sign-my-commits fails when gpg-agent and pinentry-curses are being used
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Bazaar | Fix Released | Low | John A Meinel | | |
Bug Description
When trying to use sign-my-commits with gpg-agent and pinentry-curses in use, the command fails with:
$ bzr sign-my-commits
<email address hidden>
You need a passphrase to unlock the secret key for
user: "James Westby <email address hidden>"
1024-bit DSA key, ID B577FE13, created 2006-06-02
gpg: cancelled by user
gpg: no default secret key: bad passphrase
gpg: [stdin]: clearsign failed: bad passphrase
bzr: ERROR: Failed to gpg sign data with command '['gpg', '--clearsign']'
But works with pinentry-gtk2.
The problem can be seen in that
cat test | gpg --clearsign fails, where gpg --clearsign test succeeds.
So
process = subprocess.
will cause it to fail in this case.
I think it is reasonable for pinentry-curses to work in this case, but maybe it could be handled more gracefully.
The solution I immediately thought of was to write the commit to a temporary file and pass that to gpg. But as LarstiQ pointed out this could be troublesome.
Hopefully someone smarter can think up a better solution.
James
This plugin:
http://bzr.arbash-meinel.com/plugins/gpg_uses_tempfile/
Uses a temporary chmod directory, followed by a temporary chmod file, to prevent tampering. And spawns 'gpg --clearsign' on the file.
Implemented as a plugin, because it is not as safe as using pipes. But is a reasonable workaround.
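A sketch of the workaround described in the comment above, as an added example that is not the plugin's own code: the data is written to an owner-only file inside an owner-only temporary directory, and the signer is given the path so its stdin stays attached to the caller's terminal instead of a pipe. The function name, the `sign_cmd` parameter and the file name `commit.txt` are assumptions made for this illustration.

```python
import os
import shutil
import subprocess
import tempfile


def clearsign_via_tempfile(data, sign_cmd=("gpg", "--clearsign")):
    """Sign `data` (bytes) by handing the signer a file path instead of a pipe.

    sign_cmd is an assumption of this sketch: any command that, given PATH as
    its last argument, writes the signed text to PATH + ".asc" (as
    `gpg --clearsign PATH` does).
    """
    # mkdtemp creates the directory with mode 0700, so no other user can
    # list it, swap the file, or plant a PATH.asc before the signer runs.
    workdir = tempfile.mkdtemp(prefix="sign-")
    try:
        path = os.path.join(workdir, "commit.txt")
        # O_EXCL: fail rather than follow or reuse anything already there.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.fchmod(fd, 0o600)  # owner-only regardless of the caller's umask
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        # stdin is inherited rather than piped, matching the
        # `gpg --clearsign test` form that the report says succeeds.
        rc = subprocess.call(list(sign_cmd) + [path])
        if rc != 0:
            raise RuntimeError("signing command failed with exit code %d" % rc)
        with open(path + ".asc", "rb") as f:
            return f.read()
    finally:
        # Remove the plaintext and the signed copy whatever happened.
        shutil.rmtree(workdir, ignore_errors=True)
```

Unlike a pipe, the plaintext exists on disk for the duration of the call, which is the trade-off the comment refers to.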