ghaction-import-gpg
67108933 Not implemented <GPG Agent>
Behaviour
Steps to reproduce this issue
- Create a key with subkeys.
- Add a subkey for signing using ecdsa.
- Add a subkey for signing using RSA.
- Export the key using ASCII armor:
  gpg --armor --export-secret-keys KEYID | pbcopy
- Add the key as a secret for this workflow.
- Add the passphrase as a secret in GitHub for this workflow.
In this workflow I am selecting the RSA subkey for signing.
Expected behaviour
The key should successfully load into the gpg-agent.
Actual behaviour
Running this workflow fails with the following log:
Configuring GnuPG agent
::group::Getting keygrip for fingerprint
Getting keygrip for fingerprint
Error: ERR 67108933 Not implemented <GPG Agent>
Configuration
- Repository URL (if public): https://github.com/marcofranssen/terraform-provider-curl
- Build URL (if public): https://github.com/marcofranssen/terraform-provider-curl/actions/runs/2785634489
name: release
on:
  push:
jobs:
  release-provider:
    runs-on: ubuntu-22.04
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/[email protected]
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/[email protected]
        with:
          go-version-file: 'go.mod'
          check-latest: true
          cache: true
      - name: Import GPG key
        uses: crazy-max/[email protected]
        id: gpg
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          fingerprint: EA0A37E819AFBAE6
…
…
…
Logs
See attached build URL.
Looking at the log and the related code it seems it fails retrieving the keygrip.
https://github.com/crazy-max/ghaction-import-gpg/blob/master/src/main.ts#L77
In the logs you will see there is no keygrip printed, meaning https://github.com/crazy-max/ghaction-import-gpg/blob/master/src/main.ts#L76 probably failed getting the keygrip.
I finally figured it out. I was using the subkey ID as opposed to the subkey fingerprint. Now that I'm using the subkey fingerprint, all works perfectly.
I figured it out when reading this code.
https://github.com/crazy-max/ghaction-import-gpg/blob/c8bb57c57e8df1be8c73ff3d59deab1dbc00e0d1/src/gpg.ts#L184-L193
Probably would be good to document how to get the fingerprint of a given subkey id.
I did this via the following command:
gpg --batch --with-colons --with-keygrip --list-secret-keys | awk -F: '/^fpr:.*AE0B37D819AFABE6:/ { print $10 }'
The key ID AE0B37D819AFABE6 must be replaced with your own subkey ID, of course. Not sure if there is an easier way of getting this.
I am running into the same issue but adding the full fingerprint still does not make it work. You can get the fingerprint of subkeys like that:
gpg -K --with-subkey-fingerprint <[email protected]>
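Added example, not part of the original thread or of the action's code: a record-aware way to turn a subkey's long key ID into the fingerprint and keygrip, parsing the same `--with-colons --with-keygrip` listing used above instead of pattern-matching `fpr` lines. The function names `sample_listing` and `resolve_subkey` are hypothetical, and the key material in the sample is constructed.

```shell
#!/bin/sh
# Added example: map a long key ID (or a fingerprint) to "FINGERPRINT KEYGRIP".
# Real input would come from:
#   gpg --batch --with-colons --with-keygrip --list-secret-keys

# Constructed sample listing (not real keys): one primary key and two signing
# subkeys, ECDSA (algo 19) and RSA (algo 1), as in the reproduction steps.
sample_listing() {
  cat <<'EOF'
sec:u:4096:1:1111AAAA1111AAAA:1650000000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111AAAA1111AAAA:
grp:::::::::A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1:
uid:u::::1650000000::::Example <user@example.invalid>::::::::::0:
ssb:u:256:19:2222BBBB2222BBBB:1650000000::::::s:::+::nistp256:23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222BBBB2222BBBB:
grp:::::::::B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2:
ssb:u:4096:1:3333CCCC3333CCCC:1650000000::::::s:::+:::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333CCCC3333CCCC:
grp:::::::::C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3:
EOF
}

# resolve_subkey ID < listing
# ID may be a 16-hex key ID or a 40-hex fingerprint, in either case.
resolve_subkey() {
  want=$(printf '%s' "$1" | tr 'a-f' 'A-F')   # gpg prints hex in upper case
  awk -F: -v want="$want" '
    # A sec/ssb record starts a new key; field 5 is its 16-hex key ID.
    $1 == "sec" || $1 == "ssb" { keyid = $5; fpr = ""; next }
    # The fpr record that follows carries the full fingerprint in field 10.
    $1 == "fpr" && fpr == ""   { fpr = $10; next }
    # grp (present only with --with-keygrip) carries the keygrip in field 10.
    $1 == "grp" && (keyid == want || fpr == want) {
      print fpr, $10; found = 1; exit
    }
    END { exit !found }   # non-zero status when nothing matched
  '
}

# Demo on the constructed listing: resolve the RSA signing subkey.
sample_listing | resolve_subkey 3333cccc3333cccc
```

The first field of the output is the value to put in the action's `fingerprint` input; a non-zero exit status means the ID matched no secret key in the listing.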