
GPGME invocation by cri-o hangs on gpgme_op_verify
Open, Needs Triage (Public)

Description

Using CRI-O v1.31 or v1.32 and GPGME version 1.23.2, we are experiencing hangs in GPGME when doing image signature verification as part of the container create. At times all works as expected, but more than half of the time a failure occurs on one of the 4 static pods (containers) that are created. During bring-up, the 4 static pods are started at more or less the same time, hence the signature validations also occur at more or less the same time.

I captured a GPGME DEBUG trace of the failure. In this trace (in which sensitive information has been redacted), it is the kube-controller-manager that hung. (2025-05-19 20:16:36 gpgme[21970.55eb])

The gpg-agent is started with gpg-agent --homedir /tmp/containers-ephemeral-gpg-20607231 --use-standard-socket --daemon, and I see in the trace where gpg is invoked and the signature validation completes, but then I see continuous polling of the file descriptors, and nothing happens. GPG at this point has terminated, so I don't understand why GPGME continues to poll (in fact it has been polling now for hours). Control is not returned to CRI-O, and the end result is that the control-plane activation fails.

CRI-O is using the GPGME (golang) package to interface with GPGME. I have an issue open with CRI-O with some questions regarding their use of GPGME, to which they have not yet responded. ( https://github.com/cri-o/cri-o/issues/8906 )

I am hopeful that you may find something in the trace that would show the cause of the problem. It is bothersome to me that the gpg process has terminated after verifying the signature, yet GPGME does not seem to recognize this, and continues to poll.

Details

External Link
https://github.com/cri-o/cri-o/issues/8906
Version
1.23.2