Aptly publish API (curl) fails because gpg still asks for passphrase even when passing "Passphrase" or "PassphraseFile"
Detailed Description
This happens when using gpg2 at least. In regular aptly command line, two options are required:
- -passphrase-file
- -batch

However there's no way to pass "batch" with REST, so we get an error:
Feb 27 00:47:10 dp-debian-infra aptly[807]: Loading packages...
Feb 27 00:47:10 dp-debian-infra aptly[807]: Generating metadata files and linking package files...
Feb 27 00:47:11 dp-debian-infra aptly[807]: Finalizing metadata files...
Feb 27 00:47:12 dp-debian-infra aptly[807]: Signing file 'Release' with gpg, please enter your passphrase when prompted:
Feb 27 00:47:12 dp-debian-infra aptly[1102]: gpg: signing failed: Inappropriate ioctl for device
Feb 27 00:47:12 dp-debian-infra aptly[1102]: gpg: signing failed: Inappropriate ioctl for device
Feb 27 00:47:12 dp-debian-infra aptly[807]: [GIN] 2024/02/27 - 00:47:12 | 500 | 1.716432193s | 10.10.2.15 | POST "/api/publish/filesystem:FPBX17-qa-web:fpbx17-bin"
Feb 27 00:47:12 dp-debian-infra aptly[807]: Error #01: unable to publish: unable to detached sign file: exit status 2
Context
When using the REST API for publishing for the first time, which requires passing the gpg passphrase to unlock the key. Note that because the key is gpg2, I cannot use the "internal" GPG provider, since it looks for the legacy secring/pubring, which don't exist in gpg2.
Possible Implementation
Not sure why "batch" is required, even when passing the PassPhraseFile with cmd line, but be that as it may, please provide a "batch" option for REST
Your Environment
Debian bookworm
aptly version: 1.5.0+ds1-1+b4
"gpgDisableSign": false,
"gpgDisableVerify": false,
"gpgProvider": "gpg2",
How are you starting aptly? gpg might need tty access or some agent to handle input.
Could you share your REST call?
The Batch option is available via REST, within the Signing block:
curl -fsS -X PUT -H 'Content-Type: application/json' --data \
"{\"AcquireByHash\": true, \"Snapshots\": [{\"Component\": \"main\", \"Name\": \"$aptly_snapshot\"}],
\"Signing\": {\"Batch\": true, \"Keyring\": \"aptly.repo/aptly.pub\",
\"secretKeyring\": \"aptly.repo/aptly.sec\", \"PassphraseFile\": \"aptly.repo/passphrase\"}}" \
-u $aptly_user:$aptly_password ${aptly_api}/api/publish/$aptly_published
(from: upload-artifacts.sh)
There is a way to pass "Batch": true in the JSON data for API calls, see above...
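
An added example (not part of the thread, and not code from aptly or upload-artifacts.sh): shell functions that build the publish body with `"Batch": true` and a `PassphraseFile`, as the replies above describe, and refuse a passphrase file that is group- or world-accessible. The function names, `APTLY_API`, `APTLY_NETRC` and the omission of the keyring fields are assumptions of this example; the permission check is only meaningful on the aptly host, where gpg reads the file.

```shell
#!/bin/sh
# Added example: names and environment variables are hypothetical.

# Fail if the passphrase file is missing or accessible by group/others.
# Run on the aptly host, since the server-side gpg process reads this path.
check_passphrase_file() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    # Characters 5-10 of the mode string are the group and other bits.
    go_bits=$(ls -ld "$1" | cut -c5-10)
    [ "$go_bits" = "------" ] || { echo "group/other access on $1" >&2; return 1; }
}

# Emit the JSON body for PUT /api/publish/... with Batch always set, so gpg
# never tries to prompt on a tty ("Inappropriate ioctl for device").
# Args: snapshot name, component, passphrase file path.
publish_body() {
    # Reject empty values and quotes or backslashes instead of escaping them.
    for v in "$1" "$2" "$3"; do
        case $v in
            ''|*\"*|*\\*) echo "invalid value: $v" >&2; return 1 ;;
        esac
    done
    printf '{"AcquireByHash": true, "Snapshots": [{"Component": "%s", "Name": "%s"}], ' "$2" "$1"
    printf '"Signing": {"Batch": true, "PassphraseFile": "%s"}}\n' "$3"
}

# Send the update. Credentials come from a netrc file (assumed to exist at
# $APTLY_NETRC) so they are not passed on the command line.
# Args: snapshot, component, passphrase file, published prefix/distribution.
publish_update() {
    body=$(publish_body "$1" "$2" "$3") || return 1
    curl -fsS -X PUT -H 'Content-Type: application/json' \
        --netrc-file "$APTLY_NETRC" --data "$body" \
        "$APTLY_API/api/publish/$4"
}
```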