From: Michael Weber <xmw@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] repoman commit unexpectedly drops FEATURES="sign" on error
Date: Thu, 20 Jun 2013 08:39:50 +0200
Message-ID: <51C2A3B6.2000506@gentoo.org>
In-Reply-To: <51C27699.8090600@gentoo.org>

On 06/20/2013 05:27 AM, Zac Medico wrote:
> On 06/19/2013 08:25 PM, Zac Medico wrote:
>> On 06/19/2013 07:59 PM, "Paweł Hajdan, Jr." wrote:
>>> I was surprised by repoman just dropping FEATURES="sign". I'm aware
>>> that at that time it has to commit an updated Manifest to prevent
>>> breakages, so if gpg fails it proceeds, but is there something it could
>>> do to check gpg sanity before committing anything?
Failing at the password prompt (two chances on regular pinentry) also
results in this behaviour.

>> It seems the simplest way to go would be to do a test signature before
>> commit, as suggested here:
>>
>> https://bugs.gentoo.org/show_bug.cgi?id=298605
>>
>> Is it okay to assume that everyone uses gpg-agent, so they won't have to
>> enter the passphrase more than once?
I have a remote (ssh) test-box to work on the tree, I don't want to
cache my decrypted key there.
Having the crypted version there is bad enough, but GPG_AGENT protocol
only exchanges passwords (unlike SSH_AGENT). GPG_AGENT forwarding over
SSH can be done with a general unix domain socket forwarding hack [1].

> Or, we could skip the test signature if the GPG_AGENT_INFO variable is
> not set?
It's a clue, but the key-cache can be expired and a bad password entry
can still result in failure.

[1] http://25thandclement.com/~william/projects/streamlocal.html


-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>
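
The test-signature idea from this thread, as an added example that is not part of the original message and is not repoman's code: sign a throwaway payload before anything is committed, and stop if that fails instead of continuing unsigned. The names `preflight_signature`, `guarded_commit` and the stub signers are hypothetical, and calling the signer as `gpg --clearsign` with the payload on stdin is an assumption.

```python
import subprocess
import sys

# Assumption: gpg's standard --clearsign mode, payload on stdin, signature on stdout.
DEFAULT_SIGNER = ["gpg", "--clearsign"]

# Constructed stand-ins for the signer so the example runs without a key:
# one emits a signature marker, one fails like a rejected passphrase would.
STUB_OK = [sys.executable, "-c",
           "import sys; sys.stdin.read(); print('-----BEGIN PGP SIGNATURE-----')"]
STUB_FAIL = [sys.executable, "-c", "import sys; sys.exit(2)"]


def preflight_signature(signer=DEFAULT_SIGNER, timeout=120):
    """Sign a throwaway payload; return (ok, reason).

    GPG_AGENT_INFO is deliberately not consulted: an agent can be running
    with an expired cache, so only a real signature proves signing works.
    """
    try:
        proc = subprocess.run(signer, input=b"preflight test\n",
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              timeout=timeout)
    except FileNotFoundError:
        return False, "signer not found"
    except subprocess.TimeoutExpired:
        return False, "signer timed out"
    if proc.returncode != 0:
        return False, "signer exited with status %d" % proc.returncode
    if b"BEGIN PGP SIGNATURE" not in proc.stdout:
        return False, "signer produced no signature"
    return True, "ok"


def guarded_commit(features, do_commit, signer=DEFAULT_SIGNER):
    """Call do_commit() only if signing is not requested or the preflight passed."""
    if "sign" in features.split():
        ok, reason = preflight_signature(signer)
        if not ok:
            # Fail closed: nothing has been committed yet, so stop here
            # instead of continuing without the signature.
            return False, "aborted before commit: " + reason
    do_commit()
    return True, "committed"


if __name__ == "__main__":
    for name, stub in (("working signer", STUB_OK), ("failing signer", STUB_FAIL)):
        print(name, "->", guarded_commit("sign", lambda: None, signer=stub))
```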

