Gentoo Archives: gentoo-dev

From: Sam James <sam@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] pkgdev commit and gpg-agent
Date: Tue, 02 Aug 2022 00:30:26
Message-Id: 076CC590-3EC7-4F22-8C4B-A3E35C456272@gentoo.org
In Reply to: Re: [gentoo-dev] pkgdev commit and gpg-agent by Andrew Savchenko
> On 1 Aug 2022, at 17:14, Andrew Savchenko <bircoph@g.o> wrote:
>
> On Mon, 1 Aug 2022 15:49:18 +0000 (UTC) Andrey Grozin wrote:
>> Hello *,
>>
>> Sorry for a very naive question.
>>
>> In the past, I used
>> repoman commit
>> to commit a new ebuild. I got a text screen in my terminal where I typed my
>> passphrase (if I then committed something else within the timeout, I didn't
>> have to re-type it).
>>
>> Now we are recommended to use
>> pkgdev commit
>> instead. But it does not ask for my passphrase, just writes an error message
>> that it cannot sign my commit.
>>
>> If I commit something with repoman and then (within the timeout) commit
>> something else with pkgdev, it works.
>>
>> My .gnupg/gpg-agent.conf is
>>
>> pinentry-program /usr/bin/pinentry-curses
>> write-env-file
>> default-cache-ttl 1000000
>>
>> My .gnupg/gpg.conf includes the line
>>
>> use-agent
>>
>> I can, of course, continue to use repoman for committing. But now it does not
>> add the Signed-off-by: automatically. I have to add it by hand, in nano. This is
>> definitely the most convenient way.
>
> I have the same problem with pkgdev. It fails to run at
> least CLI/TUI pinentry when a password is needed. To work around it
> I sign some dummy file with `gpg -s file`, then within the cache period
> I can use it for commits using pkgdev.
>
> Cache timeout can be set in gpg-agent.conf, e.g. in seconds:
> default-cache-ttl 7200
>
> Furthermore I can't use `pkgdev push` to push my commits, because
> it fails to sign the push and the server rejects my push. I have no
> idea why, because `git push --signed` works perfectly fine.
> Regarding pushing to git (I mean the git push process, not various
> checks), pkgdev should do the same as `git push --signed`, but it
> apparently does not.

git push --signed is of course going to work because you're explicitly
telling git to.

I suspect you need to run:
git config --local push.gpgsign 1

You can probably set it per-remote if desired.

>
> And last but not least, pkgdev has some problem I could not
> precisely identify that makes gpg socket forwarding unusable, so I
> can't forward nitrokey from another host. Plain gpg usually works.

You can do:
GIT_TRACE=1 pkgdev commit ...
to see exactly which gpg command is being run, then run that
manually and debug it.

>
> Best regards,
> Andrew Savchenko
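The following script is an added example and is not code from this thread, from pkgdev or from Gentoo. It pulls together the things the exchange touches so they can be checked from a shell before blaming pkgdev: what gpg-agent.conf actually sets, whether a curses pinentry has a terminal to open, what git's push.gpgsign is set to, and which gpg command line a GIT_TRACE=1 run reveals. Assumptions that are mine rather than the thread's: the agent config lives at $GNUPGHOME/gpg-agent.conf (defaulting to ~/.gnupg), the GIT_TRACE line format used in the comments is a constructed sample, and the GPG_TTY reasoning is the general GnuPG rule that a program driving gpg over pipes (as git does) leaves gpg unable to find the terminal on its own.

```sh
#!/bin/sh
# Added example, not from the thread, pkgdev or Gentoo.
# Audits the local pieces needed before `pkgdev commit` / `pkgdev push`
# can sign without an interactive prompt failing.

# Print the value of an option in gpg-agent.conf (first match); options
# that take no value, such as write-env-file, print nothing.
# Usage: agent_conf_get ~/.gnupg/gpg-agent.conf pinentry-program
agent_conf_get() {
    conf=$1; opt=$2
    [ -r "$conf" ] || return 1
    sed -n "s/^[[:space:]]*$opt[[:space:]]\{1,\}\(.*\)$/\1/p" "$conf" | head -n 1
}

# git hands the data to gpg over a pipe, so gpg cannot discover the terminal
# itself; pinentry-curses/pinentry-tty then depend on GPG_TTY being exported
# by the calling shell (typically `export GPG_TTY=$(tty)`).
gpg_tty_ok() {
    [ -n "${GPG_TTY:-}" ]
}

# Normalise git's push.gpgsign value, which accepts a boolean or "if-asked".
# Prints "on", "off", "if-asked" or "unknown"; an unset value means off.
push_gpgsign_mode() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|true|yes|on)     echo on ;;
        if-asked)          echo if-asked ;;
        ""|0|false|no|off) echo off ;;
        *)                 echo unknown ;;
    esac
}

# Extract the gpg invocation from a saved GIT_TRACE=1 log so it can be
# re-run by hand. Constructed sample of such a line:
#   22:30:00.000000 run-command.c:667 trace: run_command: gpg --status-fd=2 -bsau KEYID
gpg_command_from_trace() {
    sed -n 's/^.*trace: run_command: //p' "$1" | grep '^gpg' | head -n 1
}

main() {
    conf=${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf
    echo "pinentry-program: $(agent_conf_get "$conf" pinentry-program || echo '<no conf>')"
    echo "default-cache-ttl: $(agent_conf_get "$conf" default-cache-ttl)"
    if gpg_tty_ok; then
        echo "GPG_TTY set: $GPG_TTY"
    else
        echo "GPG_TTY unset: a curses/tty pinentry started via git will fail"
    fi
    echo "push.gpgsign: $(push_gpgsign_mode "$(git config --get push.gpgsign 2>/dev/null)")"
    if [ -n "${1:-}" ]; then
        echo "gpg command from trace: $(gpg_command_from_trace "$1")"
    fi
}

# Run with an optional trace log: GIT_TRACE=1 pkgdev commit ... 2>trace.log; ./check.sh trace.log
[ "${SIGNING_CHECK_NO_MAIN:-}" = 1 ] || main "$@"
```

Run it once with GPG_TTY unset and once after `export GPG_TTY=$(tty)` to see the difference a curses pinentry is sensitive to; the push.gpgsign line reflects `git config --local push.gpgsign 1` once that has been applied in the repository.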

Attachments: signature.asc (application/pgp-signature)