sign-my-commits fails when gpg-agent and pinentry-curses are being used
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Bazaar |
Fix Released
|
Low
|
John A Meinel | ||
Bug Description
When trying to use sign-my-commits, with gpg-agent and pinentry-curses in use then the command fails with
$ bzr sign-my-commits
<email address hidden>
You need a passphrase to unlock the secret key for
user: "James Westby <email address hidden>"
1024-bit DSA key, ID B577FE13, created 2006-06-02
gpg: cancelled by user
gpg: no default secret key: bad passphrase
gpg: [stdin]: clearsign failed: bad passphrase
bzr: ERROR: Failed to gpg sign data with command '['gpg', '--clearsign']'
But works with pinentry-gtk2.
The problem can be seen that
cat test | gpg --clearsign fails, where gpg --clearsign test suceeds.
So
process = subprocess.
will cause it to fail in this case.
I think it is reasonable for pinentry-curses to work in this case, but maybe it could be handled more gracefully.
The solution I immediately thought of was to write the commit to a temporary file and pass that to gpg. But as LarstiQ pointed out this could be troublesome.
Hopfully someone smarter can think up a better solution.
James
Related branches
| John A Meinel (jameinel) wrote | #1 |
| Changed in bzr: | |
| importance: | Untriaged → Low |
| status: | Unconfirmed → Fix Committed |
| James Westby (james-w) wrote | #2 |
| John A Meinel (jameinel) wrote | #3 |
| John A Meinel (jameinel) wrote | #4 |
| Changed in bzr: | |
| assignee: | nobody → jameinel |
| status: | Fix Committed → Fix Released |
This plugin:
http://
Uses a temporary chmod directory, followed by a temporary chmod file, to prevent tampering. And spawns 'gpg --clearsign' on the file.
Implemented as a plugin, because it is not as safe as using pipes. But is a reasonable workaround.