public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] can't gpg sign with repoman, but can with git
@ 2017-07-19 19:24 Paweł Hajdan, Jr.
  2017-07-19 19:43 ` Andrew Savchenko
  2017-07-20  9:38 ` Kristian Fiskerstrand
From: Paweł Hajdan, Jr. @ 2017-07-19 19:24 UTC (permalink / raw)
  To: gentoo-dev



Hey folks,

This is mysterious, and likely some issue with my setup, although it
used to work.

Trying to commit with repoman commit (app-portage/repoman version 2.3.1)
results in the following:

* 4 files being committed...
error: gpg failed to sign the data
fatal: failed to write commit object
!!! Exiting on git (shell) error code: 128

However, committing directly with git commit works (and asks for gpg
passphrase).

In .git/config I have the following:

[user]
	signingkey = 0x4F1A2555EA71991D
[commit]
	gpgsign = 1
[push]
	gpgsign = 1

In /etc/make.conf I have:

PORTAGE_GPG_KEY="0x4F1A2555EA71991D"

In ~/.gnupg/gpg-agent.conf I have the following:

pinentry-program /usr/bin/pinentry

eselect pinentry show prints pinentry-gnome3

I'm using app-crypt/gnupg-2.1.20-r1, last updated May 24.

Interestingly, I recently (July 17) re-emerged
app-crypt/pinentry-0.9.7-r1, probably changing some USE flags. It may
have been broken before that anyway, I don't remember now.

Most of all, I'm interested how to get more debug info from repoman than
it currently shows me.

Any other insights would be welcome. Please let me know if you need any
other info.

Paweł



* Re: [gentoo-dev] can't gpg sign with repoman, but can with git
  2017-07-19 19:24 [gentoo-dev] can't gpg sign with repoman, but can with git Paweł Hajdan, Jr.
@ 2017-07-19 19:43 ` Andrew Savchenko
  2017-07-19 19:57   ` Joshua Kinard
  2017-07-20  9:38 ` Kristian Fiskerstrand
From: Andrew Savchenko @ 2017-07-19 19:43 UTC (permalink / raw)
  To: gentoo-dev


On Wed, 19 Jul 2017 21:24:49 +0200 Paweł Hajdan, Jr. wrote:
> Hey folks,
> 
> This is mysterious, and likely some issue with my setup, although it
> used to work.
> 
> Trying to commit with repoman commit (app-portage/repoman version 2.3.1)
> results in the following:
> 
> * 4 files being committed...
> error: gpg failed to sign the data
> fatal: failed to write commit object
> !!! Exiting on git (shell) error code: 128
> 
> However, committing directly with git commit works (and asks for gpg
> passphrase).
> 
> In .git/config I have the following:
> 
> [user]
> 	signingkey = 0x4F1A2555EA71991D
> [commit]
> 	gpgsign = 1
> [push]
> 	gpgsign = 1
> 
> In /etc/make.conf I have:
> 
> PORTAGE_GPG_KEY="0x4F1A2555EA71991D"
> 
> In ~/.gnupg/gpg-agent.conf I have the following:
> 
> pinentry-program /usr/bin/pinentry
> 
> eselect pinentry show prints pinentry-gnome3
> 
> I'm using app-crypt/gnupg-2.1.20-r1, last updated May 24.
> 
> Interestingly, I recently (July 17) re-emerged
> app-crypt/pinentry-0.9.7-r1, probably changing some USE flags. It may
> have been broken before that anyway, I don't remember now.
> 
> Most of all, I'm interested how to get more debug info from repoman than
> it currently shows me.
> 
> Any other insights would be welcome. Please let me know if you need any
> other info.

Try to see with strace what is going on. When some weird stuff
happens this is what I usually do.

Also try to switch pinentry to other implementations (ncurses, qt).
Make sure that GPG_TTY is set in your shell.

Best regards,
Andrew Savchenko


* Re: [gentoo-dev] can't gpg sign with repoman, but can with git
  2017-07-19 19:43 ` Andrew Savchenko
@ 2017-07-19 19:57   ` Joshua Kinard
  2017-07-19 21:44     ` Mart Raudsepp
From: Joshua Kinard @ 2017-07-19 19:57 UTC (permalink / raw)
  To: gentoo-dev

On 07/19/2017 15:43, Andrew Savchenko wrote:
> On Wed, 19 Jul 2017 21:24:49 +0200 Paweł Hajdan, Jr. wrote:
>> Hey folks,
>>
>> This is mysterious, and likely some issue with my setup, although it
>> used to work.
>>
>> Trying to commit with repoman commit (app-portage/repoman version 2.3.1)
>> results in the following:
>>
>> * 4 files being committed...
>> error: gpg failed to sign the data
>> fatal: failed to write commit object
>> !!! Exiting on git (shell) error code: 128
>>

[snip]
> 
[snip]

> Make sure that GPG_TTY is set in your shell.

^^^--- This is likely the issue.

Add:
    export GPG_TTY=`tty`

To your ~/.bash_profile (or wherever you put your PORTAGE_GPG_KEY value), and
that should solve the issue.  I got bit by this once, and spent a while
convincing Google that I'm not a robot to get that answer.

-- 
Joshua Kinard
Gentoo/MIPS
kumba@gentoo.org
6144R/F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us.  And our
lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic



* Re: [gentoo-dev] can't gpg sign with repoman, but can with git
  2017-07-19 19:57   ` Joshua Kinard
@ 2017-07-19 21:44     ` Mart Raudsepp
  2017-07-20  5:49       ` Andrew Savchenko
From: Mart Raudsepp @ 2017-07-19 21:44 UTC (permalink / raw)
  To: gentoo-dev

On a fine day, Wed, 19.07.2017 at 15:57, Joshua Kinard wrote:
> On 07/19/2017 15:43, Andrew Savchenko wrote:
> > On Wed, 19 Jul 2017 21:24:49 +0200 Paweł Hajdan, Jr. wrote:
> > > Hey folks,
> > > 
> > > This is mysterious, and likely some issue with my setup, although
> > > it
> > > used to work.
> > > 
> > > Trying to commit with repoman commit (app-portage/repoman version
> > > 2.3.1)
> > > results in the following:
> > > 
> > > * 4 files being committed...
> > > error: gpg failed to sign the data
> > > fatal: failed to write commit object
> > > !!! Exiting on git (shell) error code: 128
> > > 
> 
> [snip]
> > 
> 
> [snip]
> 
> > Make sure that GPG_TTY is set in your shell.
> 
> ^^^--- This is likely the issue.
> 
> Add:
>     export GPG_TTY=`tty`
> 
> To your ~/.bash_profile (or wherever you put your PORTAGE_GPG_KEY
> value), and
> that should solve the issue.  I got bit by this once, and spent a
> while
> convincing Google that I'm not a robot to get that answer.

Sounds like a workaround, and yes, I know it's been suggested before,
including to me.
Some pinentry issues imho if GPG_TTY makes it work, at least it was
when I hit that half a year ago with this suggested as a solution. It's
not a solution, it's a workaround, as users need to do something.

FWIW, I don't have GPG_TTY set at all and things work fine, but I'm on
pinentry-gnome3
I think pinentry-curses and pinentry-tty might have had such trouble
that need GPG_TTY stuff.


Mart



* Re: [gentoo-dev] can't gpg sign with repoman, but can with git
  2017-07-19 21:44     ` Mart Raudsepp
@ 2017-07-20  5:49       ` Andrew Savchenko
  2017-07-20  8:16         ` Kristian Fiskerstrand
From: Andrew Savchenko @ 2017-07-20  5:49 UTC (permalink / raw)
  To: gentoo-dev


On Thu, 20 Jul 2017 00:44:12 +0300 Mart Raudsepp wrote:
> On a fine day, Wed, 19.07.2017 at 15:57, Joshua Kinard wrote:
> > On 07/19/2017 15:43, Andrew Savchenko wrote:
> > > On Wed, 19 Jul 2017 21:24:49 +0200 Paweł Hajdan, Jr. wrote:
> > > > Hey folks,
> > > > 
> > > > This is mysterious, and likely some issue with my setup, although
> > > > it
> > > > used to work.
> > > > 
> > > > Trying to commit with repoman commit (app-portage/repoman version
> > > > 2.3.1)
> > > > results in the following:
> > > > 
> > > > * 4 files being committed...
> > > > error: gpg failed to sign the data
> > > > fatal: failed to write commit object
> > > > !!! Exiting on git (shell) error code: 128
> > > > 
> > 
> > [snip]
> > > 
> > 
> > [snip]
> > 
> > > Make sure that GPG_TTY is set in your shell.
> > 
> > ^^^--- This is likely the issue.
> > 
> > Add:
> >     export GPG_TTY=`tty`
> > 
> > To your ~/.bash_profile (or wherever you put your PORTAGE_GPG_KEY
> > value), and
> > that should solve the issue.  I got bit by this once, and spent a
> > while
> > convincing Google that I'm not a robot to get that answer.
> 
> Sounds like a workaround, and yes, I know it's been suggested before,
> including to me.
> Some pinentry issues imho if GPG_TTY makes it work, at least it was
> when I hit that half a year ago with this suggested as a solution. It's
> not a solution, it's a workaround, as users need to do something.
> 
> FWIW, I don't have GPG_TTY set at all and things work fine, but I'm on
> pinentry-gnome3
> I think pinentry-curses and pinentry-tty might have had such trouble
> that need GPG_TTY stuff.

man gpg-agent says:

You should always add the following lines to your .bashrc or
whatever initialization file is used for all shell invocations:

         GPG_TTY=$(tty)
         export GPG_TTY

Thus there is no need to speculate if this is a workaround or if
one needs to convince Google they are not a robot. Just read the
official manual :)

Best regards,
Andrew Savchenko
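The GPG_TTY advice in Joshua's reply and in the gpg-agent manual quoted above has one edge case worth handling: `tty` prints the literal string "not a tty" (and exits non-zero) when the shell has no terminal, so an unconditional `export GPG_TTY=$(tty)` in a shell init file exports garbage for non-interactive shells (cron jobs, ssh commands, editor hooks). The following is an added example for this thread, not code from the manual or from Gentoo; it assumes a POSIX sh and, for `refresh_agent_tty`, that `gpg-connect-agent` from GnuPG 2.1+ is installed. The function names are my own.

```shell
# Added example: export GPG_TTY only when a real terminal is attached,
# and tell an already-running gpg-agent about it.

# Print the current terminal device, or fail if there is none.
# `tty` exits non-zero and prints "not a tty" when stdin is not a terminal.
gpg_tty_candidate() {
    t=$(tty 2>/dev/null) || return 1
    printf '%s\n' "$t"
}

# A usable GPG_TTY value is a non-empty path to a character device.
gpg_tty_valid() {
    [ -n "$1" ] && [ -c "$1" ]
}

# Export GPG_TTY for gpg-agent; returns 1 and leaves GPG_TTY untouched
# when the shell has no terminal, instead of exporting "not a tty".
setup_gpg_tty() {
    t=$(gpg_tty_candidate) || return 1
    gpg_tty_valid "$t" || return 1
    GPG_TTY=$t
    export GPG_TTY
}

# gpg-agent records the tty it was started from; updatestartuptty refreshes
# that record from the current GPG_TTY so a curses/tty pinentry appears here.
refresh_agent_tty() {
    gpg_tty_valid "$GPG_TTY" || return 1
    command -v gpg-connect-agent >/dev/null 2>&1 || return 1
    gpg-connect-agent updatestartuptty /bye >/dev/null
}

# Usage from ~/.bashrc (or whichever file is read by every shell):
if setup_gpg_tty; then
    refresh_agent_tty || :
fi
```

Placing this in `.bashrc` rather than `.bash_profile` matters for the same reason the manual gives: a pinentry started from a terminal spawned by a login session still needs the value in that shell, and a value inherited from an earlier login may point at a terminal that no longer exists.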


* Re: [gentoo-dev] can't gpg sign with repoman, but can with git
  2017-07-20  5:49       ` Andrew Savchenko
@ 2017-07-20  8:16         ` Kristian Fiskerstrand
  2017-07-20 11:23           ` Kristian Fiskerstrand
From: Kristian Fiskerstrand @ 2017-07-20  8:16 UTC (permalink / raw)
  To: gentoo-dev



On 07/20/2017 07:49 AM, Andrew Savchenko wrote:
> Some pinentry issues imho if GPG_TTY makes it work, at least it was
> when I hit that half a year ago with this suggested as a solution. It's
> not a solution, it's a workaround, as users need to do something.

This is a documented feature from upstream, mainly on secure systems you
want pinentry to be directed to a specific terminal and not whichever an
application calling gpg is called from, as this can also result in
information leak if a fake pinentry is used etc.

So by default, pinentry is started with the tty that gpg-agent is
started in, which can be a protected environment (even more so with the
possibility of remote gpg-agent, allowing it to run in a protected
sandbox and communicating solely over IPC)

With the graphical pinentries this is a bit different (they are less
secure by design, since they are running on a system with a GUI to begin
with..); the gnome3 one will use some DBUS funkery, whereas the gtk+ and qt
ones will be easier to debug as they rely mostly on the DISPLAY variable to
trigger. By default a curses pinentry is used as fallback (but that
requires a proper GPG_TTY, of which the proper one very much can be the
initial tty from the agent)

What I have noticed with regards to git though, but not had time to
debug, is that it seems to do something odd with regards to communicating
with the agent to begin with, and possibly spawns its own agent, at least
sufficiently confusing that for smartcard use it fails to access the card
due to locking and needs the card to be re-inserted.. with a similar
mechanism to use it outside of the git context again afterwards.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



* Re: [gentoo-dev] can't gpg sign with repoman, but can with git
  2017-07-19 19:24 [gentoo-dev] can't gpg sign with repoman, but can with git Paweł Hajdan, Jr.
  2017-07-19 19:43 ` Andrew Savchenko
@ 2017-07-20  9:38 ` Kristian Fiskerstrand
  2017-08-03  9:07   ` Paweł Hajdan, Jr.
From: Kristian Fiskerstrand @ 2017-07-20  9:38 UTC (permalink / raw)
  To: gentoo-dev, Paweł Hajdan, Jr.



On 07/19/2017 09:24 PM, Paweł Hajdan, Jr. wrote:
> * 4 files being committed...
> error: gpg failed to sign the data
> fatal: failed to write commit object
> !!! Exiting on git (shell) error code: 128

you can increase gpg-agent logging verbosity in gpg-agent.conf:
log-file /home/user/my.log
debug-level guru
... don't share the file outright, as it can contain sensitive info at
that debug level.. but it should give you a hint as to what is going on
if the request hits gpg-agent (and if not that is a point of info in itself)

fwiw, debugging this in #gentoo-crypto might be easier :)

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



* Re: [gentoo-dev] can't gpg sign with repoman, but can with git
  2017-07-20  8:16         ` Kristian Fiskerstrand
@ 2017-07-20 11:23           ` Kristian Fiskerstrand
From: Kristian Fiskerstrand @ 2017-07-20 11:23 UTC (permalink / raw)
  To: gentoo-dev



On 07/20/2017 10:16 AM, Kristian Fiskerstrand wrote:
> What I have noticed with regards to git though, but not had time to
> debug is that it seems to do something odd with regards to communicating
> with the agent to begin with, and possibly spawns an own agent, at least
> sufficiently confusing that for smartcard use it fail to access the card
> due to locking and needing to re-insert the card.. with similar
> mechanism to use it outside of git context again afterwards.

And looking into this, the issue is actually a lack of sanitation of the
--homedir parameter for gpg-agent, so "$HOME/.gnupg" and "$HOME/.gnupg/"
is treated as separate directories and as such two separate agents are
started... reported upstream... will be nice to get rid of _that_ annoyance.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
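The "two agents for one homedir" behaviour described in the message above is a canonicalisation bug: if the agent lookup is keyed on the homedir string as given, "$HOME/.gnupg" and "$HOME/.gnupg/" are different keys. The following is an added example for this thread, not gpg-agent's own code, showing in POSIX sh how such a lookup diverges and how normalising the path (trailing slashes stripped, and the directory resolved physically when it exists) collapses both spellings to one key. The function names are my own and the "one agent per distinct key" model is a simplification of what the agent does.

```shell
# Added example: canonicalise a homedir so every spelling of the same
# directory yields one lookup key.

# canon_homedir: strip trailing slashes (keeping "/" itself) and, when the
# directory exists, resolve it physically with cd -P so symlinks and "./"
# segments cannot produce a second key for the same directory.
canon_homedir() {
    d=$1
    [ -n "$d" ] || return 1
    while [ "$d" != "/" ] && [ "${d%/}" != "$d" ]; do
        d=${d%/}
    done
    if [ -d "$d" ]; then
        d=$(cd -P -- "$d" 2>/dev/null && pwd -P) || return 1
    fi
    printf '%s\n' "$d"
}

# count_distinct: number of distinct raw homedir strings among the arguments.
# In the simplified model, each distinct key is one agent that gets started.
count_distinct() {
    printf '%s\n' "$@" | sort -u | wc -l | tr -d ' '
}

# count_distinct_canonical: the same count after canonicalisation.
count_distinct_canonical() {
    for h in "$@"; do canon_homedir "$h"; done | sort -u | wc -l | tr -d ' '
}

# Demo on the two spellings from the thread: raw keys give 2, canonical give 1.
printf 'raw keys: %s  canonical keys: %s\n' \
    "$(count_distinct "$HOME/.gnupg" "$HOME/.gnupg/")" \
    "$(count_distinct_canonical "$HOME/.gnupg" "$HOME/.gnupg/")"
```

The same class of problem shows up wherever a path is used as an identity (socket directories, lock files, cache keys): compare the canonical form, not the string the caller happened to type.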



* Re: [gentoo-dev] can't gpg sign with repoman, but can with git
  2017-07-20  9:38 ` Kristian Fiskerstrand
@ 2017-08-03  9:07   ` Paweł Hajdan, Jr.
From: Paweł Hajdan, Jr. @ 2017-08-03  9:07 UTC (permalink / raw)
  To: k_f, gentoo-dev



On 20/07/2017 11:38, Kristian Fiskerstrand wrote:
> On 07/19/2017 09:24 PM, Paweł Hajdan, Jr. wrote:
>> * 4 files being committed...
>> error: gpg failed to sign the data
>> fatal: failed to write commit object
>> !!! Exiting on git (shell) error code: 128
> 
> you can increase gpg-agent logging verbosity in gpg-agent.conf:
> log-file /home/user/my.log
> debug-level guru
> ... don't share the file outright, as it can contain sensitive info at
> that debug level.. but it should give you a hint as to what is going on
> if the request hits gpg-agent (and if not that is a point of info in itself)

Thanks for the suggestion.

I did the above, but no log file was even created.

I can still successfully commit with plain git.

> fwiw, debugging this in #gentoo-crypto might be easier :)

Okay, I'll try that.

Paweł

