Skip to content

script/*: fix gpg usage wrt keyboxd #4189

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lifubang merged 1 commit into from
Jun 8, 2024
Merged

script/*: fix gpg usage wrt keyboxd #4189

lifubang merged 1 commit into from
Jun 8, 2024

Conversation

@kolyshkin
Copy link
Contributor

@kolyshkin kolyshkin commented Feb 6, 2024

I used script/keyring_validate.sh, which gave me this error:

[*] User cyphar in runc.keyring is not a maintainer!

Apparently, when gnupg 2.4.1+ sees a fresh install (i.e. no ~/.gnupg directory), it configures itself to use keyboxd instead of keyring files, and when just silently ignores options like --keyring and --no-default-keyring, working with keyboxd all the time.

The only way I found to make it not use keyboxd is to set --homedir. Let's do that when we explicitly want a separate keyring.

Similar change is made to script/release_key.sh.

Also, change "--import --import-options=show-only" to "--show-keys" which is a shortcut. When using this, there is no need to protect the default keyring since this command does not read or modify it.

cyphar
cyphar reviewed Mar 13, 2024
View reviewed changes
@kolyshkin
Copy link
Contributor Author

kolyshkin commented May 15, 2024

Addressed review comment; rebased.

@kolyshkin kolyshkin requested a review from cyphar May 15, 2024 19:06
cyphar
cyphar approved these changes May 16, 2024
View reviewed changes
Copy link
Member

@cyphar cyphar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kolyshkin
script/*: fix gpg usage wrt keyboxd
760105a 
I used script/keyring_validate.sh, which gave me this error:

> [*] User cyphar in runc.keyring is not a maintainer!

Apparently, when gnupg 2.4.1+ sees a fresh install (i.e. no ~/.gnupg
directory), it configures itself to use keyboxd instead of keyring
files, and when just silently ignores options like --keyring and
--no-default-keyring, working with keyboxd all the time.

The only way I found to make it not use keyboxd is to set --homedir.
Let's do that when we explicitly want a separate keyring.

Similar change is made to script/release_key.sh.

Also, change "--import --import-options=show-only" to "--show-keys"
which is a shortcut. When using this, there is no need to protect
the default keyring since this command does not read or modify it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin
Copy link
Contributor Author

kolyshkin commented Jun 7, 2024

@thaJeztah @lifubang @AkihiroSuda PTAL

@lifubang lifubang merged commit a35a4c6 into opencontainers:main Jun 8, 2024
@lifubang
Copy link
Member

lifubang commented Jun 9, 2024

@kolyshkin Need to backport to 1.1?

@lifubang lifubang mentioned this pull request Jun 9, 2024
Merged
@lifubang lifubang added the backport/1.1-done A PR in main branch which has been backported to release-1.1 label Jun 10, 2024
@lifubang lifubang mentioned this pull request Jun 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lifubang lifubang lifubang approved these changes

@cyphar cyphar cyphar approved these changes

@mrunalp mrunalp Awaiting requested review from mrunalp

@thaJeztah thaJeztah Awaiting requested review from thaJeztah

@AkihiroSuda AkihiroSuda Awaiting requested review from AkihiroSuda

Assignees

No one assigned

Labels

area/ci backport/1.1-done A PR in main branch which has been backported to release-1.1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kolyshkin @lifubang @cyphar