Re: [gentoo-dev] pkgdev commit and gpg-agent

2022-08-02 Thread Andrey Grozin

On Mon, 1 Aug 2022, Andrew Savchenko wrote:

> I have the same problem with pkgdev. It fails to run at
> least CLI/TUI pinentry when password is needed. To workaround
> I sign some dummy file with `gpg -s file`, then within cache period
> I can use it for commits using pkgdev.

Thank you, this workaround works.

Andrey



Re: [gentoo-dev] pkgdev commit and gpg-agent

2022-08-01 Thread Sam James


> On 1 Aug 2022, at 17:14, Andrew Savchenko wrote:
> 
> On Mon, 1 Aug 2022 15:49:18 + (UTC) Andrey Grozin wrote:
>> Hello *,
>> 
>> Sorry for a very naive question.
>> 
>> In the past, I used
>> repoman commit
>> to commit a new ebuild. I got a text screen in my terminal where I typed my
>> passphrase (if I then committed something else within the timeout, I didn't
>> have to re-type it).
>> 
>> Now we are recommended to use
>> pkgdev commit
>> instead. But it does not ask for my passphrase, just writes an error message
>> that it cannot sign my commit.
>> 
>> If I commit something with repoman and then (within the timeout) commit
>> something else with pkgdev, it works.
>> 
>> My .gnupg/gpg-agent.conf is
>> 
>> pinentry-program /usr/bin/pinentry-curses
>> write-env-file
>> default-cache-ttl 100
>> 
>> My .gnupg/gpg.conf includes the line
>> 
>> use-agent
>> 
>> I can, of course, continue to use repoman for committing. But now it does not
>> add the Signed-off-by: automatically. I have to add it by hand, in nano. This is
>> definitely the most convenient way.
> 
> I have the same problem with pkgdev. It fails to run at
> least CLI/TUI pinentry when password is needed. To workaround
> I sign some dummy file with `gpg -s file`, then within cache period
> I can use it for commits using pkgdev.
> 
> Cache timeout can be set in gpg-agent.conf, e.g. in seconds:
> default-cache-ttl 7200
> 
> Furthermore I can't use `pkgdev push` to push my commits, because
> it fails to sign the push and the server rejects my push. I have no
> idea why, because `git push --signed` works perfectly fine.
> Regarding pushing to git (I mean git push process, not various
> checks), pkgdev should do the same as `git push --signed`, but it
> apparently does not.

git push --signed is of course going to work because you're explicitly
telling git to.

I suspect you need to run:
git config --local push.gpgsign 1

You can probably set it per-remote if desired.

> 
> And last but not the least pkgdev has some problem I could not
> precisely identify that makes gpg socket forwarding unusable, so I
> can't forward nitrokey from another host. Plain gpg usually works.

You can do:
GIT_TRACE=1 pkgdev commit ...
to see exactly which gpg command is being run, then run that
manually and debug it.

> 
> Best regards,
> Andrew Savchenko





Re: [gentoo-dev] pkgdev commit and gpg-agent

2022-08-01 Thread Sam James


> On 1 Aug 2022, at 16:49, Andrey Grozin wrote:
> 
> Hello *,
> 
> Sorry for a very naive question.
> 
> In the past, I used
> repoman commit
> to commit a new ebuild. I got a text screen in my terminal where I typed my
> passphrase (if I then committed something else within the timeout, I didn't
> have to re-type it).
> 
> Now we are recommended to use
> pkgdev commit
> instead. But it does not ask for my passphrase, just writes an error message
> that it cannot sign my commit.
> 
> If I commit something with repoman and then (within the timeout) commit
> something else with pkgdev, it works.
> 

See https://wiki.gentoo.org/wiki/Pkgdev#git_signing_errors.

My guess is that repoman is picking up the right key but pkgdev, because
it just asks git, isn't.

repoman would use a configuration option in make.conf while pkgdev does not.

> 
> Thanks in advance,
> Andrey
> 


Best,
sam




Re: [gentoo-dev] pkgdev commit and gpg-agent

2022-08-01 Thread Alec Warner
On Mon, Aug 1, 2022 at 8:49 AM Andrey Grozin wrote:
>
> Hello *,

Hi!

>
> Sorry for a very naive question.
>
> In the past, I used
> repoman commit
> to commit a new ebuild. I got a text screen in my terminal where I typed my
> passphrase (if I then committed something else within the timeout, I didn't
> have to re-type it).
>
> Now we are recommended to use
> pkgdev commit
> instead. But it does not ask for my passphrase, just writes an error message
> that it cannot sign my commit.

Can you please provide the error message? The rest is us guessing.

For example, with gpg I have problems unless I set GPG_TTY=$(tty) in
my .bashrc; if you run man gpg-agent you see a blurb about this being
'required' but it worked fine for years until it did not...I suspect
it is quite environment dependent.

-A

>
> If I commit something with repoman and then (within the timeout) commit
> something else with pkgdev, it works.
>
> My .gnupg/gpg-agent.conf is
>
> pinentry-program /usr/bin/pinentry-curses
> write-env-file
> default-cache-ttl 100
>
> My .gnupg/gpg.conf includes the line
>
> use-agent
>
> I can, of course, continue to use repoman for committing. But now it does not
> add the Signed-off-by: automatically. I have to add it by hand, in nano. This is
> definitely the most convenient way.
>
> Thanks in advance,
> Andrey
>



Re: [gentoo-dev] pkgdev commit and gpg-agent

2022-08-01 Thread Andrew Savchenko
On Mon, 1 Aug 2022 15:49:18 + (UTC) Andrey Grozin wrote:
> Hello *,
> 
> Sorry for a very naive question.
> 
> In the past, I used
> repoman commit
> to commit a new ebuild. I got a text screen in my terminal where I typed my
> passphrase (if I then committed something else within the timeout, I didn't
> have to re-type it).
> 
> Now we are recommended to use
> pkgdev commit
> instead. But it does not ask for my passphrase, just writes an error message
> that it cannot sign my commit.
> 
> If I commit something with repoman and then (within the timeout) commit
> something else with pkgdev, it works.
> 
> My .gnupg/gpg-agent.conf is
> 
> pinentry-program /usr/bin/pinentry-curses
> write-env-file
> default-cache-ttl 100
> 
> My .gnupg/gpg.conf includes the line
> 
> use-agent
> 
> I can, of course, continue to use repoman for committing. But now it does not
> add the Signed-off-by: automatically. I have to add it by hand, in nano. This is
> definitely the most convenient way.

I have the same problem with pkgdev. It fails to run at
least CLI/TUI pinentry when password is needed. To workaround
I sign some dummy file with `gpg -s file`, then within cache period
I can use it for commits using pkgdev.

Cache timeout can be set in gpg-agent.conf, e.g. in seconds:
default-cache-ttl 7200

Furthermore I can't use `pkgdev push` to push my commits, because
it fails to sign the push and the server rejects my push. I have no
idea why, because `git push --signed` works perfectly fine.
Regarding pushing to git (I mean git push process, not various
checks), pkgdev should do the same as `git push --signed`, but it
apparently does not.

And last but not the least pkgdev has some problem I could not
precisely identify that makes gpg socket forwarding unusable, so I
can't forward nitrokey from another host. Plain gpg usually works.

Best regards,
Andrew Savchenko
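
Added example, not part of any message in this thread: a read-only shell preflight that reports the settings the replies point at (GPG_TTY, pinentry-program and default-cache-ttl in gpg-agent.conf, and git's push.gpgsign). The function names and the default config path under ~/.gnupg are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only preflight for the commit/push signing setup.

# Print the value of the first KEY line in a gpg-agent.conf-style FILE
# (this example does not model repeated options).
agent_conf_value() {
    [ -r "$1" ] || return 0
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# "ok" when GPG_TTY names a character device; gpg-agent(1) asks for
# GPG_TTY=$(tty) so that a curses pinentry knows where to draw its prompt.
gpg_tty_status() {
    if [ -z "${GPG_TTY:-}" ]; then echo "unset"
    elif [ ! -c "$GPG_TTY" ]; then echo "not-a-device"
    else echo "ok"
    fi
}

# Is the pinentry named in FILE present and executable?
pinentry_status() {
    prog=$(agent_conf_value "$1" pinentry-program)
    if [ -z "$prog" ]; then echo "default"
    elif [ -x "$prog" ]; then echo "ok"
    else echo "not-executable"
    fi
}

# Value git would apply to pushes from the current repository.
push_sign_status() {
    val=$(git config --get push.gpgsign 2>/dev/null || true)
    echo "${val:-unset}"
}

preflight() {
    conf=$1
    echo "GPG_TTY:           $(gpg_tty_status)"
    echo "pinentry-program:  $(pinentry_status "$conf")"
    echo "default-cache-ttl: $(agent_conf_value "$conf" default-cache-ttl)"
    echo "push.gpgsign:      $(push_sign_status)"
}

preflight "${GNUPGHOME:-${HOME:-.}/.gnupg}/gpg-agent.conf"
```

Run it from inside the repository in the same shell that invokes pkgdev, so that it sees the same environment and git configuration.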

