
GPG forwarding still not working with keyboxd disabled on Windows 11

Open lisekarimi opened this issue 7 months ago • 4 comments

  • VSCode Version: 1.90.2
  • Local OS Version: Windows 11
  • Remote OS Version: Debian (mcr.microsoft.com/devcontainers/python:3.11)
  • Remote Extension/Connection Type: Dev Containers
  • Logs: Attached below

Steps to Reproduce:

  1. Set up Windows 11 with GPG 2.4.4 (bundled with Git for Windows)
  2. Disable keyboxd by commenting out use-keyboxd in ~/.gnupg/common.conf
  3. Verify GPG works locally with gpg --list-secret-keys
  4. Create dev container with gnupg installed via common-utils feature
  5. Open project in dev container
  6. Try to list GPG keys in container: gpg --list-secret-keys
  7. Attempt to commit with GPG signing

Does this issue occur when you try this locally?: No - GPG works perfectly on local machine

Does this issue occur when you try this locally and all extensions are disabled?: No - local GPG signing works fine

Local GPG Setup (Working)

# GPG works locally
PS> gpg --version
gpg (GnuPG) 2.4.4-unknown

PS> gpg --list-secret-keys --keyid-format=short
/c/Users/user/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096/XXXXXXXX 2025-05-30 [SC]
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid         [ultimate] User Name <[email protected]>

# Keyboxd disabled as recommended
PS> Get-Content $env:USERPROFILE\.gnupg\common.conf
#use-keyboxd

# .kbx file exists
PS> ls $env:USERPROFILE\.gnupg\pubring.kbx
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         6/11/2025   7:28 PM           2482 pubring.kbx

Dev Container Configuration

{
  "name": "SkinDX ML Environment",
  "image": "mcr.microsoft.com/devcontainers/python:3.11",
  "features": {
    "ghcr.io/devcontainers/features/common-utils:2": {
      "installGnupg": true
    }
  },
  "postCreateCommand": "pip install --upgrade pip && pip install uv && uv sync"
}

Container Behavior (Failing)

# Empty GPG in container
vscode@container:/workspaces/project$ gpg --list-secret-keys --keyid-format=short
gpg: directory '/home/vscode/.gnupg' created
gpg: keybox '/home/vscode/.gnupg/pubring.kbx' created
gpg: /home/vscode/.gnupg/trustdb.gpg: trustdb created

# No keys forwarded
vscode@container:/workspaces/project$ gpg --list-secret-keys --keyid-format=short
# (empty output)

# Commit signing fails
vscode@container:/workspaces/project$ git commit -m "test" --no-verify
error: gpg failed to sign the data:
gpg: skipped "XXXXXXXX": No secret key
gpg: signing failed: No secret key
fatal: failed to write commit object

Attempted Fixes

Upgraded to latest pre-release: 0.416.0
Disabled keyboxd: Modified common.conf to #use-keyboxd
Verified .kbx files exist: pubring.kbx created and populated
Restarted GPG agent: gpg-connect-agent reloadagent /bye
Used official VS Code configuration: No manual mounts or configs
Confirmed local GPG works: Signing works perfectly on host

Expected Behavior

GPG keys should be automatically forwarded to the dev container, allowing commit signing to work as documented in the official VS Code guide.

Actual Behavior

Container creates empty GPG directory, no keys are forwarded, commit signing fails with "No secret key" error.

Additional Context

  • Issue persists across multiple container rebuilds
  • GPG 2.4.4 is bundled with Git for Windows (not standalone install)
  • This affects the ability to have verified commits in containerized development workflows
  • Workaround: Committing from local machine works but defeats the purpose of containerized development

Related Issues

  • #9217 (keyboxd support - supposedly fixed)
  • Similar reports in #10496, #10184

The keyboxd fix appears incomplete for Windows + Git for Windows GPG setups.

lisekarimi, Jun 11 '25 19:06

Please append the Dev Containers log from when this fails. (F1 > Dev Containers: Show Container Log)

chrmarti, Jun 12 '25 09:06

> Please append the Dev Containers log from when this fails. (F1 > Dev Containers: Show Container Log)

GPG Agent Forwarding Failure

[10629 ms] Start: Launching Dev Containers helper.
[10629 ms] ssh-agent: SSH_AUTH_SOCK not set on local host.
[10629 ms] X11 forwarding: DISPLAY not set on local host.
[10630 ms] Start: Run in container: gpgconf --list-dirs
[10640 ms] sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/x86_64-linux-gnu/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
socketdir:/home/vscode/.gnupg
dirmngr-socket:/home/vscode/.gnupg/S.dirmngr
agent-ssh-socket:/home/vscode/.gnupg/S.gpg-agent.ssh
agent-extra-socket:/home/vscode/.gnupg/S.gpg-agent.extra
agent-browser-socket:/home/vscode/.gnupg/S.gpg-agent.browser
agent-socket:/home/vscode/.gnupg/S.gpg-agent
homedir:/home/vscode/.gnupg
[10640 ms] 
[10641 ms] Start: Run in container: ls '/home/vscode/.gnupg/private-keys-v1.d' 2>/dev/null
[10646 ms] 
[10646 ms] 
[10646 ms] Exit code 2
[10647 ms] Start: Run: gpgconf --list-dirs
[10686 ms] gpg-agent: No agent-extra-socket found on local host.

Git Config Cleanup

[11222 ms] Start: Run in container: # Cleaning up git config
[11237 ms] Removing Git config key: gpg.program = C:/Program Files/Git/usr/bin/gpg.exe
[11238 ms] Start: Run: git config --global --get gpg.ssh.allowedSignersFile
[11244 ms] (empty result)

VS Code is trying to forward GPG but completely failing to find any GPG agent or keys on my local Windows machine, even after keyboxd was disabled.

Thank you

lisekarimi, Jun 12 '25 10:06

We added support for keyboxd a while ago, but it makes sense to try without to rule that out as the cause of the problem.

What do you get as output from running gpgconf --list-dirs locally? Is the log excerpt above showing all the output?

chrmarti, Jun 13 '25 06:06

Output from my local Windows machine

$ gpgconf --list-dirs
sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
socketdir:/c/Users/synch/.gnupg
dirmngr-socket:/c/Users/synch/.gnupg/S.dirmngr
keyboxd-socket:/c/Users/synch/.gnupg/S.keyboxd
agent-ssh-socket:/c/Users/synch/.gnupg/S.gpg-agent.ssh
agent-extra-socket:/c/Users/synch/.gnupg/S.gpg-agent.extra
agent-browser-socket:/c/Users/synch/.gnupg/S.gpg-agent.browser
agent-socket:/c/Users/synch/.gnupg/S.gpg-agent
homedir:/c/Users/synch/.gnupg

Update: After completely killing gpg-agent and attempting to disable keyboxd:

  1. Commented out use-keyboxd in ~/.gnupg/common.conf
  2. Ran gpgconf --kill keyboxd && gpgconf --kill gpg-agent
  3. Killed gpg-agent.exe process manually (keyboxd.exe wasn't running)
  4. Restarted with gpgconf --launch gpg-agent

Result: keyboxd-socket still appears in gpgconf --list-dirs, proving it's hardcoded in the GPG 2.4.4 build bundled with Git for Windows 2.44.0.windows.1 and cannot be disabled.

This confirms the issue is that the VS Code Dev Containers extension can't handle Git for Windows GPG builds that have keyboxd hardcoded.

VS Code + local Git/GPG = verified commits but Dev Containers extension + GPG forwarding = broken

lisekarimi, Jun 13 '25 17:06

In the log you posted above gpgconf --list-dirs doesn't show the list of dirs. Could you double check if these are further down in the log? The log also has gpg-agent: No agent-extra-socket found on local host..

chrmarti, Jun 19 '25 08:06
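
The check requested in the comment above, as an added example that is not part of the original thread or of the Dev Containers extension: it splits a Dev Containers log into its gpgconf --list-dirs runs and reports whether each side printed an agent-extra-socket entry. The sample log is constructed from the lines quoted in this thread (abridged), and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample: log lines quoted in the thread, abridged.
SAMPLE_LOG = """\
[10630 ms] Start: Run in container: gpgconf --list-dirs
[10640 ms] sysconfdir:/etc/gnupg
bindir:/usr/bin
agent-extra-socket:/home/vscode/.gnupg/S.gpg-agent.extra
agent-socket:/home/vscode/.gnupg/S.gpg-agent
homedir:/home/vscode/.gnupg
[10641 ms] Start: Run in container: ls '/home/vscode/.gnupg/private-keys-v1.d' 2>/dev/null
[10646 ms] Exit code 2
[10647 ms] Start: Run: gpgconf --list-dirs
[10686 ms] gpg-agent: No agent-extra-socket found on local host.
"""

START = re.compile(r"^\[\d+ ms\] Start: (Run in container|Run): (.*)$")
STAMP = re.compile(r"^\[\d+ ms\] ?")
# gpgconf prints name:value with no space after the colon; log messages
# such as "gpg-agent: No ..." have a space there and are skipped.
DIR_LINE = re.compile(r"^([a-z][a-z0-9-]*):(\S.*)$")

def parse_list_dirs(lines):
    """Parse gpgconf --list-dirs output; values are percent-escaped."""
    dirs = {}
    for line in lines:
        m = DIR_LINE.match(line.strip())
        if m:
            dirs[m.group(1)] = unquote(m.group(2))
    return dirs

def gpgconf_runs(log_text):
    """Map 'local' / 'container' to the dirs each gpgconf run printed."""
    runs, side = {}, None
    for raw in log_text.splitlines():
        m = START.match(raw)
        if m:
            side = None  # a new command ends the previous command's output
            if m.group(2).strip() == "gpgconf --list-dirs":
                side = "container" if m.group(1) == "Run in container" else "local"
                runs[side] = []
            continue
        if side:
            runs[side].append(STAMP.sub("", raw))
    return {k: parse_list_dirs(v) for k, v in runs.items()}

def extra_sockets(log_text):
    """agent-extra-socket path per side, or None if that run printed none."""
    return {s: d.get("agent-extra-socket") for s, d in gpgconf_runs(log_text).items()}
```

On the sample, the container run yields a socket path while the local run yields None, because no directory lines follow the local gpgconf --list-dirs entry in the log.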

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!