#1 2016-06-30 19:13:11

gray_-_wolf
Member
Registered: 2016-03-30
Posts: 23

makepkg --sign and gpg-agent issue

Hi all,
I'm having issues with signing packages generated by makepkg. I verified my gpg-agent is running prior to starting makepkg. Didn't help. After I learned that makepkg is just a bash script, I added a few messages into the function create_signature and found this:

$ gpgconf --list-dirs
sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
dirmngr-socket:/home/paladin/.gnupg/S.dirmngr
dirmngr-sys-socket:/usr/var/run/gnupg/S.dirmngr
agent-socket:/home/paladin/.gnupg/S.gpg-agent
homedir:/home/paladin/.gnupg

When I compare it with the output I get running from my regular terminal:

$ gpgconf --list-dirs
sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
dirmngr-sys-socket:/usr/var/run/gnupg/S.dirmngr
agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/paladin/.gnupg

I see the problem. In makepkg, the agent socket is /home/paladin/.gnupg/S.gpg-agent but normally it is /run/user/1000/gnupg/S.gpg-agent.

So I know what the problem is. I however have no idea how to fix it.

If you need more info to be able to help me (of course if you are willing to), please, ask :)

Thanks in advance

Offline

#2 2016-07-01 00:02:44

gray_-_wolf
Member
Registered: 2016-03-30
Posts: 23

Re: makepkg --sign and gpg-agent issue

I made another step: /run/user/1000 is owned by uid=1000 (not surprising), but signing is done from fakeroot (uid=0). So it fails to match /run/user/1000 and falls back to the default, ~/.gnupg/S.gpg-agent. But still dunno what to do with it.

Offline

#3 2016-07-01 00:38:30

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365
Website

Re: makepkg --sign and gpg-agent issue

Signing is done in fakeroot? That sounds bad... I'm sure it was done at the end of packaging once we exited from fakeroot.

Offline

#4 2016-07-01 00:58:05

gray_-_wolf
Member
Registered: 2016-03-30
Posts: 23

Re: makepkg --sign and gpg-agent issue

Signing is done inside the create_signature function, which is called from create_package, which is called from fakeroot. At least it seems to me that way. And the $EUID inside create_signature is definitely 0.

Last edited by gray_-_wolf (2016-07-01 00:58:42)

Offline

#5 2016-07-01 05:23:14

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542
Website

Re: makepkg --sign and gpg-agent issue

All you should need to do is edit the 'PACKAGER' and 'GPGKEY' options in /etc/makepkg.conf. You didn't mention if you had done that yet. The wiki article on makepkg describes this. My apologies if you did and this is a separate problem. FWIW, I use gpg-agent and the two above edits and don't have any issues.

Scott

Last edited by firecat53 (2016-07-01 05:24:52)

Offline

#6 2016-07-02 03:21:25

gray_-_wolf
Member
Registered: 2016-03-30
Posts: 23

Re: makepkg --sign and gpg-agent issue

@firecat53: Are you sure it really does work? If you fill in PACKAGER and GPGKEY (I did), unlock the key before running makepkg --sign, then it will run and correctly sign the package without prompting for a password? Are you sure? Because I don't see how it could (unless you just don't have a /run/user/$UID folder).

Last edited by gray_-_wolf (2016-07-02 03:21:45)

Offline

#7 2016-07-02 04:54:51

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542
Website

Re: makepkg --sign and gpg-agent issue

Yup...I use aurget for all my AUR packages, and every built package in my '.local/var/local_packages' directory has a *.tar.xz.sig file and it correctly verifies the associated package:

local_packages $ gpg --verify android-ndk-r11c-3-x86_64.pkg.tar.xz.sig android-ndk-r11c-3-x86_64.pkg.tar.xz
gpg: Signature made Mon 13 Jun 2016 02:35:52 PM PDT using RSA key ID xxxxxxxxxx
gpg: Good signature from "Scott Hansen (firecat53) <email@gmail.com>" [ultimate]
gpg:                 aka "Scott Hansen <email2@gmail.com>" [ultimate]
gpg:                 aka "Scott Hansen <email3@gmail.com>" [ultimate]

Scott

Edit: Sorry...one more flag to fix in /etc/makepkg.conf: change the '!sign' to 'sign' in BUILDENV. Been a long time since I set it up :)

Last edited by firecat53 (2016-07-02 04:58:06)

Offline

#8 2016-07-02 11:49:33

gray_-_wolf
Member
Registered: 2016-03-30
Posts: 23

Re: makepkg --sign and gpg-agent issue

One last idea: what is your output of gpgconf --list-dirs?

Offline

#9 2016-07-02 18:59:06

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542
Website

Re: makepkg --sign and gpg-agent issue

sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
dirmngr-sys-socket:/usr/var/run/gnupg/S.dirmngr
agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/firecat53/.gnupg

Offline

#10 2016-07-03 19:45:18

0strodamus
Member
Registered: 2014-01-22
Posts: 92

Re: makepkg --sign and gpg-agent issue

I could be wrong, but I think your issues are caused by gnupg-2.1.13-1. Have you tried downgrading to gnupg-2.1.12-2? I'm seeing issues here with 2.1.13-1 regarding broken package signing as well as using gpa to trust or sign keys. I would try downgrading before you spend too much time chasing your tail like I've been doing on and off since 2.1.13-1 was released. I submitted a bug report for the gpa problem as I'm hoping it is easy to reproduce. I mentioned this thread in the report.

Last edited by 0strodamus (2016-07-03 20:09:52)


archlinux | OpenRC | TOMOYO Linux | Xfce

"In his house at R'lyeh dead Cthulhu waits dreaming."

Offline

#11 2016-07-04 19:34:38

gray_-_wolf
Member
Registered: 2016-03-30
Posts: 23

Re: makepkg --sign and gpg-agent issue

Welp.

You are right. Reverting to 2.1.12 fixed the issue. I'm gonna raise this issue on the gnupg mailing list and see what's what.

PS: But thanks so much for the advice, saved me a lot of time :)

Offline

#12 2016-07-04 20:32:22

0strodamus
Member
Registered: 2014-01-22
Posts: 92

Re: makepkg --sign and gpg-agent issue

You're very welcome, it's good to know that I was able to help. And thank you for posting to the forum so I know it's not just my setup causing me problems. Hopefully, we'll find a resolution soon. I'll update this thread if I stumble onto anything of value.


archlinux | OpenRC | TOMOYO Linux | Xfce

"In his house at R'lyeh dead Cthulhu waits dreaming."

Offline

#13 2016-07-04 20:36:07

gray_-_wolf
Member
Registered: 2016-03-30
Posts: 23

Re: makepkg --sign and gpg-agent issue

I've asked on the mailing list https://lists.gnupg.org/pipermail/gnupg … 56239.html if you wanna follow it.

Offline

#14 2016-07-05 17:59:24

kerberizer
Member
From: Sofia, BG
Registered: 2014-02-01
Posts: 25
Website

Re: makepkg --sign and gpg-agent issue

I can also confirm this problem being caused by the 2.1.13 upgrade. Thank you very much, guys! Let's see indeed what the proper solution should be.


“Don't climb the mountain to conquer it. Climb it to conquer yourself.”

Offline

#15 2016-07-05 18:08:40

gray_-_wolf
Member
Registered: 2016-03-30
Posts: 23

Re: makepkg --sign and gpg-agent issue

The following workaround seems to work fine for me:

cd ~
ln -s .gnupg .gnupg.2.1.13.workaround

and put the following inside .bashrc:

export GNUPGHOME=~/.gnupg.2.1.13.workaround
gpg-agent --daemon

If you start gpg-agent from a different place, make sure it has GNUPGHOME set correctly.

This came from the mailing list. Werner Koch is not keen on relaxing the check for ownership (even for root).

So the proper place to fix this is inside makepkg (not signing in fakeroot), but Allan is not sure if it will squeeze inside 5.0.2 (see here: https://bugs.archlinux.org/task/49946#comment148671 ). For the time being I'll be using the workaround above.

Last edited by gray_-_wolf (2016-07-05 18:11:40)

Offline
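
A diagnostic for the socket mismatch worked out in this thread, added here as an example and not part of any post: it compares the agent-socket that gpgconf --list-dirs reports in the normal shell with the one reported under fakeroot. The function names are hypothetical, and the sample inputs are constructed from the outputs quoted in post #1.

```shell
#!/bin/sh
# Added diagnostic example. The two samples below are constructed from the
# gpgconf --list-dirs outputs quoted in post #1 (trimmed to the relevant lines).
SAMPLE_TERMINAL='agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/paladin/.gnupg'
SAMPLE_MAKEPKG='agent-socket:/home/paladin/.gnupg/S.gpg-agent
homedir:/home/paladin/.gnupg'

# Print one field of `gpgconf --list-dirs` output read from stdin.
list_dirs_field() {
    awk -v key="$1" 'index($0, key ":") == 1 { print substr($0, length(key) + 2); exit }'
}

# Compare the agent socket resolved in two contexts.
# Prints a verdict; returns 0 on match, 1 on mismatch, 2 if a field is missing.
compare_agent_sockets() {
    outer=$(printf '%s\n' "$1" | list_dirs_field agent-socket)
    inner=$(printf '%s\n' "$2" | list_dirs_field agent-socket)
    if [ -z "$outer" ] || [ -z "$inner" ]; then
        echo "unknown: agent-socket field missing"
        return 2
    fi
    if [ "$outer" = "$inner" ]; then
        echo "match: $outer"
        return 0
    fi
    echo "mismatch: shell=$outer fakeroot=$inner"
    return 1
}

# Live check (hypothetical helper name): resolve the socket in the current
# shell and again under fakeroot, where makepkg's create_signature runs.
live_check() {
    command -v gpgconf >/dev/null 2>&1 || { echo "gpgconf not found"; return 2; }
    command -v fakeroot >/dev/null 2>&1 || { echo "fakeroot not found"; return 2; }
    compare_agent_sockets "$(gpgconf --list-dirs)" "$(fakeroot gpgconf --list-dirs)"
}

# Run on the constructed samples; a mismatch means the signing step will not
# reach the agent that holds the unlocked key.
compare_agent_sockets "$SAMPLE_TERMINAL" "$SAMPLE_MAKEPKG" || true
```

Call live_check on a real system, once before and once after exporting GNUPGHOME as in the workaround, to see whether both contexts resolve the same socket.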

#16 2016-07-07 20:44:59

0strodamus
Member
Registered: 2014-01-22
Posts: 92

Re: makepkg --sign and gpg-agent issue

I can confirm that your work-around works here too. Thanks for sharing!

I compiled gpa with the commit that Werner mentioned on the gnupg mailing list and the gpa issues are resolved. Unfortunately, gpa now causes gpg-connect-agent and gpgconf to generate "Libgcrypt warning: missing initialization" errors at launch, but at least everything seems to be working ok.


archlinux | OpenRC | TOMOYO Linux | Xfce

"In his house at R'lyeh dead Cthulhu waits dreaming."

Offline
