From jw at raven.inka.de Sun Feb 2 09:22:37 2025
From: jw at raven.inka.de (Josef Wolf)
Date: Sun, 2 Feb 2025 09:22:37 +0100
Subject: Please help verify signature within Dockerfile
In-Reply-To: <20250130231518.GX30202@raven.inka.de>
References: <20250130231518.GX30202@raven.inka.de>
Message-ID: <20250202082237.GZ30202@raven.inka.de>

Although I got a solution for the initial problem to use gpgv, I am still
curious why all the other methods fail.

Any ideas?

On Fri, Jan 31, 2025 at 12:15:18AM +0100, Josef Wolf wrote:
> Hello all,
>
> I am trying to verify signature of downloaded files when creating a docker
> container. This is what I am trying to do within the Dockerfile:
>
>    RUN gpg -v --status-fd 1 --no-keyring \
>        --trust-model always \
>        --recipient-file /pubkes/release-key.txt \
>        --verify sigfile.asc foo.tar.gz
>
> This errors with "gpg: Can't check signature: No public key". Using strace, I
> can see that gpg won't even try to open /pubkeys/release-key.txt
>
> I also tried to de-armor the pubkey file and pass it as
>
>    RUN gpg --yes -o release-key.gpg --dearmor release-key.txt
>    RUN gpg -v --status-fd 1 --no-keyring \
>        --trust-model always \
>        --no-keyring --keyring /pubkes/release-key.gpg \
>        --verify sigfile.asc foo.tar.gz
>
> with exactly the same result: gpg won't even try to open the keyfile.
>
> I also tried to import the pubkey and verify using the default keyring:
>
>    RUN gpg --import ql/release-key.txt
>    RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp
>
> but this one tries to start and connect to gpg-agent, which fails:
>
> [1/2] STEP 17/21: RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp
> gpg: Signature made Wed Jan 28 21:13:26 2015 UTC
> gpg:                using RSA key 307965AB028B5FF7
> gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
> gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
> gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
> gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
> gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
> gpg: keydb_search failed: Operation timed out
> gpg: Can't check signature: No public key
> Error: building at STEP "RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp": while running runtime: exit status 2
>
> BTW: I create an empty ~/.gnupg directory before the very first gpg invocation
> to prevent use-keyboxd option to be set.
>
> Does it really need to be that hard to verify signature with a given pubkey?
>
> Any help?
>
> --
> Josef Wolf
> jw at raven.inka.de
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users

--
Josef Wolf
jw at raven.inka.de

From ametzler at bebt.de Sun Feb 2 12:02:19 2025
From: ametzler at bebt.de (Andreas Metzler)
Date: Sun, 2 Feb 2025 12:02:19 +0100
Subject: Please help verify signature within Dockerfile
In-Reply-To: <20250202082237.GZ30202@raven.inka.de>
References: <20250130231518.GX30202@raven.inka.de> <20250202082237.GZ30202@raven.inka.de>
Message-ID:

On 2025-02-02 Josef Wolf wrote:
> Although I got a solution for the initial problem to use gpgv, I am still
> curious why all the other methods fail.

> Any ideas?

See below:

> On Fri, Jan 31, 2025 at 12:15:18AM +0100, Josef Wolf wrote:
> > Hello all,
> >
> > I am trying to verify signature of downloaded files when creating a docker
> > container. This is what I am trying to do within the Dockerfile:
> >
> >    RUN gpg -v --status-fd 1 --no-keyring \
> >        --trust-model always \
> >        --recipient-file /pubkes/release-key.txt \
> >        --verify sigfile.asc foo.tar.gz
> >
> > This errors with "gpg: Can't check signature: No public key".
> > Using strace, I
> > can see that gpg won't even try to open /pubkeys/release-key.txt

Looking at the manpage we find:

       --recipient-file file
       -f     This option is similar to --recipient except that it encrypts
              to a key stored in the given file. file must be the name of a
              file containing exactly one key. gpg assumes that the key in
              this file is fully valid.

So this has clearly nothing to do with specifying a keyring to check
against.

> > I also tried to de-armor the pubkey file and pass it as
> >
> >    RUN gpg --yes -o release-key.gpg --dearmor release-key.txt
> >    RUN gpg -v --status-fd 1 --no-keyring \
> >        --trust-model always \
> >        --no-keyring --keyring /pubkes/release-key.gpg \
> >        --verify sigfile.asc foo.tar.gz
> >
> > with exactly the same result: gpg won't even try to open the keyfile.

       --no-keyring
              Do not use any keyring at all. This overrides the default and
              all options which specify keyrings.

So --no-keyring should take care of ignoring --keyring /pubkes/release-key.gpg. :-(

> > I also tried to import the pubkey and verify using the default keyring:
> >
> >    RUN gpg --import ql/release-key.txt
> >    RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp

This should work.

[...]
> > BTW: I create an empty ~/.gnupg directory before the very first gpg
> > invocation to prevent use-keyboxd option to be set.

> > Does it really need to be that hard to verify signature with a given
> > pubkey?

(I would use a temporary directory with --homedir).

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

From wk at gnupg.org Mon Feb 3 09:05:18 2025
From: wk at gnupg.org (Werner Koch)
Date: Mon, 03 Feb 2025 09:05:18 +0100
Subject: Please help verify signature within Dockerfile
In-Reply-To: <20250202082237.GZ30202@raven.inka.de> (Josef Wolf's message of "Sun, 2 Feb 2025 09:22:37 +0100")
References: <20250130231518.GX30202@raven.inka.de> <20250202082237.GZ30202@raven.inka.de>
Message-ID: <874j1bmp1d.fsf@jacob.g10code.de>

On Sun, 2 Feb 2025 09:22, Josef Wolf said:

>> Does it really need to be that hard to verify signature with a given pubkey?

That is what gpgv was created for. Use it. Or use the newer gpg option

       --assert-signer fpr_or_file
              This option checks whether at least one valid signature on a
              file has been made with the specified key. The key is either
              specified as a fingerprint or a file listing fingerprints. The
              fingerprint must be given or listed in compact format (no
              colons or spaces in between). This option can be given
              multiple times and each fingerprint is checked against the
              signing key as well as the corresponding primary key. If
              fpr_or_file specifies a file, empty lines are ignored as well
              as all lines starting with a hash sign. With this option gpg is
              guaranteed to return with an exit code of 0 if and only if a
              signature has been encountered, is valid, and the key matches
              one of the fingerprints given by this option.

But here you need to import the keys first. But you need to store them
anyway and have a way to update them.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
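The two routes recommended in the thread, gpgv with an explicit keyring and the newer gpg --assert-signer option run in a throwaway --homedir, written out as an added example. This is not code from the thread, from Josef's Dockerfile or from GnuPG itself. It assumes gpg, gpgv and gpgconf are on PATH, that gpg is recent enough to know --assert-signer (the 2.4 series, to my knowledge), and the function names, file names and the fingerprint argument are illustrative.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the GnuPG project).
# Assumes gpg, gpgv and gpgconf are installed; names below are illustrative.

# verify_with_gpgv KEY_ASC SIG FILE
# The gpgv route: de-armor the pinned release key into a binary keyring and
# let gpgv check the detached signature against that keyring only. gpgv has
# no trust database and needs no agent, so it is suited to a Dockerfile RUN
# step. Returns gpgv's exit status (0 = a good signature from a key in the
# keyring, non-zero otherwise).
verify_with_gpgv() {
    vg_key=$1; vg_sig=$2; vg_file=$3
    vg_ring=$(mktemp) || return 2
    # --dearmor reads ASCII-armored input and writes the binary key block;
    # --yes lets it overwrite the empty temp file that mktemp created.
    if ! gpg --batch --yes --dearmor -o "$vg_ring" "$vg_key" 2>/dev/null; then
        rm -f "$vg_ring"
        return 2
    fi
    # gpgv treats a --keyring name without a slash as relative to its homedir,
    # so pass the absolute temp path.
    gpgv --keyring "$vg_ring" "$vg_sig" "$vg_file"
    vg_rc=$?
    rm -f "$vg_ring"
    return $vg_rc
}

# verify_with_assert_signer KEY_ASC FPR SIG FILE
# The gpg route: import the pinned key into a throwaway --homedir and require
# with --assert-signer that a valid signature from FPR (compact fingerprint,
# no spaces or colons) is present; gpg then exits 0 only in that case.
# Reusing an already existing empty directory means gpg does not create a
# fresh homedir with its own common.conf (which on new installations may
# enable keyboxd), the same effect as the empty ~/.gnupg trick in the thread.
verify_with_assert_signer() {
    va_key=$1; va_fpr=$2; va_sig=$3; va_file=$4
    va_home=$(mktemp -d) || return 2
    chmod 700 "$va_home"
    if ! gpg --batch --homedir "$va_home" --import "$va_key" 2>/dev/null; then
        rm -rf "$va_home"
        return 2
    fi
    gpg --batch --homedir "$va_home" --assert-signer "$va_fpr" \
        --verify "$va_sig" "$va_file"
    va_rc=$?
    # Stop any agent or keyboxd gpg may have started for this homedir before
    # the directory (and its sockets) disappear.
    gpgconf --homedir "$va_home" --kill all >/dev/null 2>&1
    rm -rf "$va_home"
    return $va_rc
}

# Run directly: verify.sh release-key.asc foo.tar.gz.asc foo.tar.gz
if [ "$#" -eq 3 ]; then
    verify_with_gpgv "$1" "$2" "$3"
fi
```

In a Dockerfile the equivalent of the first function is a single RUN step: dearmor the key shipped in the build context, then gpgv --keyring against it; no ~/.gnupg, no agent and no --trust-model are involved. The second function is the one to use when the base image's gpg is new enough, because its exit status is the only thing the build needs to trust.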
From wk at gnupg.org Mon Feb 3 09:08:17 2025
From: wk at gnupg.org (Werner Koch)
Date: Mon, 03 Feb 2025 09:08:17 +0100
Subject: Error generating subkey in gpg's batch mode using curve brainpoolP512r1
In-Reply-To: (sgh@erghfe.com's message of "Sat, 1 Feb 2025 01:01:54 +0800")
References:
Message-ID: <87zfj3laby.fsf@jacob.g10code.de>

Hi!

Thanks for the report. Andre meanwhile looked in more detail at the bug;
see https://dev.gnupg.org/T7506

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein