GPG 2.4.7 locking problem
Max Allan
max.allan at chainguard.dev
Fri Nov 7 11:08:16 CET 2025
Hi,
I wanted to report this as a bug but it says I need to get permission to
raise bugs from a mailing list. So here I am.
When using GPG 2.4.7 or 2.4.8 in a Docker build process to add a key, the
gpg command will start keyboxd and gpg-agent. And keyboxd creates a lock
file. (I tried going back to a 2.2 version and it works without creating a
keyboxd or a lockfile.)
When those processes are killed the lock file remains, EVEN if you ran the
import with "--lock-never".
When the image is used, any gpg commands will fail because the hostname is
different and there is no longer a process 8.
You can see this problem without Docker:
/ # ps -ef
PID USER TIME COMMAND
1 root 0:00 /bin/sh
41 root 0:00 ps -ef
/ # ls -l ~/.gnupg
ls: /root/.gnupg: No such file or directory
/ # gpg --import --lock-never me.gpg
gpg: directory '/root/.gnupg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key CECCAAB88A9758B4: public key "argo <argo at example.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
/ # ls -l ~/.gnupg/public-keys.d/pubring.db.lock
-rw-r--r-- 2 root root 24 Nov 7 09:56 /root/.gnupg/public-keys.d/pubring.db.lock
/ # ps -ef
PID USER TIME COMMAND
1 root 0:00 /bin/sh
45 root 0:00 keyboxd --homedir /root/.gnupg --daemon
49 root 0:00 gpg-agent --homedir /root/.gnupg --use-standard-socket --daemon
53 root 0:00 ps -ef
/ # kill -9 45 49
/ # ls -l ~/.gnupg/public-keys.d/pubring.db.lock
-rw-r--r-- 2 root root 24 Nov 7 09:56 /root/.gnupg/public-keys.d/pubring.db.lock
If you were in an "image build" process the keyboxd and gpg-agent processes
would be killed. And they don't remove the lockfile. And when the image is
used the hostname could be anything so it can't break the lock.
This feels like 2 bugs to me.
First: --lock-never still creates a lock.
Second: Terminating the processes (without using gpgconf) does not remove the
unwanted lockfile.
I did ask on Stackoverflow with a full example in Alpine, but didn't get
any responses yet.
https://stackoverflow.com/questions/79811273/using-gpg-in-docker-build-step-is-there-an-easier-way-or-option-to-autokill-the/79811281#79811281
Thanks,
Max
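As an added example (not part of Max's post and not GnuPG's own code), the following POSIX shell helpers show how a build step can tell whether a leftover pubring.db.lock is stale and clean up after a key import. They assume GnuPG's dotlock layout of a 10-character right-aligned PID, a newline, the hostname and a newline (which is consistent with the 24-byte file in the listing above: 11 bytes of PID line plus a 12-character container hostname and newline). A lock whose hostname is not the current host is treated as stale; that is appropriate inside an image that is being built, but GnuPG itself refuses to make that call because on a shared (e.g. NFS) home the owning process may still be alive on another machine. `gpgconf --kill all` is GnuPG's supported way to stop keyboxd and gpg-agent so they release their locks themselves; the sweep afterwards only catches what a hard kill left behind. The hostname `buildhost000` used in the test is constructed.

```shell
#!/bin/sh
# Added example: inspect GnuPG dotlock files and clean up after a key import
# inside an image build. Assumed lock layout: "%10d\n%s\n" (PID, hostname).

# Print "stale", "held" or "unreadable" for one lock file.
# A lock is "stale" when its hostname is not ours (assumption: nobody on another
# host holds a lock in an image under construction) or when its PID is gone.
# kill -0 needs permission to signal the PID; in a build this runs as root.
gnupg_lock_state() {
    lockfile=$1
    [ -r "$lockfile" ] || { echo unreadable; return 1; }
    lock_pid=$(head -n 1 "$lockfile" | tr -d ' ')
    lock_host=$(sed -n '2p' "$lockfile")
    case $lock_pid in
        ''|*[!0-9]*) echo unreadable; return 1 ;;
    esac
    if [ "$lock_host" != "$(uname -n)" ]; then
        echo stale
        return 0
    fi
    if kill -0 "$lock_pid" 2>/dev/null; then
        echo held
        return 0
    fi
    echo stale
}

# Remove every stale *.lock below a GnuPG home directory; print how many were removed.
gnupg_remove_stale_locks() {
    homedir=${1:-$HOME/.gnupg}
    removed=0
    for f in $(find "$homedir" -name '*.lock' 2>/dev/null); do
        if [ "$(gnupg_lock_state "$f")" = stale ]; then
            rm -f "$f"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Build-step wrapper (hypothetical name): import a key, stop the daemons the
# supported way so keyboxd releases its own lock, then sweep leftovers.
# Usage: gnupg_import_in_build me.gpg
gnupg_import_in_build() {
    keyfile=$1
    gpg --batch --import "$keyfile" || return 1
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill all
    fi
    gnupg_remove_stale_locks "${GNUPGHOME:-$HOME/.gnupg}"
}
```

Running the import through `gnupg_import_in_build` in the Dockerfile RUN step, rather than letting the build runtime kill keyboxd and gpg-agent at the end of the layer, avoids the stuck lock in the first place; the sweep is the fallback for images that were already built that way.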