
Is there a way to do unattended unlock with gpg passphrase?

Open xueshanf opened this issue 8 years ago • 5 comments

The use case is for CI/CD system to be able to download git repo, and run git-crypt unlock with a deployment gpg key, protected with passphrase.

xueshanf avatar Sep 01 '16 05:09 xueshanf

I'm designing the deploy process for a current project under the assumption that this is possible, but I haven't actually scripted the CI end yet. In your version would the GPG key itself be coming out of the CI environment or just its passphrase?

alerque avatar Sep 01 '16 07:09 alerque

You should be able to use gpg-agent, evaluate the exported variables, then get the password into the agent [maybe using gpg with --passphrase --batch]; then the decrypted key would be in memory in the agent, then try the unlock.

jmalacho avatar Sep 14 '16 21:09 jmalacho

Gpg agent plus preset passphrase. You set up gpg home and pass it in environment variable. See for example https://github.com/zalora/nixsap/blob/master/modules/apps/gnupg/default.nix

ip1981 avatar May 02 '17 12:05 ip1981

Here is my guide to how to do this inside a docker container (build time)

git-crypt — Unattended Unlock with GPG Passphrase in Docker

Dockerfile

a7medkamel avatar Jun 04 '18 21:06 a7medkamel

One can also remove the passphrase after importing the key; this should not be more risky compared to the agent, since it is supposed to be used in CI and all imported keys will be removed after the job is finished.

If you have the passphrase in the variable PASSPHRASE and the [email protected] key in the file foo.key:

# Import key with password (without decrypting)
gpg --import --batch --pinentry-mode loopback foo.key
# Remove password sequence: old password, new line, empty password, new line
echo -e "$PASSPHRASE\n\n" | gpg --change-passphrase --batch --pinentry-mode loopback --command-fd 0 foo
git-crypt unlock

Peter-Sh avatar Dec 01 '21 08:12 Peter-Sh
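The agent-plus-preset-passphrase route ip1981 describes, combined with the throwaway-keyring point from Peter-Sh's comment, as one CI script. This is an added example, not code from the thread or from git-crypt itself; it assumes the CI system injects the base64-encoded private key as GITCRYPT_KEY_B64 and its passphrase as GITCRYPT_KEY_PASSPHRASE (both names are assumptions), and that git-crypt and GnuPG 2.1+ are on the runner.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): unattended `git-crypt unlock` in a CI job via
# gpg-agent's preset-passphrase cache, in an ephemeral GNUPGHOME that is destroyed on
# exit, so the key keeps its passphrase and nothing outlives the job. Assumed inputs:
# GITCRYPT_KEY_B64 (ASCII-armored private key, base64) and GITCRYPT_KEY_PASSPHRASE.
set -eu

# Keygrips from `gpg --with-colons --with-keygrip` output on stdin: field 10 of "grp" records.
keygrips_from_listing() {
  awk -F: '$1 == "grp" && $10 != "" { print $10 }'
}

# Space-separated names of required inputs that are unset or empty ("" if all present).
missing_inputs() {
  missing=""
  for name in GITCRYPT_KEY_B64 GITCRYPT_KEY_PASSPHRASE; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="${missing:+$missing }$name"
  done
  printf '%s' "$missing"
}

gitcrypt_ci_unlock() {
  m="$(missing_inputs)"
  if [ -n "$m" ]; then echo "missing CI secrets: $m" >&2; return 1; fi

  # Throwaway keyring, isolated from the runner's ~/.gnupg and removed when the job ends.
  GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
  trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME"' EXIT
  printf 'allow-preset-passphrase\nmax-cache-ttl 3600\n' > "$GNUPGHOME/gpg-agent.conf"

  # Import the key, still passphrase-protected, straight from the variable (never on disk).
  printf '%s' "$GITCRYPT_KEY_B64" | base64 -d | gpg --batch --import

  # Preset the passphrase for every keygrip (primary key and subkeys) so the
  # `gpg --decrypt` that git-crypt runs is answered from the agent cache, not a pinentry.
  preset="$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase"
  gpg --batch --with-colons --with-keygrip --list-secret-keys \
    | keygrips_from_listing \
    | while read -r grip; do
        printf '%s' "$GITCRYPT_KEY_PASSPHRASE" | "$preset" --preset "$grip"
      done

  git-crypt unlock
}

# Only act when invoked as `sh unlock.sh run`, so the functions can be sourced and tested.
if [ "${1:-}" = run ]; then gitcrypt_ci_unlock; fi
```

The cached passphrase expires with max-cache-ttl and the EXIT trap kills the agent and deletes the keyring, so a job that fails midway leaves no key material behind on a shared runner.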