[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Beware of leftover gpg-agent processes (was: Re: Changes for GnuPG in debian)


Quoting Daniel Kahn Gillmor (2016-08-04 18:29:03)
> One of the main differences is that all access to your secret key will be
> handled through gpg-agent, which should be automatically launched as needed.

it might be important to note that gpg launching this gpg-agent process is not
optional and that it will automatically be launched and continue running in the
background for many gpg operations. This means, that applications that use gpg
from within a short-lived container (like during package builds, for example as
part of a test suite) should probably add a

gpgconf --kill gpg-agent

somewhere after they are done with all gpg related operations or otherwise it
will be impossible to unmount /dev from the container until gpg-agent died
after a timeout.  It is also important to note that not all versions of gpgconf
have the --kill switch.  This command must be run with the same $GNUPGHOME that
was used to run gpg.

Doing this might be made complicated if your scripts do not call gpg directly
but use tools that in turn call gpg. For example apt-key uses a temporary
$GNUPGHOME which is removed after apt-key exits and thus it is impossible to
use "gpgconf --kill gpg-agent" to kill the gpg-agent process left by apt-key.
This was fixed in the apt git, but there might be similar situations around.


cheers, josch

Attachment: signature.asc
Description: signature

Reply to: