I use Fedora on my main laptop, but sometimes I need to GPG-sign something in an Ubuntu environment.
I store my GPG key on my Yubikey and access the device with gpg-agent. Here are instructions for forwarding my gpg-agent connection into a Docker container.
This will only work with an ubuntu:xenial image or newer, because Trusty ships GPG 2.0 and this needs 2.1. Earlier GPG 2 versions fail because they still need direct access to the private-key data in secring.gpg rather than going through the agent. See https://www.gnupg.org/faq/whats-new-in-2.1.html#nosecring for more information.
On the host, bind-mount the gpg-agent socket when running the container:
docker run --volume /home/kdreyer/.gnupg/S.gpg-agent-extra:/gpg-agent \
  --env GPG_AGENT_INFO=/gpg-agent:0:1 \
  -ti ubuntu:xenial
Within the container:
Xenial's gpg2 looks for the socket in ~/.gnupg, ignoring GPG_AGENT_INFO, so we have to link it in:
mkdir -p ~/.gnupg && chmod 700 ~/.gnupg
ln -s /gpg-agent ~/.gnupg/S.gpg-agent
Trust the kdreyer@redhat.com key:
gpg2 --keyserver keys.fedoraproject.org --recv 478A947F782096AC
echo -e "trust\n5\ny\n" | gpg2 --command-fd 0 --edit-key kdreyer@redhat.com
Test a signature operation:
echo hi | gpg2 -as -u kdreyer@redhat.com --use-agent
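Before wiring the socket in, it is worth checking the two things this setup depends on: that the container's gpg2 is really 2.1 or newer, and that the bind-mounted path actually is a unix socket (if the host agent was not running, or the path did not exist on the host, Docker bind-mounts an empty directory instead). The script below is an added example, not part of the original post; it assumes the socket was mounted at /gpg-agent as in the docker run command above, and it only links the host's restricted S.gpg-agent-extra socket, never the full S.gpg-agent one, so the container cannot drive key-management operations on the host agent.

```shell
#!/bin/sh
# Pre-flight checks for using a host gpg-agent inside a container (added example).
# Assumed layout: the host's S.gpg-agent-extra is bind-mounted at /gpg-agent.

# Return 0 if a dotted version string such as "2.1.11" is 2.1 or newer.
gpg_version_ok() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }
}

# Pull the version out of `gpg2 --version` output; its first line reads "gpg (GnuPG) X.Y.Z".
parse_gpg_version() {
    printf '%s\n' "$1" | sed -n '1s/^gpg (GnuPG) \([0-9.]*\).*/\1/p'
}

# Create the gnupg directory with owner-only permissions; gpg warns on anything looser.
setup_gnupg_dir() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir"
}

# Symlink the bind-mounted socket to where gpg2 expects it. Refuse anything that
# is not a unix socket, since a missing host socket shows up as an empty directory.
link_agent_socket() {
    src=$1
    dir=$2
    if [ ! -S "$src" ]; then
        echo "error: $src is not a unix socket; is gpg-agent running on the host?" >&2
        return 1
    fi
    setup_gnupg_dir "$dir" || return 1
    ln -sfn "$src" "$dir/S.gpg-agent"
}

# Full check as run inside the container: version gate, then socket link.
main() {
    ver=$(parse_gpg_version "$(gpg2 --version 2>/dev/null)")
    if [ -z "$ver" ] || ! gpg_version_ok "$ver"; then
        echo "error: need GnuPG 2.1 or newer, found '${ver:-none}'" >&2
        return 1
    fi
    link_agent_socket "${GPG_AGENT_SOCKET:-/gpg-agent}" "$HOME/.gnupg" || return 1
    echo "gpg-agent socket linked; try: echo hi | gpg2 -as -u <key id> --use-agent"
}

# Only run the checks when invoked with --check, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it inside the container as `sh gpg-forward-check.sh --check`; the hypothetical GPG_AGENT_SOCKET variable overrides the /gpg-agent default if you mounted the socket somewhere else.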
Now we can use GPG with other tools, for example debsign:
debsign -p gpg2 tambo_0.4.0-0ubuntu0.16.04.1_source.changes
Note there's a bug in dput: it hardcodes /usr/bin/gpg when verifying signatures, so you'll have to import your key again into the gpg1 key store:
gpg --keyserver keys.fedoraproject.org --recv 478A947F782096AC
And then you can upload to a Launchpad PPA:
dput ppa:kdreyer-redhat/ceph-medic tambo_0.4.0-0ubuntu0.16.04.1_source.changes