~sircmpwn/sr.ht-dev


[PATCH builds.sr.ht] images/archlinux: avoid GnuPG's new keyboxd

Message ID
<20231206215225.1060771-1-ch@bitfehler.net>
DKIM signature
missing
Patch: +5 -0
GnuPG recently made "keyboxd", an alternative keyring storage, the
default for new installs [1]. For reasons I cannot explain yet, a gpg
command will hang indefinitely trying to talk to keyboxd, if all of the
following are true:

- keyboxd is already running for the user
- it is managed by the systemd-user session (!?)
- the gpg command is run inside fakeroot

This is easily reproducible on builds.sr.ht: when building and signing a
package with `makepkg`, it will just hang forever after outputting
"Entering fakeroot environment". One can see in the process tree that it
is executing a gpg command inside a fakeroot at that time, which never
finishes.

While I have not found the cause, this issue is not isolated to
builds.sr.ht. I have reproduced this on other Arch Linux systems.

I am trying to figure out what the exact issue is, and whom to talk to
about it, but until then I think just avoiding keyboxd makes sense. As
described in [1], GnuPG will only default to keyboxd if it has to create
`~/.gnupg` when running. I verified that indeed only the empty directory
being present is already sufficient to make GnuPG fall back to the old
storage format.

Hence, this commit simply creates the build user's `~/.gnupg` with the
appropriate permissions, so that keyboxd will not be used.

[1] https://github.com/gpg/gnupg/blob/master/README#L119
---
 images/archlinux/genimg | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/images/archlinux/genimg b/images/archlinux/genimg
index 58e55ab..503d8f1 100755
--- a/images/archlinux/genimg
+++ b/images/archlinux/genimg
@@ -133,6 +133,11 @@ cat > "$root"/home/build/.gitconfig << EOF
  email = builds@sr.ht
EOF
run_root chown build:build /home/build/.gitconfig
# Nudge GnuPG to _not_ use the new keyboxd, it does not play nice with fakeroot
# and hence breaks makepkg (the package signing part)
run_root mkdir /home/build/.gnupg
run_root chown build:build /home/build/.gnupg
run_root chmod 0700 /home/build/.gnupg

run_root pacman --noconfirm -Rs go
paccache -rk0 -c "$root/var/cache/pacman/pkg"
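Review bot: The comment above the three new `run_root` lines says keyboxd is being avoided but not why an empty directory achieves that, so a later cleanup could drop the seemingly pointless `mkdir`. Consider stating in the comment that GnuPG only defaults to keyboxd when it has to create `~/.gnupg` itself, so the directory must exist before the first gpg run. Separately, plain `mkdir` fails if `/home/build/.gnupg` already exists and creates it with the default mode until `chmod 0700` runs; `mkdir -p -m 0700`, or a single `install -d -o build -g build -m 0700 /home/build/.gnupg`, would make the step idempotent and set the mode at creation.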
-- 
2.43.0
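
An added example, not part of the patch or of builds.sr.ht: a small shell check that classifies a GnuPG home directory along the lines the commit message describes (directory missing, keyboxd enabled, or the old keyring storage). The function names are hypothetical, and it assumes keyboxd is switched on by a `use-keyboxd` line in `common.conf`.

```shell
#!/bin/sh
# Added example (not from the patch): classify a GnuPG home directory the way
# the commit message reasons about it.
# Assumption: keyboxd is enabled by a "use-keyboxd" line in common.conf.

# gnupg_home_state DIR -> missing | keyboxd | legacy-loose-perms | legacy
gnupg_home_state() {
    home=$1
    if [ ! -d "$home" ]; then
        # gpg would have to create the directory itself on first use
        echo missing
        return 0
    fi
    if [ -f "$home/common.conf" ] &&
       grep -Eq '^[[:space:]]*use-keyboxd([[:space:]]|$)' "$home/common.conf"; then
        echo keyboxd
        return 0
    fi
    # First 10 chars of `ls -ld` are type+mode; this drops any ACL/SELinux suffix
    perms=$(ls -ld "$home" | cut -c1-10)
    if [ "$perms" != "drwx------" ]; then
        echo legacy-loose-perms
        return 0
    fi
    echo legacy
}

# seed_gnupg_home DIR: pre-create the directory with mode 0700 (idempotent).
# Ownership is left to the caller (the patch uses chown build:build).
seed_gnupg_home() {
    mkdir -p "$1" && chmod 0700 "$1"
}

# Constructed demo on a throwaway directory; the real ~/.gnupg is not touched
demo() {
    tmp=$(mktemp -d) || return 1
    gnupg_home_state "$tmp/.gnupg"      # missing
    seed_gnupg_home "$tmp/.gnupg"
    gnupg_home_state "$tmp/.gnupg"      # legacy
    rm -rf "$tmp"
}

demo
```

In an image build, a result of `missing` or `keyboxd` for the build user's home would flag the condition this patch works around.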

[builds.sr.ht/patches] build failed

builds.sr.ht <builds@sr.ht>
Message ID
<CXHL5NEB7X39.1X0O681RMGDNF@cirno2>
In-Reply-To
<20231206215225.1060771-1-ch@bitfehler.net> (view parent)
DKIM signature
missing
builds.sr.ht/patches: FAILED in 5m29s

[images/archlinux: avoid GnuPG's new keyboxd][0] from [Conrad Hoffmann][1]

[0]: https://lists.sr.ht/~sircmpwn/sr.ht-dev/patches/47441
[1]: ch@bitfehler.net

✓ #1109352 SUCCESS builds.sr.ht/patches/alpine.yml    https://builds.sr.ht/~sircmpwn/job/1109352
✗ #1109353 FAILED  builds.sr.ht/patches/archlinux.yml https://builds.sr.ht/~sircmpwn/job/1109353
✓ #1109354 SUCCESS builds.sr.ht/patches/debian.yml    https://builds.sr.ht/~sircmpwn/job/1109354
Message ID
<tvbtAfdvLoL04sOAZv-83l1Jz1YSYKIVasF_L92dnCa-8-jqZqYlyjo6qdcwlG7f6nZecbIEX00MmdXQuDOCKbq0YWeMzeO5oW_zD-oT_D4=@emersion.fr>
In-Reply-To
<20231206215225.1060771-1-ch@bitfehler.net> (view parent)
DKIM signature
missing
Oh nice! I've seen this myself (it seems the hangs are not 100% reproducible,
somewhat random).

LGTM