Hi all,
I'm having issues with signing packages generated by makepkg. I verified my gpg-agent is running prior to starting makepkg. Didn't help. After I learned that makepkg is just a bash script, I added a few messages into the function create_signature and found this:
$ gpgconf --list-dirs
sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
dirmngr-socket:/home/paladin/.gnupg/S.dirmngr
dirmngr-sys-socket:/usr/var/run/gnupg/S.dirmngr
agent-socket:/home/paladin/.gnupg/S.gpg-agent
homedir:/home/paladin/.gnupg
When I compare it with the output I get when running from my regular terminal:
$ gpgconf --list-dirs
sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
dirmngr-sys-socket:/usr/var/run/gnupg/S.dirmngr
agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/paladin/.gnupg
I see the problem. In makepkg, the agent socket is /home/paladin/.gnupg/S.gpg-agent but normally it is /run/user/1000/gnupg/S.gpg-agent.
So I know what the problem is. I however have no idea how to fix it.
If you need more info to be able to help me (if you are willing to, of course), please ask :)
Thanks in advance
I made another step: /run/user/1000 is owned by uid=1000 (not surprising), but signing is done from fakeroot (uid=0). So it fails to match /run/user/1000 and falls back to the default, ~/.gnupg/S.gpg-agent. But I still don't know what to do with it.
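The ownership mismatch described in the post above, as an added example that is not part of the thread or of GnuPG's own code. The function below is a simplified model of how GnuPG 2.1.13 decides where to look for S.gpg-agent: it takes the candidate /run/user/<uid>/gnupg directory, the GNUPGHOME fallback, and the uid GnuPG believes it is running as, and only uses the runtime directory when that directory exists, is owned by that uid and has mode 0700. Under fakeroot the uid is reported as 0 while /run/user/1000 is still owned by uid 1000, so the check fails and the fallback path is returned. It assumes GNU coreutils `stat` (Linux); the real logic in GnuPG also creates the gnupg subdirectory and checks the parent, which this model skips.

```shell
#!/usr/bin/env bash
# Added example, not GnuPG's own code: a rough model of the socket-directory
# selection that makes makepkg's fakeroot stage fall back to ~/.gnupg.
# Assumes GNU coreutils `stat` (Linux).

# gpg_socket_dir RUNDIR HOMEDIR UID
#   RUNDIR  - candidate /run/user/<uid>/gnupg directory
#   HOMEDIR - the GNUPGHOME fallback (normally ~/.gnupg)
#   UID     - the uid the process sees itself as (0 inside fakeroot)
# Prints the directory in which GnuPG would expect S.gpg-agent.
gpg_socket_dir() {
    local rundir=$1 homedir=$2 uid=$3
    if [ -d "$rundir" ] \
        && [ "$(stat -c '%u' "$rundir")" = "$uid" ] \
        && [ "$(stat -c '%a' "$rundir")" = "700" ]; then
        # runtime dir is usable: owned by this uid and private
        printf '%s\n' "$rundir"
    else
        # ownership or mode mismatch (or no such dir): fall back to GNUPGHOME
        printf '%s\n' "$homedir"
    fi
}

# Show both cases against the real runtime dir of the current user, if any.
demo() {
    local me rundir homedir
    me=$(id -u)
    rundir="/run/user/$me/gnupg"
    homedir="${GNUPGHOME:-$HOME/.gnupg}"
    echo "regular shell (uid $me): $(gpg_socket_dir "$rundir" "$homedir" "$me")"
    echo "inside fakeroot (uid 0): $(gpg_socket_dir "$rundir" "$homedir" 0)"
}

demo
```

Running the script from a normal terminal prints the /run/user/<uid>/gnupg path for the first line and ~/.gnupg for the second, which is exactly the difference between the two gpgconf --list-dirs outputs quoted earlier in the thread; a quick way to confirm the real behaviour is `fakeroot gpgconf --list-dirs` versus plain `gpgconf --list-dirs`.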
Signing is done in fakeroot? That sounds bad... I'm sure it was done at the end of packaging once we exited from fakeroot.
Signing is done inside create_signature function, which is called from create_package, which is called from fakeroot. At least it seems to me that way. And the $EUID inside create_signature is definitely 0.
Last edited by gray_-_wolf (2016-07-01 00:58:42)
All you should need to do is edit the 'PACKAGER' and 'GPGKEY' options in /etc/makepkg.conf. You didn't mention if you had done that yet. The wiki article on makepkg describes this. My apologies if you did and this is a separate problem. FWIW, I use gpg-agent and the two above edits and don't have any issues.
Scott
Last edited by firecat53 (2016-07-01 05:24:52)
@firecat53: Are you sure it does really work? If you fill the PACKAGER and GPGKEY (I did), unlock the key before running makepkg --sign, then it will run and correctly sign the package without prompting for password? Are you sure? Because I don't see how it could (unless you just don't have /run/user/$UID folder).
Last edited by gray_-_wolf (2016-07-02 03:21:45)
Yup...I use aurget for all my AUR packages, and every built package in my '.local/var/local_packages' directory has a *.tar.xz.sig file and it correctly verifies the associated package:
local_packages $ gpg --verify android-ndk-r11c-3-x86_64.pkg.tar.xz.sig android-ndk-r11c-3-x86_64.pkg.tar.xz
gpg: Signature made Mon 13 Jun 2016 02:35:52 PM PDT using RSA key ID xxxxxxxxxx
gpg: Good signature from "Scott Hansen (firecat53) <email@gmail.com>" [ultimate]
gpg: aka "Scott Hansen <email2@gmail.com>" [ultimate]
gpg: aka "Scott Hansen <email3@gmail.com>" [ultimate]
Scott
Edit: Sorry...one more flag to fix in /etc/makepkg.conf: change the '!sign' to 'sign' in BUILDENV. Been a long time since I set it up
Last edited by firecat53 (2016-07-02 04:58:06)
One last idea: what is your output of gpgconf --list-dirs?
sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
dirmngr-sys-socket:/usr/var/run/gnupg/S.dirmngr
agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/firecat53/.gnupg
I could be wrong, but I think your issues are caused by gnupg-2.1.13-1. Have you tried downgrading to gnupg-2.1.12-2? I'm seeing issues here with 2.1.13-1 regarding broken package signing as well as using gpa to trust or sign keys. I would try downgrading before you spend too much time chasing your tail like I've been doing on and off since 2.1.13-1 was released. I submitted a bug report for the gpa problem as I'm hoping it is easy to reproduce. I mentioned this thread in the report.
Last edited by 0strodamus (2016-07-03 20:09:52)
archlinux | OpenRC | TOMOYO Linux | Xfce
"In his house at R'lyeh dead Cthulhu waits dreaming."
Welp.
You are right. Reverting to 2.1.12 fixed the issue. I'm gonna raise this issue on gnupg mailing list and see what's what.
PS: But thanks so much for the advice, it saved me a lot of time.
You're very welcome, it's good to know that I was able to help. And thank you for posting to the forum so I know it's not just my setup causing me problems. Hopefully, we'll find a resolution soon. I'll update this thread if I stumble onto anything of value.
I've asked on the mailing list, https://lists.gnupg.org/pipermail/gnupg … 56239.html , if you want to follow it.
I can also confirm this problem being caused by the 2.1.13 upgrade. Thank you very much, guys! Let's see indeed what the proper solution should be.
“Don't climb the mountain to conquer it. Climb it to conquer yourself.”
The following workaround seems to work fine for me:
cd ~
ln -s .gnupg .gnupg.2.1.13.workaround
and put the following inside .bashrc:
export GNUPGHOME=~/.gnupg.2.1.13.workaround
gpg-agent --daemon
If you start gpg-agent from a different place, make sure it has GNUPGHOME set correctly.
This came from the mailing list. Werner Koch is not keen on relaxing the check for ownership (even for root).
So the proper place to fix this is inside makepkg (not signing in fakeroot), but Allan is not sure if it will squeeze into 5.0.2 (see here: https://bugs.archlinux.org/task/49946#comment148671 ). For the time being I'll be using the workaround above.
Last edited by gray_-_wolf (2016-07-05 18:11:40)
I can confirm that your workaround works here too. Thanks for sharing!
I compiled gpa with the commit that Werner mentioned on the gnupg mailing list and the gpa issues are resolved. Unfortunately, gpa now causes gpg-connect-agent and gpgconf to generate "Libgcrypt warning: missing initialization" errors at launch, but at least everything seems to be working ok.