Gentoo's Portage: Best ways to keep binary package signing key unlocked?

Andrew Ammerlaan andrewammerlaan at gentoo.org
Wed Aug 30 11:54:30 CEST 2023


Hi all,

In order to allow users to verify binary packages Gentoo's portage 
offers the option to sign any generated binary packages after 
installation. For this to work the configured signing key is unlocked 
once before a job starts, and it should then remain unlocked until 
portage completes the job.

Currently the way this is accomplished involves periodically signing 
/dev/null, code snippet below:

         self.GPG_unlock_command = self.GPG_signing_base_command.replace(
             "[PORTAGE_CONFIG]",
             f"--homedir {self.signing_gpg_home} "
             f"--digest-algo {self.digest_algo} "
             f"--local-user {self.signing_gpg_key} "
             "--output - /dev/null",
         )

Recently we fixed a bug[1][2] in this code that caused /dev/null to be 
removed if GnuPG failed to unlock the key. This, however, prompted the 
question of whether there is a more elegant way to do this.

Signing /dev/null feels like more of a hack than an actual solution to 
keeping the key unlocked until portage finishes. Therefore I would like 
to ask you if you have any better ideas to do this?

Best regards,
Andrew


[1] https://bugs.gentoo.org/912808
[2] https://github.com/gentoo/portage/commit/9d278330839049a818ba9f1e3985c7e502c63451
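The keep-alive approach the message describes, written out as an added example (not portage's code): a context manager that performs one dummy signing up front to get the key unlocked, then repeats it on a timer so gpg-agent's passphrase cache never expires before the job ends. The command mirrors the snippet above but feeds empty data on stdin instead of naming /dev/null, so GnuPG is never given a filesystem path it could delete; the `runner` parameter is a hypothetical injection point so the loop can be exercised without a real key.

```python
"""Keep a GnuPG signing key unlocked in gpg-agent for the length of a job."""
import subprocess
import threading
import time
from typing import Callable, List, Optional


def unlock_command(gpg_home: str, key: str, digest_algo: str = "SHA512") -> List[str]:
    """Dummy signing command. Data arrives on stdin, output goes to stdout,
    so no path such as /dev/null is handed to GnuPG as an input or output file."""
    return ["gpg", "--sign", "--homedir", gpg_home, "--digest-algo", digest_algo,
            "--local-user", key, "--output", "-"]


def run_gpg(cmd: List[str]) -> bool:
    """Run the dummy signing; True means gpg-agent has (or just obtained) the key."""
    proc = subprocess.run(cmd, input=b"", stdout=subprocess.DEVNULL, stderr=subprocess.PIPE)
    return proc.returncode == 0


class SigningKeyKeepAlive:
    """First signing may trigger pinentry; later ones just refresh the agent cache."""

    def __init__(self, cmd: List[str], interval_s: float,
                 runner: Callable[[List[str]], bool] = run_gpg):
        self.cmd, self.interval_s, self.runner = cmd, interval_s, runner
        self.refreshes, self.failed = 0, False
        self._stop = threading.Event()
        self._thread: Optional[threading.Thread] = None

    def _loop(self) -> None:
        while not self._stop.wait(self.interval_s):   # returns True once stopped
            if not self.runner(self.cmd):
                self.failed = True                     # stop instead of re-prompting forever
                return
            self.refreshes += 1

    def __enter__(self) -> "SigningKeyKeepAlive":
        if not self.runner(self.cmd):
            raise RuntimeError("could not unlock signing key")
        self._thread = threading.Thread(target=self._loop, daemon=True)
        self._thread.start()
        return self

    def __exit__(self, *exc) -> bool:
        self._stop.set()
        self._thread.join()
        return False


def hold_key_unlocked(cmd: List[str], interval_s: float, job: Callable[[], None],
                      runner: Callable[[List[str]], bool] = run_gpg) -> SigningKeyKeepAlive:
    """Run `job` while the key is kept unlocked; returns the keep-alive for inspection."""
    with SigningKeyKeepAlive(cmd, interval_s, runner) as keep_alive:
        job()
    return keep_alive
```

The refresh interval must be shorter than gpg-agent's configured cache TTL for the dummy signing to actually prevent expiry; the `failed` flag lets the caller abort the job instead of silently producing unsigned packages.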


