[elbe-devel] [PATCH 1/1] Fix gpg-agent removing passphrase from cache after 2 hours
Kurt Kanzenbach
kurt.kanzenbach at linutronix.de
Wed Jul 17 09:51:41 CEST 2019
On Mon, Jul 15, 2019 at 11:16:25AM +0200, dion at linutronix.de wrote:
> From: Olivier Dion <dion at linutronix.de>
>
> * Reproducing the bug
>
> 1. Set the value of EOT under "elbepack/epgpg.py" to a small number,
> such as 10.
>
> 2. ./elbe initvm submit examples/x86_64-pc-hdimg-pbuilder-grub-buster.xml
>
> ** Expected traceback
>
> running cmd +reprepro --basedir "/var/cache/elbe/f89595fd-f178-45fa-836e-a8e652250285/repo" export buster+
> ------------------------------------------------------------------------------
> gpgme gave error Pinentry:32870: Inappropriate ioctl for device
> ERROR: Could not finish exporting 'buster'!
> There have been errors!
> ------------------------------------------------------------------------------
> Command failed with errorcode 251
> Build failed
> Traceback (most recent call last):
>   File "/var/cache/elbe/devel/elbepack/asyncworker.py", line 158, in execute
>     skip_pbuild=self.skip_pbuilder)
>   File "/var/cache/elbe/devel/elbepack/elbeproject.py", line 510, in build
>     self.repo.finalize()
>   File "/var/cache/elbe/devel/elbepack/repomanager.py", line 188, in finalize
>     env_add={'GNUPGHOME': '/var/cache/elbe/gnupg'})
>   File "/var/cache/elbe/devel/elbepack/asciidoclog.py", line 62, in do
>     raise CommandError(cmd, ret)
>
> * Fix
>
> According to the manual, default-cache-ttl is a timer that will be
> reset every time an entry in the cache is accessed and defaults to
> 10 mins. Also, max-cache-ttl timer is a timer that is never reset
> and defaults to 2 hours. This means that if elbe doesn't access
> the cache every 10 mins, or if the build takes more than 2 hours,
> it's undefined behavior.
>
> The solution to fix this is to set the max-cache-ttl and
> default-cache-ttl to their maximum value, roughly 136 years.
> There's no other known way, as for now, in gpg v2 to keep a
> passphrase for 'ever'.
>
> Signed-off-by: Olivier Dion <dion at linutronix.de>
Reviewed-by: Kurt Kanzenbach <kurt at linutronix.de>
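
The two cache timers described in the commit message, modelled as an added example (not code from the patch, from elbe or from gpg-agent). The sample configuration, the access times and the value 2**32 - 1 seconds for "roughly 136 years" are assumptions constructed for illustration.

```python
# Model of gpg-agent's passphrase cache timers as the commit message describes them:
# default-cache-ttl restarts on every access, max-cache-ttl runs from caching and never restarts.
DEFAULTS = {"default-cache-ttl": 600, "max-cache-ttl": 7200}  # 10 min and 2 h, per the message
UINT32_MAX = 2**32 - 1  # assumed maximum, in seconds (about 136 years)

# Constructed gpg-agent.conf content with both timers raised to the assumed maximum.
PATCHED_CONF = f"""\
# keep the signing passphrase for the whole build
default-cache-ttl {UINT32_MAX}
max-cache-ttl {UINT32_MAX}
"""


def parse_ttls(conf_text):
    """Read the two TTL options from gpg-agent.conf style text, falling back to defaults."""
    ttls = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] in ttls:
            ttls[parts[0]] = int(parts[1])
    return ttls


def first_cache_miss(access_times, ttls):
    """Return the first access time (seconds after caching) that finds the
    passphrase gone, or None if every access is served from the cache."""
    created = last_access = 0
    for now in sorted(access_times):
        if now - last_access > ttls["default-cache-ttl"]:
            return now  # idle for longer than the resettable timer
        if now - created > ttls["max-cache-ttl"]:
            return now  # absolute lifetime exceeded, regardless of activity
        last_access = now
    return None


if __name__ == "__main__":
    idle_build = [300, 800, 1500]          # constructed: a 700 s gap between signing steps
    long_build = list(range(0, 9000, 300))  # constructed: signs every 5 min for 2.5 h
    for name, conf in (("default", ""), ("patched", PATCHED_CONF)):
        ttls = parse_ttls(conf)
        print(name, first_cache_miss(idle_build, ttls), first_cache_miss(long_build, ttls))
```
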