Will gpg 1.x remain supported for the foreseeable future?

Dan Kegel dank at kegel.com
Sun Jan 21 00:40:19 CET 2018

On Thu, Jan 18, 2018 at 7:58 PM, Dan Kegel <dank at kegel.com> wrote:
>> The keys referred to via signed-by are the only acceptable keys for the
>> associated apt repo.
>> does that make sense?
> That'd be great if it worked.  Since it's hard to explain what's broken
> without a simple script showing exactly what I'm doing, let's just
> hold that thought until I post one.

I spent a little while cleaning up my script and found the problem, whew!

Here's part of the log:

+ gpg2 -q --pinentry-mode loopback --passphrase
--personal-digest-preferences SHA256 --gen-key gpg.in.tmp
+ gpg2 --armor --export temp-repo at example.com
+ sudo GNUPGHOME=/tmp/obs_localbuild_gpghome_dank.tmp
APT_CONFIG=/home/dank/src/obs/foo.tmp/etc/apt.conf apt-get  update
Preparing to exec:  /usr/bin/apt-key --quiet --readonly --keyring
/tmp/obs_localbuild_keyrings_dank.tmp/keyrings/localhost.gpg verify
--status-fd 3 /tmp/apt.sig.nD3tum /tmp/apt.data.OVJLiX
Read: [GNUPG:] ERRSIG 505A301EE37484C6 1 8 01 1516484740 9
Read: [GNUPG:] NO_PUBKEY 505A301EE37484C6

Even with apt debug logging on, that wasn't enough to make the problem
obvious.  I had to add

exec 2> /tmp/apt-key.log.$$
set -x

to the top of /usr/bin/apt-key.  Grepping for that key in /tmp/apt-key*, I found

+ gpgv --homedir /tmp/tmp.oM7RZ707db --keyring
--ignore-time-conflict --status-fd 3 /tmp/apt.sig.nD3tum
gpgv: Signature made Sat Jan 20 13:45:40 2018 PST using RSA key ID E37484C6
gpgv: [don't know]: invalid packet (ctb=2d)
gpgv: keydb_search failed: invalid packet
gpgv: Can't check signature: public key not found

Well, well.  That 'invalid packet' appears to be a telltale sign of
using --armor where one shouldn't, and looking at my first log, you
can see a --armor.  Removing it made everything happy.
So this was a case of a) dumb user and b) poor diagnostics from apt.

Also, now that I've ripped out all gpg1 support from my script, I
realize that gpg-agent is nearly well behaved.
Only possible rough spots I ran into were:
- having to enable pinentry (ubuntu 16.04's gpg is old)
- not knowing a clean way to tidy up an old gnupghome and its agent
without hanging if the agent is missing
- the gpg man page says --dearmor isn't very useful.  I beg to differ :-)
- might save time and anguish if apt-key (and thus gpg[v]?) accepted
armored keyrings even if filename ends in .gpg

Thanks for the encouragement.
All's well that ends well.
I'm sure I'll trip over my shoelaces again soon enough!
- Dan

More information about the Gnupg-users mailing list