Line passed to IPC too long
[INFO] gpg: signing failed: Line passed to IPC too long
[INFO] error: gpg exec failed (2)
[WARNING] send: spawn id exp5 not open
[WARNING]     while executing
[WARNING] "send -- "dummy
[WARNING] ""

(for all details, please see the build logs).

If I run this command manually on Fedora 22:

rpm --define "_gpg_name 16E55242" --define "_gpg_path /tmp/shortGpg" --addsign elasticsearch-2.3.0-SNAPSHOT20160314103051.noarch.rpm

I can see an ncurses-based password prompt. gpg provides a helper program called pinentry to change the appearance of the password prompt but only ncurses, Qt and GTK are supported. So with pinentry it is not possible to get the old password prompt.

However, we can add two config options:

gpg-agent.conf:

allow-loopback-pinentry

gpg.conf:

pinentry-mode loopback

Now we're at least able to get the password prompt again. However, RPMSigner expects the output "Pass phrase is good." which is not shown anymore in newer gpg-agent versions (in gpg-agent version 2.1+, the invoking rpm command exits either with exit code 0 on success or a non-zero exit code if the password was incorrect).

Environment information

# Fedora 21 (working):
[vagrant@localhost]$ gpg-agent --version
gpg-agent (GnuPG) 2.0.29
libgcrypt 1.6.3

# Fedora 22 (broken):
[vagrant@localhost ~]$ gpg-agent --version
gpg-agent (GnuPG) 2.1.9
libgcrypt 1.6.3

Tested with rpm-maven-plugin version 2.1.3 and 2.1.5.

I think it boils down to modifying the expect script in RPMSigner but I don't see an easy option to support multiple versions of gpg. Another option seems to be to use gpg-preset-passphrase to set the passphrase in gpg-agent before it is used.
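The version-dependent behaviour described in this report, as an added example that is not part of rpm-maven-plugin or the author's code: shell helpers (hypothetical names) that detect the GnuPG version, write the two loopback-pinentry options into a GnuPG home directory, and judge a signing run by the "Pass phrase is good." line before 2.1 and by the exit code from 2.1 on.

```shell
# Added example, not part of rpm-maven-plugin: helper functions (hypothetical
# names) that pick the right success check for "rpm --addsign" by GnuPG version.

# Extract "major.minor" from the first line of `gpg-agent --version` output,
# e.g. "gpg-agent (GnuPG) 2.1.9" -> "2.1".
gpg_version_from_output() {
    printf '%s\n' "$1" |
        sed -n '1s/^gpg-agent (GnuPG) \([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1.\2/p'
}

# True (exit 0) when the "major.minor" version is 2.1 or newer: gpg-agent then
# owns the secret keys and must be driven through loopback pinentry.
needs_loopback_pinentry() {
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }
}

# Write the two options from the issue into a GnuPG home directory so the
# passphrase is read from the caller instead of an ncurses pinentry.
# The directory is created 0700 to avoid the "unsafe permissions on homedir"
# warning seen in the build log.
configure_loopback_pinentry() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    printf 'allow-loopback-pinentry\n' >> "$1/gpg-agent.conf"
    printf 'pinentry-mode loopback\n'  >> "$1/gpg.conf"
}

# Judge a signing run: $1 gpg version ("major.minor"), $2 rpm exit code,
# $3 captured output. Before 2.1 the output contains "Pass phrase is good."
# on success; from 2.1 on that line is gone and only the exit code counts.
signing_succeeded() {
    if needs_loopback_pinentry "$1"; then
        [ "$2" -eq 0 ]
    else
        printf '%s\n' "$3" | grep -q 'Pass phrase is good\.'
    fi
}
```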

lpenet commented 7 years ago

rpm 4.12 is getting mainstream... It is even in Debian. We should really go forward with a patch for the next version.

I created a pull request for this: https://github.com/mojohaus/rpm-maven-plugin/pull/78

dantran commented 6 years ago

fixed by #78