Subject: simple-cdd: GNUPGHOME is not always passed correctly to gpg
Date: Tue, 12 Sep 2023 18:17:34 +0200
Package: simple-cdd
Version: 0.6.9
Severity: normal
X-Debbugs-Cc: [email protected], [email protected]
Dear simple-cdd Authors and/or Maintainers,
When `GNUPGHOME` is not set, simple-cdd defaults it to `$PWD/tmp/gpg-keyring`; this is done in <https://salsa.debian.org/debian/simple-cdd/-/blob/e94dd3303ef9c3ae6815bb3df76355613296cd40/build-simple-cdd#L165-167>.
However, if `GNUPGHOME` is set internally like this, then it is not always passed along to all calls to `gpg` in <https://salsa.debian.org/debian/simple-cdd/-/blob/e94dd3303ef9c3ae6815bb3df76355613296cd40/simple_cdd/gnupg.py>.
This happens, for example, when running `simple-cdd` in a rootless podman container where only parts of my home directory are mounted in, leaving ~ as a read-only empty directory.
Because `GNUPGHOME` is not passed along in at least <https://salsa.debian.org/debian/simple-cdd/-/blob/e94dd3303ef9c3ae6815bb3df76355613296cd40/simple_cdd/gnupg.py#L82-88>, this results in the following error:
> gpg: Fatal: can't create directory '/home/jh/.gnupg': Read-only file system
> Traceback (most recent call last):
> File "/usr/bin/simple-cdd", line 674, in <module>
> scdd.read_configuration()
> File "/usr/bin/simple-cdd", line 179, in read_configuration
> verify_release_keys.extend(gnupg.list_valid_keys(keyring_file))
> File "/usr/lib/python3/dist-packages/simple_cdd/gnupg.py", line 82, in list_valid_keys
> keys_raw = subprocess.check_output(["gpg",
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3.11/subprocess.py", line 466, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3.11/subprocess.py", line 571, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['gpg', '--batch', '--no-default-keyring', '--keyring', '/usr/share/keyrings/debian-archive-keyring.gpg', '--list-keys', '--with-colons']' returned non-zero exit status 2.
I suspect the same is also true for <https://salsa.debian.org/debian/simple-cdd/-/blob/e94dd3303ef9c3ae6815bb3df76355613296cd40/simple_cdd/gnupg.py#L40>.
Thanks a lot, Jonathan Hettwer (bauen1)
-- System Information:
Debian Release: 12.0
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-9-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: bauen1-policy
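The pattern the report asks for, as an added example that is not simple-cdd's own code: resolve the home directory the same way `build-simple-cdd` does (honour `GNUPGHOME`, else fall back to `$PWD/tmp/gpg-keyring`) and then pass it to every `gpg` child on both channels, as `--homedir` on the command line and as `GNUPGHOME` in the child's environment, so gpg never touches `~/.gnupg`. Function names (`resolve_gnupghome`, `gpg_command`, `gpg_env`, `parse_pub_keyids`, `list_valid_keys`) and the sample colon-format line are assumptions made for this example.

```python
import os
import subprocess
from pathlib import Path


def resolve_gnupghome(env, cwd):
    """Same default as build-simple-cdd: GNUPGHOME if set, else
    <cwd>/tmp/gpg-keyring."""
    home = env.get("GNUPGHOME")
    return str(home) if home else str(Path(cwd) / "tmp" / "gpg-keyring")


def gpg_command(gnupghome, keyring, *args):
    """Build a gpg argv that pins the home directory with --homedir, so the
    child cannot fall back to ~/.gnupg whatever environment it inherits."""
    return ["gpg", "--batch", "--homedir", gnupghome,
            "--no-default-keyring", "--keyring", keyring, *args]


def gpg_env(gnupghome, base_env=None):
    """Child environment: a copy of the parent's with GNUPGHOME pinned,
    belt-and-braces alongside --homedir."""
    env = dict(os.environ if base_env is None else base_env)
    env["GNUPGHOME"] = gnupghome
    return env


def parse_pub_keyids(colon_output):
    """Key IDs from `gpg --with-colons` output: 'pub' records, field 5."""
    return [line.split(":")[4]
            for line in colon_output.splitlines() if line.startswith("pub:")]


def list_valid_keys(keyring, gnupghome=None, env=None, cwd=None):
    """Hypothetical replacement for gnupg.list_valid_keys(): run the same
    --list-keys query as the traceback, but with the home directory passed
    explicitly, and return the key IDs found in `keyring`."""
    base = os.environ if env is None else env
    home = gnupghome or resolve_gnupghome(base, cwd or os.getcwd())
    # gpg warns about a world-accessible homedir, so create it 0700 up front.
    Path(home).mkdir(mode=0o700, parents=True, exist_ok=True)
    argv = gpg_command(home, keyring, "--list-keys", "--with-colons")
    out = subprocess.check_output(argv, env=gpg_env(home, base), text=True)
    return parse_pub_keyids(out)


if __name__ == "__main__":
    # Constructed sample of a --with-colons 'pub' record (placeholder key ID).
    SAMPLE = "pub:-:4096:1:0123456789ABCDEF:1600000000::::::scESC::::::23::0:\n"
    print(parse_pub_keyids(SAMPLE))
```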