Will gpg 1.x remain supported for the foreseeable future?
dank at kegel.com
Sun Jan 21 00:40:19 CET 2018
On Thu, Jan 18, 2018 at 7:58 PM, Dan Kegel <dank at kegel.com> wrote:
>> The keys referred to via signed-by are the only acceptable keys for the
>> associated apt repo.
>> Does that make sense?
> That'd be great if it worked. Since it's hard to explain what's broken
> without a simple script showing exactly what I'm doing, let's just
> hold that thought until I post one.
I spent a little while cleaning up my script and found the problem, whew!
Here's part of the log:
+ gpg2 -q --pinentry-mode loopback --passphrase
--personal-digest-preferences SHA256 --gen-key gpg.in.tmp
+ gpg2 --armor --export temp-repo at example.com
+ sudo GNUPGHOME=/tmp/obs_localbuild_gpghome_dank.tmp
APT_CONFIG=/home/dank/src/obs/foo.tmp/etc/apt.conf apt-get update
Preparing to exec: /usr/bin/apt-key --quiet --readonly --keyring
--status-fd 3 /tmp/apt.sig.nD3tum /tmp/apt.data.OVJLiX
Read: [GNUPG:] ERRSIG 505A301EE37484C6 1 8 01 1516484740 9
Read: [GNUPG:] NO_PUBKEY 505A301EE37484C6
Even with apt debug logging on, that wasn't enough to make the problem
obvious. I had to add
exec 2> /tmp/apt-key.log.$$
to the top of /usr/bin/apt-key. Grepping for that key in /tmp/apt-key*, I found
+ gpgv --homedir /tmp/tmp.oM7RZ707db --keyring
--ignore-time-conflict --status-fd 3 /tmp/apt.sig.nD3tum
gpgv: Signature made Sat Jan 20 13:45:40 2018 PST using RSA key ID E37484C6
gpgv: [don't know]: invalid packet (ctb=2d)
gpgv: keydb_search failed: invalid packet
gpgv: Can't check signature: public key not found
Well, well. That 'invalid packet' appears to be a telltale sign of
using --armor where one shouldn't, and looking at my first log, you
can see a --armor. Removing it made everything happy.
So this was a case of a) dumb user and b) poor diagnostics from apt.
Also, now that I've ripped out all gpg1 support from my script, I
realize that gpg-agent is nearly well behaved.
The only possible rough spots I ran into were:
- having to enable pinentry (Ubuntu 16.04's gpg is old)
- not knowing a clean way to tidy up an old gnupghome and its agent
without hanging if the agent is missing
- the gpg man page says --dearmor isn't very useful. I beg to differ :-)
- might save time and anguish if apt-key (and thus gpg[v]?) accepted
armored keyrings even if filename ends in .gpg
Thanks for the encouragement.
All's well that ends well.
I'm sure I'll trip over my shoelaces again soon enough!
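The "invalid packet (ctb=2d)" clue above has a simple explanation: a binary OpenPGP keyring begins with a packet-tag byte whose high bit is set, while an armored file begins with "-----BEGIN PGP ...", whose first byte is '-' (0x2d), so gpgv rejects it as an invalid packet tag. The following POSIX shell helper is an added example, not code from the post or from GnuPG/apt; it checks that first byte to decide whether a key file is armored before it is dropped into a keyring, and dearmors it when needed. It assumes `od` and `gpg` are on the PATH; file names and the sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): distinguish an ASCII-armored
# OpenPGP key file from a binary one before handing it to apt-key / gpgv,
# and convert it with "gpg --dearmor" when necessary.
#
# A binary keyring starts with a packet-tag byte with bit 7 set (0x80..0xFF,
# e.g. 0x99 for a public-key packet). An armored file starts with
# "-----BEGIN PGP", whose first byte '-' is 0x2d: the "ctb=2d" in the post.

# Print "armored", "binary" or "unknown" for the key file named in $1.
key_format() {
    first=$(od -An -N1 -tx1 "$1" | tr -d ' \n')
    case "$first" in
        2d)                      echo armored ;;   # '-' from "-----BEGIN PGP"
        8?|9?|a?|b?|c?|d?|e?|f?) echo binary  ;;   # high bit set: a packet tag
        *)                       echo unknown ;;
    esac
}

# Produce a binary keyring at $2 from the key file $1, dearmoring if
# needed. Fails (non-zero) when the input is neither armored nor binary,
# so a stray file never ends up in /etc/apt/trusted.gpg.d unnoticed.
to_binary_keyring() {
    case "$(key_format "$1")" in
        armored) gpg --dearmor < "$1" > "$2" ;;
        binary)  cp "$1" "$2" ;;
        *)       echo "$1: not an OpenPGP key file" >&2; return 1 ;;
    esac
}
```

Usage in the post's scenario would be `to_binary_keyring temp-repo.asc /etc/apt/trusted.gpg.d/temp-repo.gpg` (paths constructed): the exported armored key is converted on the way in, so the `.gpg` name always matches the binary format that gpgv expects.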