[OE-core] gpg signing and stale gpg-agent


Federico Pellegrin <fede.evol@...>
 



Hi all,
I've been working with signing packages via gpg (specificall RPM, but that shouldn't really matter) lately and things mostly work fine (modulo that small patch from some 2 weeks ago now in master).

I have just one more possibly minor issue I wanted to get possibly an opinion from the expert folk if possible!


Little background: to keep things isolated and not system dependant the GPG related files are kept in a separate directory. This is then specified via GPG_PATH (which then de facto is passed to various gpg tools as --homedir). The keys are then kept there and just as a detail that is then an encrypted FS which is just mounted/umounted when needed.

When gpg is run it will spawn a gpg-agent to deal with keys and this is fine. The problem I have is that after bitbake finished the gpg-agent will still be left running there and in my specific case this means that the directory (pointed by GPG_PATH) will figure as in use and therefore cannot be umounted. Of course if I kill by hand the gpg-agent then I can just proceed and so on.

So the first question is: is it 'nice' that after the bitbake execution we possibly leave as a matter of fact running stuff from Yocto around the system? 


As I wanted to come to pose a question also having done a bit of homework I tried to understand how I could fix this and right now I arrived at something like:

-------------

diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index aa9bb49f2c..d6d1fd9e6c 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -58,6 +58,12 @@ class LocalSigner(object):
         for i in range(0, len(files), sign_chunk):
             subprocess.check_output(shlex.split(cmd + ' '.join(files[i:i+sign_chunk])), stderr=subprocess.STDOUT)
 
+        gpg_conf_bin = bb.utils.which(os.getenv('PATH'), "gpgconf")
+        if gpg_conf_bin and self.gpg_path:
+            cmd = [ gpg_conf_bin ] + ["--homedir", self.gpg_path, "--kill", "gpg-agent"]
+            subprocess.check_output(cmd, stderr=subprocess.STDOUT)
+
+
     def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True, output_suffix=None, use_sha256=False):
         """Create a detached signature of a file"""
 
-------------

(note: I kill only if the homedir is defined, this is TBD, it's just a PoC)
So basically after the loop that does all the chunk-wise signing I ask gpgconf to stop the gpgagent and this actually seem to work pretty fine. But I'm not convinced this is the best as maybe it is stopped and restarted more than needed (TBC).

My desire was to make sure to do it just once, for example hooking on an "atexit" but that seemed to be called a bit randomly and not always (which is a bit puzzling for me, but maybe clear for the experts, as I saw atexit is also used in a couple of other places as cleanup).

So in short:
1) Do you think we should implement a clean-up of the gpg-agent or should we just live with it?
2) If yes should we do it always or just under some conditions? (ie. GPG_PATH is passed, not if using the user's default one?)
3) What would be the best way to get some cleanup code reliably called and just once? (if not the PoC above)

Many thanks in advance,
Federico

Join yocto@lists.yoctoproject.org to automatically receive all group messages.