[elbe-devel] [PATCH 1/1] Fix gpg-agent removing passphrase from cache after 2 hours

dion at linutronix.de dion at linutronix.de
Wed Jul 10 14:43:41 CEST 2019


From: Olivier Dion <dion at linutronix.de>

* Reproducing the bug

  1. Set the value of EOT under "elbepack/egpg.py" to a small number,
     such as 10.

  2. ./elbe initvm submit examples/x86_64-pc-hdimg-pbuilder-grub-buster.xml

** Expected traceback

   running cmd +reprepro --basedir "/var/cache/elbe/f89595fd-f178-45fa-836e-a8e652250285/repo" export buster+
   ------------------------------------------------------------------------------
   gpgme gave error Pinentry:32870:  Inappropriate ioctl for device
   ERROR: Could not finish exporting 'buster'!
   There have been errors!
   ------------------------------------------------------------------------------
   Command failed with errorcode 251
   Build failed
   Traceback (most recent call last):
   File "/var/cache/elbe/devel/elbepack/asyncworker.py", line 158, in execute
   skip_pbuild=self.skip_pbuilder)
   File "/var/cache/elbe/devel/elbepack/elbeproject.py", line 510, in build
   self.repo.finalize()
   File "/var/cache/elbe/devel/elbepack/repomanager.py", line 188, in finalize
   env_add={'GNUPGHOME': '/var/cache/elbe/gnupg'})
   File "/var/cache/elbe/devel/elbepack/asciidoclog.py", line 62, in do
    raise CommandError(cmd, ret)

* Fix

  According to the manual, default-cache-ttl is a timer that is
  reset every time an entry in the cache is accessed and defaults to
  10 mins.  Also, max-cache-ttl is a timer that is never reset
  and defaults to 2 hours.  This means that if elbe doesn't access
  the cache every 10 mins, or if the build takes more than 2 hours,
  it's undefined behavior.

  The solution to fix this is to set the max-cache-ttl and
  default-cache-ttl to their maximum value, roughly 136 years.
  There's no other known way, as of now, in gpg v2 to keep a
  passphrase for 'ever'.

Signed-off-by: Olivier Dion <dion at linutronix.de>
---
 elbepack/egpg.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/elbepack/egpg.py b/elbepack/egpg.py
index 22377ac3..93926d53 100644
--- a/elbepack/egpg.py
+++ b/elbepack/egpg.py
@@ -233,11 +233,19 @@ def get_fingerprints():
         fingerprints.append(k.subkeys[0].fpr)
     return fingerprints
 
-
+# End Of Time - Roughtly 136 years
+#
+# The argument parser of GPG use the type unsigned long for
+# default-cache-ttl and max-cache-ttl values.  Thus we're setting the
+# least maximum value of the type unsigned long to ensure that the
+# passphrase is 'never' removed from gpg-agent.
+EOT = 4294967295
 def generate_elbe_internal_key():
     hostfs.mkdir_p("/var/cache/elbe/gnupg")
     hostfs.write_file("/var/cache/elbe/gnupg/gpg-agent.conf", 0o600,
-                      "allow-preset-passphrase")
+                      "allow-preset-passphrase\n"
+                      "default-cache-ttl %d\n"
+                      "max-cache-ttl %d\n" % (EOT, EOT))
     ctx = core.Context()
     ctx.set_engine_info(PROTOCOL_OpenPGP,
                         None,
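Review bot: the two new ttl lines keep the preset passphrase in gpg-agent's cache for as long as the agent process lives, which is the intent, but it also means the elbe signing key stays unlocked on the host long after `self.repo.finalize()` has run; the comment above `EOT` (or the commit message) should say so explicitly, and the build path should clear the cache or stop the agent (e.g. `gpgconf --kill gpg-agent`) once the build has finished so the unlocked key does not outlive the build. Two smaller points in the same hunk: `# End Of Time - Roughtly 136 years` should read `Roughly`, and since the blank line before the comment block was removed, `EOT = 4294967295` now sits directly above `def generate_elbe_internal_key():`; put two blank lines back between them to keep the module PEP 8 clean.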
-- 
2.11.0
