Forward gpg-agent to container

Benjamin Kircher benjamin.kircher at gmail.com
Mon Jun 4 20:44:19 CEST 2018


Hello,

I want to forward my host gpg-agent to an OCI container so that I can use a secret key that is available on the host to sign some packages inside the container. For this I create a bind mount of agent-extra-socket to /gpg-agent inside the container and start the container with

  $ docker run --volume $(gpgconf --list-dirs agent-extra-socket):/gpg-agent --entrypoint=sh -ti fedora:latest

Now inside the container I can see my socket:

  # ls -l /gpg-agent 
  srwx------ 1 root root 0 Jun  4 17:45 /gpg-agent

From here on, I am kind of stuck. I fail to somehow make gpg-agent inside the container “use” the extra-socket. Here is what I am doing:

  # mkdir ~/.gnupg && chmod 700 ~/.gnupg

  # ln -s /gpg-agent ~/.gnupg/S.gpg-agent

  # ls -l ~/.gnupg/
  total 0
  lrwxrwxrwx 1 root root 10 Jun  4 18:29 S.gpg-agent -> /gpg-agent

However, as soon as I start the agent explicitly, the symlink to the socket is overwritten.

  # gpg-connect-agent "keyinfo --list" /bye

  # ls -l ~/.gnupg/
  total 8
  srwx------ 1 root root    0 Jun  4 18:31 S.gpg-agent
  srwx------ 1 root root    0 Jun  4 18:31 S.gpg-agent.browser
  srwx------ 1 root root    0 Jun  4 18:31 S.gpg-agent.extra
  srwx------ 1 root root    0 Jun  4 18:31 S.gpg-agent.ssh
  -rw-r--r-- 1 root root   96 Jun  4 18:31 gpg-agent.conf
  drwx------ 2 root root 4096 Jun  4 18:31 private-keys-v1.d

  # cat ~/.gnupg/gpg-agent.conf 
  default-cache-ttl 600
  max-cache-ttl 7200
  debug-level guru
  debug-all
  log-file /tmp/gpg-agent.log

  # cat /tmp/gpg-agent.log 
  2018-06-04 18:31:58 gpg-agent[12] listening on socket '/root/.gnupg/S.gpg-agent'
  2018-06-04 18:31:58 gpg-agent[12] listening on socket '/root/.gnupg/S.gpg-agent.extra'
  2018-06-04 18:31:58 gpg-agent[12] listening on socket '/root/.gnupg/S.gpg-agent.browser'
  2018-06-04 18:31:58 gpg-agent[12] listening on socket '/root/.gnupg/S.gpg-agent.ssh'
  2018-06-04 18:31:58 gpg-agent[13] gpg-agent (GnuPG) 2.2.6 started
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK Pleased to meet you, process 10
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- RESET
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- OPTION ttyname=/dev/pts/0
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- OPTION ttytype=xterm
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- OPTION lc-ctype=C
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- OPTION lc-messages=C
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- keyinfo --list
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- [eof]
  2018-06-04 18:32:02 gpg-agent[13] DBG: agent_cache_housekeeping


GnuPG version on the host: 2.2.7
GnuPG version in the container: 2.2.6

Also note that I neither use SSH nor socat to connect. Just that bind mount of the socket.

I am aware that I need to fetch my public key before I can “see” and use the secret key. But from what I can see, it fails earlier.

Any pointers heavily appreciated.

BK
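A pre-flight check for the setup described above, added here as an example and not part of the original post. Because gpg-connect-agent launches its own agent (replacing the symlink) when it gets no answer, the log cannot tell whether the bind-mounted socket was ever reachable; this probe speaks the Assuan protocol directly to /gpg-agent (the path from the post) and can never start an agent. It assumes the agent's "OK" greeting and the GETINFO version command; the fake agent at the bottom is constructed so the demo runs offline.

```python
import os, socket, stat, tempfile, threading
from urllib.parse import unquote

def assuan_request(sock_path, command, timeout=2.0):
    """One Assuan command over the socket -> (ok, data_lines); never spawns an agent."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        rd = s.makefile("rb")
        if not rd.readline().startswith(b"OK"):  # greeting "OK Pleased to meet you"
            return False, []
        s.sendall(command.encode() + b"\n")
        data = []
        for raw in rd:                           # until OK/ERR or the agent hangs up
            line = raw.rstrip(b"\n").decode()
            if line.startswith("D "):            # data line, %XX-escaped payload
                data.append(unquote(line[2:]))
            elif line.startswith("OK"):
                return True, data
            elif line.startswith("ERR"):
                return False, data + [line]
        return False, data                       # "S " status / "#" comments skipped

def forwarded_agent_version(sock_path="/gpg-agent"):
    """Version the agent behind sock_path reports, or None if it is not a socket or is silent."""
    try:
        is_sock = stat.S_ISSOCK(os.stat(sock_path).st_mode)
        ok, data = assuan_request(sock_path, "GETINFO version") if is_sock else (False, [])
    except OSError:                              # missing path, refused, or timed out
        return None
    return data[0] if ok and data else None

def fake_agent(sock_path, version="2.2.7"):
    """Constructed stand-in for the host agent so the demo runs offline."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(b"OK Pleased to meet you, process 99\n")
            req = conn.makefile("rb").readline().strip()
            reply = f"D {version}\nOK\n" if req == b"GETINFO version" else "ERR 1 Unknown command\n"
            conn.sendall(reply.encode())
    threading.Thread(target=serve, daemon=True).start()

def demo():
    # Probe a fake host agent on a temporary socket the way the container would probe /gpg-agent.
    with tempfile.TemporaryDirectory() as d:
        fake_agent(os.path.join(d, "S.gpg-agent"))
        return forwarded_agent_version(os.path.join(d, "S.gpg-agent"))
```

Run `forwarded_agent_version("/gpg-agent")` inside the container before touching ~/.gnupg: a version string means the host agent is answering through the mount, while None means the problem is the mount itself rather than the symlink.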
