vmware-archive / salt-pack

Salt Package Builder
Apache License 2.0

gpg-agent on clean Debian 9.5 not functioning, issue with Standard Socket availability if root on AWS #611

Closed dmurphy18 closed 5 years ago

dmurphy18 commented 5 years ago

Was able to duplicate on VirtualBox with clean install of Debian 9.5. Note a clean install of Debian 9.2 did not show the same issue, even after upgrade to 9.5.

Tried to upload and install the VirtualBox Raw Image for Debian 9.2 but it failed as follows:

```
david@david-XPS-15-9530:~/isos/debian/deb92_ova$ aws ec2 describe-import-image-tasks
{
    "ImportImageTasks": [
        {
            "Description": "Debian 9.2 AMD64 Raw Image",
            "ImportTaskId": "import-ami-084a939fa7f50ff32",
            "LicenseType": "BYOL",
            "SnapshotDetails": [
                {
                    "Description": "Debian 9.2 AMD64 Raw Image",
                    "DiskImageSize": 32212254720.0,
                    "Format": "RAW",
                    "Status": "completed",
                    "UserBucket": {
                        "S3Bucket": "dgm-gen-bkt",
                        "S3Key": "deb921t.raw"
                    }
                }
            ],
            "Status": "deleting",
            "StatusMessage": "ClientError: Unsupported kernel version 4.9.0-4-amd64"
        }
    ]
}
david@david-XPS-15-9530:~/isos/debian/deb92_ova$
```

dmurphy18 commented 5 years ago

Attempted using AMI images for Debian 9.0 and 9.1 but suffered the same issue:

non-root:

```
admin@ip-10-27-41-150:~$ gpg-agent --homedir ~/.gnupg --allow-preset-passphrase --max-cache-ttl 300 -vvvv --daemon
gpg-agent[632]: directory '/home/admin/.gnupg' created
gpg-agent[632]: directory '/home/admin/.gnupg/private-keys-v1.d' created
gpg-agent: a gpg-agent is already running - not starting a new one
admin@ip-10-27-41-150:~$ ps -ef | grep -v grep | grep gpg-agent
admin 633 608 0 21:37 ? 00:00:00 /usr/bin/gpg-agent --supervised
```

root:

```
root@ip-10-27-41-150:/home/admin# gpg-agent --homedir ~/.gnupg --allow-preset-passphrase --max-cache-ttl 300 -vvvv --daemon
gpg-agent[646]: directory '/root/.gnupg' created
gpg-agent[646]: directory '/root/.gnupg/private-keys-v1.d' created
gpg-agent[646]: listening on socket '/root/.gnupg/S.gpg-agent'
gpg-agent[646]: listening on socket '/root/.gnupg/S.gpg-agent.extra'
gpg-agent[646]: listening on socket '/root/.gnupg/S.gpg-agent.browser'
gpg-agent[646]: listening on socket '/root/.gnupg/S.gpg-agent.ssh'
root@ip-10-27-41-150:/home/admin# gpg-agent[647]: gpg-agent (GnuPG) 2.1.18 started

root@ip-10-27-41-150:/home/admin# ps -ef | grep -v grep | grep gpg-agent
root 647 1 0 21:37 ? 00:00:00 gpg-agent --homedir /root/.gnupg --allow-preset-passphrase --max-cache-ttl 300 -vvvv --daemon
```

Signing doesn't work since the gpg-agent is not accessible from the Standard Socket which appears to fail when root launches gpg-agent.

Given that Debian 9.5 and now 9.6 show this issue, I can but assume that this will be an issue with the forthcoming Buster (Debian 10) point release, and hence need to develop non-root gpg-agent/signing at a minimum, and full non-root building if possible.
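
A small classifier for the two `gpg-agent --daemon -vvvv` outcomes shown in this thread, added here as an example and not part of the issue or of salt-pack. The function names and the expected-socket argument are hypothetical; the sample logs are copied from the sessions above, and the `/run/user/...` paths used with them are constructed inputs.

```shell
#!/bin/sh
# Added example: classify the stderr of `gpg-agent --daemon -vvvv` so a build
# script can tell "reused an existing agent" from "started on another socket".

# Print the main agent socket the new agent reports listening on, if any.
# Matches only ".../S.gpg-agent'", not the .extra/.browser/.ssh sockets.
listening_socket() {
    sed -n "s|.*listening on socket '\(.*/S\.gpg-agent\)'.*|\1|p" | head -n 1
}

# classify_agent_start EXPECTED_SOCKET   (agent log is read from stdin)
# EXPECTED_SOCKET is the path the signing client will try to connect to.
classify_agent_start() {
    expected=$1
    log=$(cat)
    case $log in
        *"a gpg-agent is already running"*)
            echo "reused-existing"; return 0 ;;
    esac
    sock=$(printf '%s\n' "$log" | listening_socket)
    if [ -z "$sock" ]; then
        echo "no-socket"
    elif [ "$sock" = "$expected" ]; then
        echo "standard-socket"
    else
        echo "nonstandard-socket:$sock"
    fi
}

# Sample logs copied from the non-root and root sessions in this thread.
ADMIN_LOG="gpg-agent[632]: directory '/home/admin/.gnupg' created
gpg-agent: a gpg-agent is already running - not starting a new one"

ROOT_LOG="gpg-agent[646]: directory '/root/.gnupg' created
gpg-agent[646]: listening on socket '/root/.gnupg/S.gpg-agent'
gpg-agent[646]: listening on socket '/root/.gnupg/S.gpg-agent.extra'
gpg-agent[646]: listening on socket '/root/.gnupg/S.gpg-agent.browser'
gpg-agent[646]: listening on socket '/root/.gnupg/S.gpg-agent.ssh'"

# Constructed expected path for the root case (an assumed input, not from the page).
printf '%s\n' "$ROOT_LOG" | classify_agent_start /run/user/0/gnupg/S.gpg-agent
```

On a live host the expected path can be taken from the `agent-socket` entry printed by `gpgconf --list-dirs`.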