
keyboxd and --no-autostart option
Closed, Resolved, Public

Description

Hello.
Keyboxd broke my pipeline for verification of artifacts.
I've been using a Gitlab-CI pipeline where I'd import gpg keys present in git and verify the downloaded artifact against them. I do not need a gpg agent for that and so I use the --no-autostart option.
The approach worked until my base image changed with an upgrade of gpg. So it works with gpg (GnuPG) 2.2.40 but not with gpg (GnuPG) 2.4.3.

This version automagically creates a gnupg config with keyboxd set if the gnupg homedir does not exist, as I found in this commit.

I made a workaround in my pipeline forcing empty gnupg config using:

mkdir ~/.gnupg
touch ~/.gnupg/common.conf

Finally, I think this looks like an issue with keyboxd that does not work properly with the --no-autostart option, as I got an I/O error.

Below find the log output of the command gpg --no-autostart --import keys/tomcat-logback.keys

gpg (GnuPG) 2.4.3
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
gpg: enabled debug flags: packet filter cache memstat trust extprog
gpg: enabled compatibility flags:
gpg: directory '/root/.gnupg' created
gpg: DBG: armor-filter: control: 1
gpg: DBG: armor-filter: control: 3
gpg: armor header: Comment: Hostname:
gpg: armor header: Version: Hockeypuck 2.1.0-222-g25248d4
gpg: DBG: parse_packet(iob=1): type=6 length=269 (new_ctb) (parse.import.c.968)
gpg: DBG: parse_packet(iob=1): type=13 length=51 (new_ctb) (parse.import.c.968)
gpg: DBG: parse_packet(iob=1): type=2 length=312 (new_ctb) (parse.import.c.968)
gpg: DBG: parse_packet(iob=1): type=14 length=269 (new_ctb) (parse.import.c.968)
gpg: DBG: parse_packet(iob=1): type=2 length=287 (new_ctb) (parse.import.c.968)
gpg: DBG: armor-filter: control: 3
gpg: DBG: armor-filter: control: 2
gpg: pub  rsa2048/EEA8F6DF3031CD02 2017-11-07  Jeremy Landis (hazendaz) <jeremylandis@hotmail.com>
gpg: DBG: public key EEA8F6DF3031CD02: timestamp: 2017-11-07 02:01:52 (1510020112)
gpg: DBG: user id: Jeremy Landis (hazendaz) <jeremylandis@hotmail.com>
gpg: DBG:   sig: class: 0x13, issuer: EEA8F6DF3031CD02, timestamp: 2017-11-07 02:01:52 (1510020112), digest: 34 da
gpg: DBG:     Good signature over last key or uid!
gpg: DBG: subkey 27CCC583A83210AD: timestamp: 2017-11-07 02:01:52 (1510020112)
gpg: DBG:   sig: class: 0x18, issuer: EEA8F6DF3031CD02, timestamp: 2017-11-07 02:01:52 (1510020112), digest: 0f 69
gpg: DBG:     Good signature over last key or uid!
gpg: no keyboxd running in this session
gpg: error opening key DB: No Keybox daemon running
gpg: key EEA8F6DF3031CD02: public key not found: I/O error
gpg: error reading 'keys/tomcat-logback.keys': I/O error
gpg: import from 'keys/tomcat-logback.keys' failed: I/O error
gpg: Total number processed: 0
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=4 cached=2 good=2 bad=0
gpg: objcache: keys=0/0/0 chains=0,0..0 buckets=0/0 attic=0
gpg: objcache: uids=0/0/0 chains=0,0..0 buckets=0/0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks

Details

Version
2.4.3

Event Timeline

ikloecker claimed this task.
ikloecker added a subscriber: ikloecker.

I think you should simply use gpgv for verifying signatures. gpgv exists for exactly this use case. You don't even have to import anything because you can directly pass a keyring to gpgv.

Hi, thanks for the prompt response. I have just a bunch of public keys I want to verify against. They have the form of
-----BEGIN PGP PUBLIC KEY BLOCK-----. If I try using the key file as a keyring I get an error.

# gpgv -vvvv --keyring ../ecs.keys jul-ecs-formatter-1.5.0.jar.asc jul-ecs-formatter-1.5.0.jar
gpgv: armor: BEGIN PGP SIGNATURE
# off=0 ctb=89 tag=2 hlen=3 plen=307
:signature packet: algo 1, keyid D27D666CD88E42B4
	version 4, created 1661068344, md5len 0, sigclass 0x00
	digest algo 10, begin of digest cb cd
	hashed subpkt 33 len 21 (issuer fpr v4 46095ACC8548582C1A2699A9D27D666CD88E42B4)
	hashed subpkt 2 len 4 (sig created 2022-08-21)
	subpkt 16 len 8 (issuer key ID D27D666CD88E42B4)
	data: [2048 bits]
gpgv: Signature made Sun Aug 21 07:52:24 2022 UTC
gpgv:                using RSA key 46095ACC8548582C1A2699A9D27D666CD88E42B4
gpgv: [don't know]: invalid packet (ctb=2d)
gpgv: keydb_search failed: Invalid packet
gpgv: [don't know]: invalid packet (ctb=2d)
gpgv: keydb_search failed: Invalid packet
gpgv: Can't check signature: No public key
gpgv --help
gpgv (GnuPG) 2.4.3
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
(...)

The gpg with key imported is ok.

# gpg --verify jul-ecs-formatter-1.5.0.jar.asc jul-ecs-formatter-1.5.0.jar
gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
gpg: Signature made Sun Aug 21 07:52:24 2022 UTC
gpg:                using RSA key 46095ACC8548582C1A2699A9D27D666CD88E42B4
gpg: Good signature from "Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4609 5ACC 8548 582C 1A26  99A9 D27D 666C D88E 42B4

gpgv might not support ASCII armored key files. Try with a binary key file.

Thank you, that worked. A pity gpgv can't read from an fd using process substitution.

7b7e16ae923d:/data/loglib# gpgv --keyring <(gpg -o - --dearmor ../ecs.keys) jul-ecs-formatter-1.5.0.jar.asc jul-ecs-formatter-1.5.0.jar
gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
gpgv: Signature made Sun Aug 21 07:52:24 2022 UTC
gpgv:                using RSA key 46095ACC8548582C1A2699A9D27D666CD88E42B4
gpgv: Can't check signature: No public key

But I had two steps even before, so this could work.

7b7e16ae923d:/data/loglib# gpgv --keyring ../ecs.keys.gpg jul-ecs-formatter-1.5.0.jar.asc jul-ecs-formatter-1.5.0.jar
gpgv: Signature made Sun Aug 21 07:52:24 2022 UTC
gpgv:                using RSA key 46095ACC8548582C1A2699A9D27D666CD88E42B4
gpgv: Good signature from "Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>"
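A CI verification step built on the thread's conclusion, as an added example that is not part of the original report or of GnuPG: it detects whether a key file is still ASCII-armored (the "invalid packet (ctb=2d)" above is gpgv reading the leading '-' of "-----BEGIN" as a packet header), dearmors it to a regular file when needed, and verifies with gpgv, so neither gpg-agent nor keyboxd is involved. The helper names, the ".gpg" output name and the artifact paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from GnuPG.
# Usage: verify_artifact KEYFILE ARTIFACT.asc ARTIFACT
set -eu

# gpgv only reads binary keyrings. An armored key file starts with "-----BEGIN",
# and 0x2d is '-': exactly the ctb=2d that gpgv rejected in the thread.
# Returns 0 when the first byte is not '-' (i.e. the file looks binary).
keyring_is_binary() {
    first=$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ -s "$1" ] && [ "$first" != "2d" ]
}

# Print the path of a binary keyring for the given key file, dearmoring it to
# KEYFILE.gpg if necessary. gpg --dearmor is a plain filter: it needs no agent
# and never opens the key database, so keyboxd is not consulted. The result is
# written to disk because gpgv could not use the process-substitution fd above.
binary_keyring() {
    src=$1
    if keyring_is_binary "$src"; then
        out=$src
    else
        out="$src.gpg"            # e.g. ../ecs.keys -> ../ecs.keys.gpg
        gpg --batch --yes -o "$out" --dearmor "$src"
    fi
    # gpgv treats a --keyring name without a slash as relative to the GnuPG
    # homedir, so force a path that is relative to the working directory.
    case $out in
        */*) ;;
        *)   out="./$out" ;;
    esac
    printf '%s\n' "$out"
}

# Verify a detached signature; gpgv exits non-zero on a bad or unknown signature,
# which fails the pipeline step under set -e.
verify_artifact() {
    keyring=$(binary_keyring "$1")
    gpgv --keyring "$keyring" "$2" "$3"
}
```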