Will gpg 1.x remain supported for the foreseeable future?
Dan Kegel
dank at kegel.com
Sun Jan 21 00:40:19 CET 2018
On Thu, Jan 18, 2018 at 7:58 PM, Dan Kegel <dank at kegel.com> wrote:
>> The keys referred to via signed-by are the only acceptable keys for the
>> associated apt repo.
>>
>> does that make sense?
>
> That'd be great if it worked. Since it's hard to explain what's broken
> without a simple script showing exactly what I'm doing, let's just
> hold that thought until I post one.
I spent a little while cleaning up my script and found the problem, whew!
Here's part of the log:
+ gpg2 -q --pinentry-mode loopback --passphrase
--personal-digest-preferences SHA256 --gen-key gpg.in.tmp
+ gpg2 --armor --export temp-repo at example.com
...
+ sudo GNUPGHOME=/tmp/obs_localbuild_gpghome_dank.tmp
APT_CONFIG=/home/dank/src/obs/foo.tmp/etc/apt.conf apt-get update
...
Preparing to exec: /usr/bin/apt-key --quiet --readonly --keyring
/tmp/obs_localbuild_keyrings_dank.tmp/keyrings/localhost.gpg verify
--status-fd 3 /tmp/apt.sig.nD3tum /tmp/apt.data.OVJLiX
Read: [GNUPG:] ERRSIG 505A301EE37484C6 1 8 01 1516484740 9
Got ERRSIG
Read: [GNUPG:] NO_PUBKEY 505A301EE37484C6
Even with apt debug logging on, that wasn't enough to make the problem
obvious. I had to add
exec 2> /tmp/apt-key.log.$$
set -x
to the top of /usr/bin/apt-key. Grepping for that key in /tmp/apt-key*, I found
+ gpgv --homedir /tmp/tmp.oM7RZ707db --keyring
/tmp/obs_localbuild_keyrings_dank.tmp/keyrings/localhost.gpg
--ignore-time-conflict --status-fd 3 /tmp/apt.sig.nD3tum
/tmp/apt.data.OVJLiX
gpgv: Signature made Sat Jan 20 13:45:40 2018 PST using RSA key ID E37484C6
gpgv: [don't know]: invalid packet (ctb=2d)
gpgv: keydb_search failed: invalid packet
gpgv: Can't check signature: public key not found
Well, well. That 'invalid packet' appears to be a telltale sign of
using --armor where one shouldn't, and looking at my first log, you
can see a --armor. Removing it made everything happy.
So this was a case of a) dumb user and b) poor diagnostics from apt.
Also, now that I've ripped out all gpg1 support from my script, I
realize that gpg-agent is nearly well behaved.
Only possible rough spots I ran into were:
- having to enable pinentry (ubuntu 16.04's gpg is old)
- not knowing a clean way to tidy up an old gnupghome and its agent
without hanging if the agent is missing
- the gpg man page says --dearmor isn't very useful. I beg to differ :-)
- might save time and anguish if apt-key (and thus gpg[v]?) accepted
armored keyrings even if filename ends in .gpg
Thanks for the encouragement.
All's well that ends well.
I'm sure I'll trip over my shoelaces again soon enough!
- Dan
More information about the Gnupg-users
mailing list