Re: [gentoo-dev] pkgdev commit and gpg-agent

2022-08-02 Thread Andrey Grozin

On Mon, 1 Aug 2022, Andrew Savchenko wrote:

> I have the same problem with pkgdev. It fails to run at
> least CLI/TUI pinentry when password is needed. To workaround
> I sign some dummy file with `gpg -s file`, then within cache period
> I can use it for commits using pkgdev.

Thank you, this workaround works.

Andrey



Re: [gentoo-dev] pkgdev commit and gpg-agent

2022-08-01 Thread Sam James


> On 1 Aug 2022, at 17:14, Andrew Savchenko  wrote:
> 
> On Mon, 1 Aug 2022 15:49:18 + (UTC) Andrey Grozin wrote:
>> Hello *,
>> 
>> Sorry for a very naive question.
>> 
>> In the past, I used
>> repoman commit
>> to commit a new ebuild. I got a text screen in my terminal where I typed my
>> passphrase (if I then committed something else within the timeout, I didn't
>> have to re-type it).
>> 
>> Now we are recommended to use
>> pkgdev commit
>> instead. But it does not ask for my passphrase, just writes an error message
>> that it cannot sign my commit.
>> 
>> If I commit something with repoman and then (within the timeout) commit
>> something else with pkgdev, it works.
>> 
>> My .gnupg/gpg-agent.conf is
>> 
>> pinentry-program /usr/bin/pinentry-curses
>> write-env-file
>> default-cache-ttl 100
>> 
>> My .gnupg/gpg.conf includes the line
>> 
>> use-agent
>> 
>> I can, of course, continue to use repoman for committing. But now it does not
>> add the Signed-off-by: automatically. I have to add it by hand, in nano. This is
>> definitely the most convenient way.
> 
> I have the same problem with pkgdev. It fails to run at
> least CLI/TUI pinentry when password is needed. To workaround
> I sign some dummy file with `gpg -s file`, then within cache period
> I can use it for commits using pkgdev.
> 
> Cache timeout can be set in gpg-agent.conf, e.g. in seconds:
> default-cache-ttl 7200
> 
> Furthermore I can't use `pkgdev push` to push my commits, because
> it fails to sign the push and the server rejects my push. I have no
> idea why, because `git push --signed` works perfectly fine.
> Regarding pushing to git (I mean git push process, not various
> checks), pkgdev should do the same as `git push --signed`, but it
> apparently does not.

git push --signed is of course going to work because you're explicitly
telling git to.

I suspect you need to run:
git config --local push.gpgsign 1

You can probably set it per-remote if desired.

> 
> And last but not least, pkgdev has some problem I could not
> precisely identify that makes gpg socket forwarding unusable, so I
> can't forward nitrokey from another host. Plain gpg usually works.

You can do:
GIT_TRACE=1 pkgdev commit ...
to see exactly which gpg command is being run, then run that
manually and debug it.

> 
> Best regards,
> Andrew Savchenko



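The two things Sam suggests above, turned into a script. This is an added example, not code from the thread, from pkgdev or from Gentoo: it enables push signing by configuration (the effect of `git push --signed`, so that `pkgdev push` gets a signed push), runs `pkgdev commit` under `GIT_TRACE=1`, and extracts the exact gpg command git ran so it can be replayed by hand. Assumed, not stated in the thread: the current directory is the clone to configure, and git's trace lines have the form `<time> run-command.c:<line> trace: run_command: <argv...>`; the sample trace in the usage test is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from pkgdev.
# Assumed: cwd is the ebuild repo clone; git trace lines look like
#   <time> run-command.c:<line> trace: run_command: <argv...>
set -eu

# Turn on push signing for this clone only. "true" (Sam's "1") means every
# push is signed and fails if it cannot be; "if-asked" would sign only when
# the server advertises support, which hides exactly the failure being debugged.
enable_push_signing() {
    git config --local push.gpgsign true
}

# Read GIT_TRACE=1 output on stdin and print the command lines git ran whose
# program (basename) starts with "gpg", e.g. "gpg --status-fd=2 -bsau <keyid>"
# or a full path configured via gpg.program. Everything else is dropped.
gpg_commands_from_trace() {
    sed -n 's/.*trace: run_command: //p' \
      | awk '{ n = split($1, part, "/"); if (part[n] ~ /^gpg/) print }'
}

# Replay one extracted command the way git uses it: payload on stdin, detached
# armored signature on stdout. Run this interactively; pinentry, agent and
# socket-forwarding problems then surface here instead of inside pkgdev.
replay_gpg_command() {
    # $1 is split on whitespace on purpose: it is a command line, not a word.
    printf 'probe\n' | $1 >/dev/null
}

main() {
    enable_push_signing
    trace=$(mktemp)
    # pkgdev may fail (that is the point); keep going so the trace is inspected.
    GIT_TRACE=1 pkgdev commit "$@" 2>"$trace" || true
    cmds=$(gpg_commands_from_trace <"$trace")
    rm -f "$trace"
    if [ -z "$cmds" ]; then
        echo "git never ran gpg: check commit.gpgsign and user.signingkey" >&2
        exit 1
    fi
    echo "git ran:"
    echo "$cmds"
    # Replay the first one so the failure reproduces outside pkgdev.
    printf '%s\n' "$cmds" | head -n 1 | while read -r cmd; do
        replay_gpg_command "$cmd"
    done
}

# Only act when given arguments for pkgdev commit; running the file bare just
# defines the functions above.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it with whatever you would pass to `pkgdev commit`; the "git ran:" line is the command to paste back into a terminal (with the same payload on stdin) when it fails.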


Re: [gentoo-dev] pkgdev commit and gpg-agent

2022-08-01 Thread Sam James


> On 1 Aug 2022, at 16:49, Andrey Grozin  wrote:
> 
> Hello *,
> 
> Sorry for a very naive question.
> 
> In the past, I used
> repoman commit
> to commit a new ebuild. I got a text screen in my terminal where I typed my
> passphrase (if I then committed something else within the timeout, I didn't
> have to re-type it).
> 
> Now we are recommended to use
> pkgdev commit
> instead. But it does not ask for my passphrase, just writes an error message
> that it cannot sign my commit.
> 
> If I commit something with repoman and then (within the timeout) commit
> something else with pkgdev, it works.
> 

See https://wiki.gentoo.org/wiki/Pkgdev#git_signing_errors.

My guess is that repoman is picking up the right key but pkgdev, because
it just asks git, isn't.

repoman would use a configuration option in make.conf while pkgdev does not.

> 
> Thanks in advance,
> Andrey
> 


Best,
sam




Re: [gentoo-dev] pkgdev commit and gpg-agent

2022-08-01 Thread Alec Warner
On Mon, Aug 1, 2022 at 8:49 AM Andrey Grozin wrote:
>
> Hello *,

Hi!

>
> Sorry for a very naive question.
>
> In the past, I used
> repoman commit
> to commit a new ebuild. I got a text screen in my terminal where I typed my
> passphrase (if I then committed something else within the timeout, I didn't
> have to re-type it).
>
> Now we are recommended to use
> pkgdev commit
> instead. But it does not ask for my passphrase, just writes an error message
> that it cannot sign my commit.

Can you please provide the error message? The rest is us guessing.

For example, with gpg I have problems unless I set GPG_TTY=$(tty) in
my .bashrc; if you run man gpg-agent you see a blurb about this being
'required' but it worked fine for years until it did not... I suspect
it is quite environment dependent.

-A

>
> If I commit something with repoman and then (within the timeout) commit
> something else with pkgdev, it works.
>
> My .gnupg/gpg-agent.conf is
>
> pinentry-program /usr/bin/pinentry-curses
> write-env-file
> default-cache-ttl 100
>
> My .gnupg/gpg.conf includes the line
>
> use-agent
>
> I can, of course, continue to use repoman for committing. But now it does not
> add the Signed-off-by: automatically. I have to add it by hand, in nano. This is
> definitely the most convenient way.
>
> Thanks in advance,
> Andrey
>



Re: [gentoo-dev] pkgdev commit and gpg-agent

2022-08-01 Thread Andrew Savchenko
On Mon, 1 Aug 2022 15:49:18 + (UTC) Andrey Grozin wrote:
> Hello *,
> 
> Sorry for a very naive question.
> 
> In the past, I used
> repoman commit
> to commit a new ebuild. I got a text screen in my terminal where I typed my
> passphrase (if I then committed something else within the timeout, I didn't
> have to re-type it).
> 
> Now we are recommended to use
> pkgdev commit
> instead. But it does not ask for my passphrase, just writes an error message
> that it cannot sign my commit.
> 
> If I commit something with repoman and then (within the timeout) commit
> something else with pkgdev, it works.
> 
> My .gnupg/gpg-agent.conf is
> 
> pinentry-program /usr/bin/pinentry-curses
> write-env-file
> default-cache-ttl 100
> 
> My .gnupg/gpg.conf includes the line
> 
> use-agent
> 
> I can, of course, continue to use repoman for committing. But now it does not
> add the Signed-off-by: automatically. I have to add it by hand, in nano. This is
> definitely the most convenient way.

I have the same problem with pkgdev. It fails to run at
least CLI/TUI pinentry when password is needed. To workaround
I sign some dummy file with `gpg -s file`, then within cache period
I can use it for commits using pkgdev.

Cache timeout can be set in gpg-agent.conf, e.g. in seconds:
default-cache-ttl 7200

Furthermore I can't use `pkgdev push` to push my commits, because
it fails to sign the push and the server rejects my push. I have no
idea why, because `git push --signed` works perfectly fine.
Regarding pushing to git (I mean git push process, not various
checks), pkgdev should do the same as `git push --signed`, but it
apparently does not.

And last but not least, pkgdev has some problem I could not
precisely identify that makes gpg socket forwarding unusable, so I
can't forward nitrokey from another host. Plain gpg usually works.

Best regards,
Andrew Savchenko


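Andrew's workaround above (sign a throwaway file so the agent caches the passphrase, then commit within `default-cache-ttl`) and Alec's `GPG_TTY` hint from his reply, combined into one wrapper. This is an added example, not code from the thread, from pkgdev or from Gentoo. Assumed, not stated in the thread: the signing key is taken from `git config user.signingkey`, the first signing-capable (sub)key of that key is the one git uses, so its keygrip is the one to look for in the agent's cache, and the `KEYINFO --list` lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from pkgdev.
# Assumed: signing key = `git config user.signingkey`; git signs with its
# first signing-capable (sub)key, whose keygrip is checked in the agent cache.
set -eu

# Read `gpg-connect-agent 'KEYINFO --list' /bye` output on stdin and print
# the keygrips whose passphrase is currently cached. Field layout:
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# where <cached> is "1" when the passphrase is in the cache and "-" otherwise.
cached_keygrips() {
    awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# Succeed iff keygrip $1 is cached according to the KEYINFO dump in $2.
# The dump is passed in rather than fetched so the check runs without an agent.
is_cached() {
    printf '%s\n' "$2" | cached_keygrips | grep -qxF "$1"
}

# Keygrip of the first signing-capable secret (sub)key of key id $1.
# In --with-colons output, field 12 of sec/ssb records lists capabilities
# ("s" = signing) and field 10 of the following grp record is the keygrip.
keygrip_of() {
    gpg --with-colons --with-keygrip --list-secret-keys "$1" 2>/dev/null \
      | awk -F: '
          $1 == "sec" || $1 == "ssb" { want = (index($12, "s") > 0) }
          $1 == "grp" && want        { print $10; exit }
        '
}

# Andrew's trick: sign something unimportant so pinentry runs now, on this
# terminal, and the agent caches the passphrase. GPG_TTY is exported first
# because pinentry-curses needs to know which terminal to draw on.
prime_agent() {
    if [ -z "${GPG_TTY-}" ]; then
        GPG_TTY=$(tty) || { echo "no controlling tty; pinentry-curses cannot prompt" >&2; return 1; }
        export GPG_TTY
    fi
    printf '' | gpg --yes --local-user "$1" --output /dev/null --sign
}

main() {
    key=$(git config --get user.signingkey) \
        || { echo "git user.signingkey is not set" >&2; exit 1; }
    grip=$(keygrip_of "$key")
    keyinfo=$(gpg-connect-agent 'KEYINFO --list' /bye)
    if [ -z "$grip" ] || ! is_cached "$grip" "$keyinfo"; then
        prime_agent "$key"
    fi
    # GPG_TTY (if it was set above) is inherited by the gpg that git runs.
    pkgdev commit "$@"
}

# Only act when given arguments for pkgdev commit; running the file bare just
# defines the functions above.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The cache check matters because `default-cache-ttl` is counted from the last use of the key: if the passphrase is still cached, no extra signature is made and no prompt appears; if it has expired, the prompt happens in the wrapper, on a terminal that can show it, rather than inside pkgdev where it fails.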


[gentoo-dev] pkgdev commit and gpg-agent

2022-08-01 Thread Andrey Grozin

Hello *,

Sorry for a very naive question.

In the past, I used
repoman commit
to commit a new ebuild. I got a text screen in my terminal where I typed my
passphrase (if I then committed something else within the timeout, I didn't
have to re-type it).

Now we are recommended to use
pkgdev commit
instead. But it does not ask for my passphrase, just writes an error message
that it cannot sign my commit.

If I commit something with repoman and then (within the timeout) commit
something else with pkgdev, it works.

My .gnupg/gpg-agent.conf is

pinentry-program /usr/bin/pinentry-curses
write-env-file
default-cache-ttl 100

My .gnupg/gpg.conf includes the line

use-agent

I can, of course, continue to use repoman for committing. But now it does not
add the Signed-off-by: automatically. I have to add it by hand, in nano. This is
definitely the most convenient way.

Thanks in advance,
Andrey