Aptly publish API (curl) fails because gpg still asks for passphrase even when passing "Passphrase" or "PassphraseFile" #1252

Open
pdepaulis opened this issue Feb 27, 2024 · 2 comments

Detailed Description

This happens when using gpg2 at least. In regular aptly command line, two options are required:

  • -passphrase-file
  • -batch

However there's no way to pass "batch" with REST, so we get an error:

    Feb 27 00:47:10 dp-debian-infra aptly[807]: Loading packages...
    Feb 27 00:47:10 dp-debian-infra aptly[807]: Generating metadata files and linking package files...
    Feb 27 00:47:11 dp-debian-infra aptly[807]: Finalizing metadata files...
    Feb 27 00:47:12 dp-debian-infra aptly[807]: Signing file 'Release' with gpg, please enter your passphrase when prompted:
    Feb 27 00:47:12 dp-debian-infra aptly[1102]: gpg: signing failed: Inappropriate ioctl for device
    Feb 27 00:47:12 dp-debian-infra aptly[1102]: gpg: signing failed: Inappropriate ioctl for device
    Feb 27 00:47:12 dp-debian-infra aptly[807]: [GIN] 2024/02/27 - 00:47:12 | 500 |  1.716432193s |      10.10.2.15 | POST     "/api/publish/filesystem:FPBX17-qa-web:fpbx17-bin"
    Feb 27 00:47:12 dp-debian-infra aptly[807]: Error #01: unable to publish: unable to detached sign file: exit status 2

Context

When using the REST API for Publishing for the first time, which requires passing the gpg passphrase to unlock the key.
Note that because the key is gpg2 I cannot use the "internal" GPG provider since it looks for the legacy secring/pubring which don't exist in gpg2.

Possible Implementation

Not sure why "batch" is required, even when passing the PassPhraseFile with cmd line, but be that as it may, please provide a "batch" option for REST

Your Environment

Debian bookworm
aptly version: 1.5.0+ds1-1+b4

    "gpgDisableSign": false,
    "gpgDisableVerify": false,
    "gpgProvider": "gpg2",

neolynx (Member) commented Apr 11, 2024

How are you starting aptly? gpg might need tty access or some agent to handle input.

neolynx (Member) commented Apr 20, 2024

Could you share your REST call?

The Batch option is available via REST, within the Signing block:

    curl -fsS -X PUT -H 'Content-Type: application/json' --data \
        "{\"AcquireByHash\": true, \"Snapshots\": [{\"Component\": \"main\", \"Name\": \"$aptly_snapshot\"}],
                                   \"Signing\": {\"Batch\": true, \"Keyring\": \"aptly.repo/aptly.pub\",
                                                 \"secretKeyring\": \"aptly.repo/aptly.sec\", \"PassphraseFile\": \"aptly.repo/passphrase\"}}" \
        -u $aptly_user:$aptly_password ${aptly_api}/api/publish/$aptly_published

(from: upload-artifacts.sh)
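
An added example, not part of the thread or of aptly's own scripts: the first-time publish from the issue (a POST to /api/publish/<prefix>) with "Batch" and "PassphraseFile" set in the Signing block, plus a permission check for the passphrase file. The function names, the netrc file and all paths and names passed in are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: non-interactive signing through the aptly publish API.
# All function names and any paths passed in are hypothetical placeholders.

# Escape backslashes and double quotes so a value can sit inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Succeeds only if the file exists and grants nothing to group or others.
# Run this on the aptly host: PassphraseFile is a path read on the server side.
passphrase_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# publish_body SOURCE_KIND SOURCE_NAME DISTRIBUTION PASSPHRASE_FILE
# "Batch": true is the REST counterpart of the -batch command line flag.
# The passphrase itself never appears in the request, only the file path.
publish_body() {
    printf '{"SourceKind": "%s", "Sources": [{"Name": "%s"}], ' \
        "$(json_escape "$1")" "$(json_escape "$2")"
    printf '"Distribution": "%s", ' "$(json_escape "$3")"
    printf '"Signing": {"Batch": true, "PassphraseFile": "%s"}}\n' \
        "$(json_escape "$4")"
}

# publish API_URL PREFIX NETRC_FILE BODY
# The body goes in on stdin and the credentials come from a netrc file
# (assumed to exist with mode 600) instead of -u, so neither shows up in the
# process list.
publish() {
    printf '%s' "$4" | curl -fsS -X POST -H 'Content-Type: application/json' \
        --netrc-file "$3" --data @- "$1/api/publish/$2"
}
```

Call `passphrase_file_is_private` on the aptly host before `publish`, since the path in "PassphraseFile" is resolved by the aptly service, not by the client sending the request.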
