GPG verification fails in sudo
rua 0.19.10
I want to create a separate user for rua because I don't want it to clutter my home gpg keyring, but now I cannot install AUR packages requiring gpg source verification (e.g. hplip-plugin). It says
Verifying source file signatures with gpg... hplip-3.24.4-plugin.run ... FAILED (unknown public key 73D770CDA59047B9)
even if I import the key manually: gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 4ABA2F66DBD5A95894910E0673D770CDA59047B9
Example:
$ sudo useradd -mG wheel aurbuilder
$ sudo passwd aurbuilder
$ sudo -u aurbuilder gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 4ABA2F66DBD5A95894910E0673D770CDA59047B9
gpg: directory '/home/aurbuilder/.gnupg' created
gpg: /home/aurbuilder/.gnupg/trustdb.gpg: trustdb created
gpg: key 73D770CDA59047B9: public key "HPLIP (HP Linux Imaging and Printing) <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ sudo -u aurbuilder gpg -k 73D770CDA59047B9
pub dsa1024 2009-12-15 [SC]
4ABA2F66DBD5A95894910E0673D770CDA59047B9
uid [ unknown] HPLIP (HP Linux Imaging and Printing) <[email protected]>
sub elg2048 2009-12-15 [E]
$ sudo -u aurbuilder rua install hplip-plugin
...
==> Verifying source file signatures with gpg...
hplip-3.24.4-plugin.run ... FAILED (unknown public key 73D770CDA59047B9)
==> ERROR: One or more PGP signatures could not be verified!
But yay inside sudo works well. It successfully verifies the package:
Verifying source file signatures with gpg...
hplip-3.24.4-plugin.run ... Passed
I can also run gpg manually:
$ sudo -u aurbuilder -i
[aurbuilder] $ gpg --verify hplip-3.24.4-plugin.run.asc
gpg: assuming signed data in 'hplip-3.24.4-plugin.run'
gpg: Signature made Wed 22 May 2024 04:57:54 UTC
gpg: using DSA key 4ABA2F66DBD5A95894910E0673D770CDA59047B9
gpg: Good signature from "HPLIP (HP Linux Imaging and Printing) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4ABA 2F66 DBD5 A958 9491 0E06 73D7 70CD A590 47B9
I found a similar issue in aura: https://github.com/fosskers/aura/issues/606. Is it related?
PS: Without sudo rua works fine. But I don't want deprecated keys with DSA and SHA1 in my keyring.
I managed to work around it with the GNUPGHOME variable:
$ mkdir ~/.rua-gnupg
$ chmod 700 ~/.rua-gnupg
$ GNUPGHOME=~/.rua-gnupg gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 4ABA2F66DBD5A95894910E0673D770CDA59047B9
gpg: key 73D770CDA59047B9: public key "HPLIP (HP Linux Imaging and Printing) <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ GNUPGHOME=~/.rua-gnupg gpg -k
/home/vehlwn/.rua-gnupg/pubring.kbx
--------------------------------
pub dsa1024 2009-12-15 [SC]
4ABA2F66DBD5A95894910E0673D770CDA59047B9
uid [ unknown] HPLIP (HP Linux Imaging and Printing) <[email protected]>
sub elg2048 2009-12-15 [E]
$ GNUPGHOME=~/.rua-gnupg rua install hplip-plugin
...
==> Verifying source file signatures with gpg...
hplip-3.24.4-plugin.run ... Passed
...
Rua provides the build jail with access to ~/.gnupg/pubring.gpg and ~/.gnupg/pubring.kbx, but it looks like in some cases received keys are stored in ~/.gnupg/public-keys.d/pubring.db (an SQLite database), which isn't mounted into the jail.
Try adding the following to ~/.config/rua/wrap_args.d/gnupg.sh:
wrap_args+=(--ro-bind-try ~/.gnupg/public-keys.d ~/.gnupg/public-keys.d --ro-bind-try ~/.gnupg/common.conf ~/.gnupg/common.conf)
It solved the problem for me.
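The reply above explains the mismatch: rua binds only pubring.gpg and pubring.kbx into the build jail, while a GnuPG home that uses keyboxd keeps public keys in public-keys.d/pubring.db. The script below is an added example (not part of rua and not posted by anyone in this thread) that inspects a GNUPGHOME and tells you whether the default binds would cover your keys before you reach for the wrap_args.d workaround. It assumes the GnuPG 2.4 layout in which keyboxd is switched on by a `use-keyboxd` line in common.conf and then writes keys to public-keys.d/pubring.db; the fixture directory it builds is constructed for the demo and contains no real keys.

```shell
#!/bin/sh
# Added example, not rua's own code: report which public-key stores a GnuPG
# home directory contains and whether rua's default jail binds
# (pubring.gpg and pubring.kbx) are enough to let gpg inside the jail see them.
# Assumption: keyboxd is enabled by "use-keyboxd" in common.conf and keeps
# public keys in public-keys.d/pubring.db (GnuPG 2.4 layout).

set -eu

# Print one line per key store that exists under the given GNUPGHOME.
gnupg_key_stores() {
    gh=$1
    for f in pubring.gpg pubring.kbx public-keys.d/pubring.db; do
        if [ -e "$gh/$f" ]; then
            echo "$f"
        fi
    done
    return 0
}

# Exit 0 if common.conf enables keyboxd (comment lines are ignored).
gnupg_uses_keyboxd() {
    conf=$1/common.conf
    [ -f "$conf" ] && grep -Eq '^[[:space:]]*use-keyboxd([[:space:]]|$)' "$conf"
}

# Exit 0 if keys may live outside the two files rua binds by default,
# i.e. the jail needs extra binds for public-keys.d and common.conf.
gnupg_needs_extra_binds() {
    gh=$1
    [ -e "$gh/public-keys.d/pubring.db" ] || gnupg_uses_keyboxd "$gh"
}

# Emit the wrap_args.d snippet for the given GNUPGHOME. Passing the literal
# string '~/.gnupg' reproduces the line from the reply above, since the tilde
# is expanded later, when rua sources the snippet.
rua_gnupg_wrap_args() {
    gh=$1
    printf 'wrap_args+=(--ro-bind-try %s/public-keys.d %s/public-keys.d --ro-bind-try %s/common.conf %s/common.conf)\n' \
        "$gh" "$gh" "$gh" "$gh"
}

# Constructed fixture: an empty GNUPGHOME laid out the way gpg 2.4 with
# keyboxd does it. No real key material is involved.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/public-keys.d"
    : > "$fx/public-keys.d/pubring.db"
    printf '# created by gpg\nuse-keyboxd\n' > "$fx/common.conf"
    echo "$fx"
}

# Demo run against the constructed fixture.
demo_home=$(make_fixture)
echo "key stores in $demo_home:"
gnupg_key_stores "$demo_home"
if gnupg_needs_extra_binds "$demo_home"; then
    echo "keys may live in public-keys.d; add to ~/.config/rua/wrap_args.d/gnupg.sh:"
    rua_gnupg_wrap_args '~/.gnupg'
else
    echo "pubring.gpg/pubring.kbx cover this home; no extra binds needed"
fi
rm -rf "$demo_home"
```

Run it as-is to see the fixture case, or call `gnupg_key_stores "$HOME/.gnupg"` and `gnupg_needs_extra_binds "$HOME/.gnupg"` against a real home to decide whether the extra --ro-bind-try entries are needed for your user. A home that shows only pubring.kbx (as the GNUPGHOME=~/.rua-gnupg workaround above does) is already covered by rua's default binds.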