Mailing List Archive

Gentoo's Portage: Best ways to keep binary package signing key unlocked?
Hi all,

In order to allow users to verify binary packages Gentoo's portage
offers the option to sign any generated binary packages after
installation. For this to work the configured signing key is unlocked
once before a job starts, and it should then remain unlocked until
portage completes the job.

Currently the way this is accomplished involves periodically signing
/dev/null, code snippet below:

    # Build the "unlock" command from the generic signing command: signing
    # /dev/null with the configured key forces gpg-agent to prompt for the
    # passphrase once, so later real signatures find the key cached.
    self.GPG_unlock_command = self.GPG_signing_base_command.replace(
        "[PORTAGE_CONFIG]",
        f"--homedir {self.signing_gpg_home} "
        f"--digest-algo {self.digest_algo} "
        f"--local-user {self.signing_gpg_key} "
        "--output - /dev/null",
    )

Recently we fixed a bug[1][2] in this code that caused /dev/null to be
removed if GnuPG failed to unlock the key. This however prompted the
question if there is not a more elegant way to do this.

Signing /dev/null feels like more of a hack than an actual solution to
keeping the key unlocked until portage finishes. Therefore I would like
to ask you if you have any better ideas to do this?

Best regards,
Andrew


[1] https://bugs.gentoo.org/912808
[2] https://github.com/gentoo/portage/commit/9d278330839049a818ba9f1e3985c7e502c63451

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Gentoo's Portage: Best ways to keep binary package signing key unlocked?
On Wed, 30 Aug 2023 11:54, Andrew Ammerlaan said:

> Signing /dev/null feels like more of a hack than an actual solution to
> keeping the key unlocked until portage finishes. Therefore I would
> like to ask you if you have any better ideas to do this?

Don't use a passphrase or better use remote signing from your desktop
and not on a server. See wiki.gnupg.org on how to use a remote
gpg-agent.

Another option is to use gpg-preset-passphrase (installed to
libexec). Use

gpg -K --with-keygrip YOURSIGNINGKEY

to find the keygrip; then use

gpg-preset-passphrase --preset KEYGRIP

and enter the passphrase followed by a LF (or provide to stdin). This
puts the passphrase into gpg-agent's cache with no timeout. The --forget
option might not work right now, thus you had better use

gpgconf --reload gpg-agent

to flush gpg-agent's cache.


Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
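The following script is an added example, not code from the thread or from portage, and automates the gpg-preset-passphrase procedure described in the reply above: look up the keygrip of the signing key, hand the passphrase to gpg-agent with no timeout, and flush the cache when the job is done. It assumes GnuPG 2.2 or later (for `gpgconf --list-dirs libexecdir` and the colon-format keygrip records) and that gpg-agent.conf contains `allow-preset-passphrase`, which gpg-agent requires before it accepts presets. The key listing embedded at the top is a constructed sample with placeholder key ids, fingerprints and keygrips, used only so the parsing function can be exercised without a keyring.

```shell
#!/bin/sh
# Added example (not from the thread or from portage). Assumes GnuPG >= 2.2.

# Constructed sample of `gpg -K --with-keygrip --with-colons` output for a
# certify-only primary key, an encryption subkey and a signing subkey.
# Key ids, fingerprints and keygrips are made-up placeholders.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1693000000:::u:::cSCE:::+:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1693000000::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>::::::::::0:
ssb:u:4096:1:1111222233334444:1693000000::::::e:::+:::23:
fpr:::::::::0000000000000000000000001111222233334444:
grp:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
ssb:u:4096:1:FEDCBA9876543210:1693000000::::::s:::+:::23:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:'

# Print the keygrip of the first signing-capable (sub)key in a colon-format
# listing read from stdin. Field 12 of a sec/ssb record holds the capability
# letters; a lowercase "s" means this particular key can sign. Field 10 of
# the following "grp" record is that key's keygrip. Prints nothing if no key
# in the listing can sign.
signing_keygrip() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" { want = (index($12, "s") > 0) }
        $1 == "grp" && want        { print $10; exit }
    '
}

# Same lookup against the real local keyring; $1 is whatever selector you
# would give gpg (key id, fingerprint or user id).
signing_keygrip_for() {
    gpg --batch -K --with-keygrip --with-colons "$1" | signing_keygrip
}

# Cache the signing key's passphrase in gpg-agent with no timeout. The
# passphrase is read from stdin as one LF-terminated line, exactly as
# gpg-preset-passphrase expects. The helper is not on PATH; it lives in
# GnuPG's libexec directory, which gpgconf can report.
preset_signing_passphrase() {
    grip=$(signing_keygrip_for "$1") || return 1
    if [ -z "$grip" ]; then
        echo "no signing-capable key found for $1" >&2
        return 1
    fi
    helper="$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase"
    "$helper" --preset "$grip"
}

# Drop everything gpg-agent has cached once the job is done. Reloading the
# agent flushes its whole cache, which is the fallback the reply recommends
# over the --forget option.
flush_agent_cache() {
    gpgconf --reload gpg-agent
}

# Typical use around a build job (runs only when invoked explicitly):
#   printf '%s\n' "$SIGNING_PASSPHRASE" | preset_signing_passphrase signer@example.invalid
#   ... run the build that signs packages ...
#   flush_agent_cache
```

Selecting by capability rather than taking the first keygrip matters when the primary key is certify-only and signing is delegated to a subkey, which is the usual layout for a key that lives on a build host; presetting the primary key's keygrip in that case unlocks nothing useful. Flushing the cache at the end keeps the exposure window to the length of the job rather than the uptime of the agent.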
Re: Re: Gentoo's Portage: Best ways to keep binary package signing key unlocked?
Thank you, sir. You are much too kind.



> On Thursday, 31 August 2023 14:35, Werner Koch via Gnupg-users
> <gnupg-users@gnupg.org> wrote:
>
> On Wed, 30 Aug 2023 11:54, Andrew Ammerlaan said:
>
> > Signing /dev/null feels like more of a hack than an actual solution to
> > keeping the key unlocked until portage finishes. Therefore I would
> > like to ask you if you have any better ideas to do this?
>
> Don't use a passphrase or better use remote signing from your desktop
> and not on a server. See wiki.gnupg.org on how to use a remote
> gpg-agent.
>
> Another option is to use gpg-preset-passphrase (installed to
> libexec). Use
>
> gpg -K --with-keygrip YOURSIGNINGKEY
>
> to find the keygrip; then use
>
> gpg-preset-passphrase --preset KEYGRIP
>
> and enter the passphrase followed by a LF (or provide to stdin). This
> puts the passphrase into gpg-agent's cache with no timeout. The --forget
> option might not work right now, thus you had better use
>
> gpgconf --reload gpg-agent
>
> to flush gpg-agent's cache.
>
> Salam-Shalom,
>
> Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein