niderecha n00b

Joined: 10 Nov 2024 Posts: 20
|
Posted: Wed Nov 13, 2024 10:49 pm Post subject: [WORKAROUND] binary packages signing: gpg database lock |
|
|
Hi. I'm trying to compile and sign binary packages. It doesn't work for me without strange manual steps, and googling didn't help.
If I run for example
it fails with
Code: | >>> Completed installing sys-apps/cpuid-20240916 into /var/tmp/portage/sys-apps/cpuid-20240916/image
* Final size of build directory: 1240 KiB (1.2 MiB)
* Final size of installed tree: 626 KiB
strip: x86_64-pc-linux-gnu-strip --strip-unneeded -N __gentoo_check_ldflags__ -R .comment -R .GCC.command.line -R .note.gnu.gold-version
/usr/bin/cpuid
!!!
gpg: Note: database_open 134217901 waiting for lock (held by 666240) ...
gpg: Note: database_open 134217901 waiting for lock (held by 666240) ...
gpg: Note: database_open 134217901 waiting for lock (held by 666240) ...
gpg: Note: database_open 134217901 waiting for lock (held by 666240) ...
gpg: Note: database_open 134217901 waiting for lock (held by 666240) ...
gpg: keydb_search failed: Connection timed out
gpg: skipped "0x306A307EE50F1047": Connection timed out
gpg: signing failed: Connection timed out
Traceback (most recent call last):
File "/usr/lib/portage/python3.12/gpkg-helper.py", line 75, in <module>
rval = main(sys.argv[:])
^^^^^^^^^^^^^^^^^
|
The process 666240 here is
Code: | keyboxd --homedir /root/.gnupg --daemon |
But it didn't exist when I was starting the emerge.
If, after I start emerge, I run
then emerge completes successfully.
My make.conf:
Code: | ...
BINPKG_FORMAT="gpkg"
FEATURES="${FEATURES} getbinpkg binpkg-request-signature buildpkg binpkg-signing"
BINPKG_GPG_SIGNING_GPG_HOME="/root/.gnupg"
BINPKG_GPG_SIGNING_KEY="0x306A307EE50F1047"
...
|
Last edited by niderecha on Sat Nov 16, 2024 2:08 pm; edited 2 times in total |
bstaletic Guru

Joined: 05 Apr 2014 Posts: 474
|
niderecha n00b

Joined: 10 Nov 2024 Posts: 20
|
Posted: Wed Nov 13, 2024 11:01 pm Post subject: |
|
|
yes... If I kill root's keyboxd after I start emerge, then everything goes through |
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1528 Location: Richmond Hill, Canada
|
Posted: Thu Nov 14, 2024 12:20 am Post subject: |
|
|
niderecha,
Does the root user have a /root/.gnupg/common.conf file? And if that file exists, do you have "use-keyboxd" in it? If "use-keyboxd" exists, you need to comment it out. |
niderecha n00b

Joined: 10 Nov 2024 Posts: 20
|
Posted: Thu Nov 14, 2024 9:45 am Post subject: |
|
|
Code: | # cat ~/.gnupg/common.conf
use-keyboxd |
Yes, apparently so. I didn't touch this file myself, I guess it was created by one of the gpg invocations. It's safe to delete it, right? |
niderecha n00b

Joined: 10 Nov 2024 Posts: 20
|
Posted: Thu Nov 14, 2024 9:50 am Post subject: |
|
|
Uh, without that file things break differently
Code: | # emerge -av1 cpuid
Local copy of remote index is up-to-date and will be used.
These are the packages that would be merged, in order:
Calculating dependencies... done!
Dependency resolution took 2.04 s (backtrack: 0/20).
[ebuild N ] sys-apps/cpuid-20240916::gentoo 0 KiB
Total: 1 package (1 new), Size of downloads: 0 KiB
Would you like to merge these packages? [Yes/No]
>>> Unlocking GPG... gpg: skipped "0x306A307EE50F1047": No secret key
gpg: signing failed: No secret key
!!! GPG unlock failed |
|
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1528 Location: Richmond Hill, Canada
|
Posted: Thu Nov 14, 2024 12:35 pm Post subject: |
|
|
niderecha wrote: | Code: | # cat ~/.gnupg/common.conf
use-keyboxd |
Yes, apparently so. I didn't touch this file myself, I guess it was created by one of the gpg invocations. It's safe to delete it, right? |
No, I asked to comment out the line, not delete the file. |
niderecha n00b

Joined: 10 Nov 2024 Posts: 20
|
Posted: Thu Nov 14, 2024 2:34 pm Post subject: |
|
|
With the line commented out I get the same error as without the file |
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1528 Location: Richmond Hill, Canada
|
Posted: Thu Nov 14, 2024 3:34 pm Post subject: Re: binary packages signing: gpg database lock |
|
|
niderecha wrote: | My make.conf:
Code: | ...
BINPKG_FORMAT="gpkg"
FEATURES="${FEATURES} getbinpkg binpkg-request-signature buildpkg binpkg-signing"
BINPKG_GPG_SIGNING_GPG_HOME="/root/.gnupg"
BINPKG_GPG_SIGNING_KEY="0x306A307EE50F1047"
...
|
|
I am no GPG expert, so I don't know what that error is about. I just searched for what "keyboxd" is and found some explanation of how it got started.
However, how did you arrive at "0x306A307EE50F1047"? It looks to me like something random, so have you stored a "key" for it somewhere? |
pingtoo Veteran


Joined: 10 Sep 2021 Posts: 1528 Location: Richmond Hill, Canada
|
niderecha n00b

Joined: 10 Nov 2024 Posts: 20
|
Posted: Thu Nov 14, 2024 3:55 pm Post subject: |
|
|
I don't understand gpg at all. Actually, I don't even need or want to sign the packages, but I want to mix my own packages with packages from gentoo binhost, for which I want to verify the signature. And it means I have to sign my own binary packages too...
"0x306A307EE50F1047" is my key which I generated by "gpg --full-generate-key"
Then I followed https://forums.gentoo.org/viewtopic-p-8828115.html to make portage understand my key (I haven't found any other manuals):
Code: | # gpg --output - --export 0xB9FE342E12D2B962 | gpg --homedir /etc/portage/gnupg --import -
# cat /etc/portage/gnupg/pass
(here goes password used later on lsign stage)
# gpg --homedir /etc/portage/gnupg --edit-key 0xB9FE342E12D2B962
gpg> trust
...
4 = I trust fully
...
Your decision? 4
gpg> lsign
...
Really sign? (y/N) y
... enter password from above ...
gpg> save
# gpg --homedir /etc/portage/gnupg --check-trustdb
# emerge whatever |
Last edited by niderecha on Thu Nov 14, 2024 4:01 pm; edited 1 time in total |
niderecha n00b

Joined: 10 Nov 2024 Posts: 20
|
Posted: Thu Nov 14, 2024 3:59 pm Post subject: |
|
|
heh, sure I did  |
niderecha n00b

Joined: 10 Nov 2024 Posts: 20
|
Posted: Fri Nov 15, 2024 9:13 am Post subject: |
|
|
I got it working. This is not a solution but a workaround, which I tried after reading again https://forums.gentoo.org/viewtopic-p-8828115.html
It's very quick. Set up all the keys in /etc/portage/gnupg, without touching /root:
Code: | gpg --homedir=/etc/portage/gnupg --full-generate-key |
Choose an empty passphrase if no security is needed and you just want the packages signed without having to enter the passphrase on each call to emerge.
Get the new key from the output of
Code: | gpg --homedir=/etc/portage/gnupg --list-keys --keyid-format 0xlong |
and set up make.conf with that key, 0x306A307EE50F1047 for me:
Code: | BINPKG_GPG_SIGNING_GPG_HOME="/etc/portage/gnupg"
BINPKG_GPG_SIGNING_KEY="0x306A307EE50F1047" |
P.S.: There's probably a bug which does not let me use BINPKG_GPG_SIGNING_GPG_HOME="/root/.gnupg", and I'm not getting close to its roots, but the above "worksforme" |
|
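Added example, not part of the original thread or of Portage: a filesystem-only pre-flight check for the signing setup from the last post. It flags an active `use-keyboxd`, a homedir holding no secret key files, and loose homedir permissions, which are the only protection for a key with an empty passphrase. The function names are hypothetical, and the check assumes GnuPG's standard homedir layout (`common.conf`, `private-keys-v1.d/*.key`); it does not confirm that the configured key ID is among those files.

```sh
#!/bin/sh
# Added example (not Portage code): filesystem-only pre-flight check for the
# binpkg-signing settings discussed in this thread. It never runs gpg, so it
# cannot itself start keyboxd or take the key database lock.

# conf_value FILE NAME: print the value of the last NAME=... assignment.
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# check_signing_setup MAKE_CONF: print findings, return the number of FAILs.
check_signing_setup() {
    fails=0
    home=$(conf_value "$1" BINPKG_GPG_SIGNING_GPG_HOME)
    key=$(conf_value "$1" BINPKG_GPG_SIGNING_KEY)
    [ -n "$key" ] || { echo "FAIL: BINPKG_GPG_SIGNING_KEY is not set"; fails=$((fails + 1)); }
    if [ -z "$home" ] || [ ! -d "$home" ]; then
        echo "FAIL: signing homedir '${home}' is unset or not a directory"
        return $((fails + 1))
    fi
    # gpg expects the homedir to be private to its owner (mode 0700).
    perms=$(ls -ld "$home" | cut -c1-10)
    [ "$perms" = "drwx------" ] || echo "WARN: $home has mode $perms, expected drwx------"
    # An active use-keyboxd line means gpg talks to the keyboxd daemon,
    # the process that held the lock in the first post.
    if grep -Eq '^[[:space:]]*use-keyboxd' "$home/common.conf" 2>/dev/null; then
        echo "WARN: use-keyboxd is active in $home/common.conf"
    fi
    # Secret keys live as *.key files under private-keys-v1.d.
    set -- "$home"/private-keys-v1.d/*.key
    if [ ! -e "$1" ]; then
        echo "FAIL: no secret key files in $home/private-keys-v1.d"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Run against the real config when given an argument, e.g.
#   sh check-signing.sh /etc/portage/make.conf
if [ "$#" -gt 0 ]; then check_signing_setup "$1"; fi
```

The make.conf parser reads only the two assignments and never sources the file, so it is safe to run as root against an untrusted config.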