Snapcraft

snapcraft validate (and possibly other operations requiring gpg passphrases) fail on remote/headless systems

Bug #1917919 reported by Daniel Manrique on 2021-03-05

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Snapcraft	Triaged	Medium	Unassigned
	snapd	Triaged	Medium	Samuele Pedroni

Bug Description

A customer reported (and I was able to reproduce) getting an error when using snapcraft validate.

The key to reproducing (for me at least - still awaiting confirmation from customer) was doing this on a remote headless system. Sounds like gpg is trying to invoke something that isn't present on the system to get the passphrase and then fails. But it seems to happen only when gpg is invoked by snapcraft - so perhaps gpg is detecting something about its running environment or stdin/out redirection when running under snapcraft, and trying to ask for the password differently, and one thing to do would be forcing gpg to ask for the password a different way or something.

To reproduce:

1- ssh into a system that has snapcraft. I used a VM installed from an ubuntu server cloud image.

snapcraft validate allyoursnaparebelongtous1 allyoursnaparebelongtous2=2 --key-name an-example-three
Getting details for allyoursnaparebelongtous2
Signing validations assertion for allyoursnaparebelongtous2=2
Error signing validations assertion for allyoursnaparebelongtous2=2: error: cannot sign assertion: cannot sign using GPG: /usr/bin/gpg --personal-digest-preferences SHA512 --default-key 0x4A7677B256FB90F61B91C061C3E6F877EC048DD3 --detach-sign failed: exit status 2 ("gpg: signing failed: No such file or directory\ngpg: signing failed: No such file or directory\n")

The workaround is to first run the gpg command outside of snapcraft, so the key is unlocked:

echo "lalal" > a-file
/usr/bin/gpg --homedir=.snap/gnupg --personal-digest-preferences SHA512 --default-key 0xE185A8404D4CCDA151FA4AC51F5108DA9CD52BC6 --detach-sign a-file

then the snapcraft operation succeeds:

snapcraft validate allyoursnaparebelongtous1 allyoursnaparebelongtous2=2 --key-name an-example-two
Getting details for allyoursnaparebelongtous2
Signing validations assertion for allyoursnaparebelongtous2=2

snapcraft version
snapcraft, version 4.5.4

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic

snap version
snap 2.49
snapd 2.49
series 16
ubuntu 18.04
kernel 4.15.0-136-generic

This is likely related to:

https://forum.snapcraft.io/t/snap-sign-unable-to-invoke-gpg-agent-pinentry/10938

and:

https://bugs.launchpad.net/snapcraft/+bug/1866257

from the latter, "there is a known issue with gpg-agent not freeing the lock"

Revision history for this message

Sergio Schvezov (sergiusens) wrote on 2021-03-05:

I have this issue myself when not on a desktop system. This is "snap sign", provided by snapd which probably needs to work without an agent or needs to know how to start one (an implementation detail inside snapd for snapcraft).

Sergio Schvezov (sergiusens) on 2021-03-11

Changed in snapcraft:
status:	New → Triaged

Samuele Pedroni (pedronis) on 2021-03-25

Changed in snapd:
assignee:	nobody → Samuele Pedroni (pedronis)

Sergio Schvezov (sergiusens) on 2021-03-25

Changed in snapcraft:
importance:	Undecided → Medium

Revision history for this message

Kyle Nitzsche (knitzsche) wrote on 2021-09-02:

I have found `export GPG_TTY=$(tty)` resolves the snap sign issue.

Maciej Borzecki (maciek-borzecki) on 2022-05-26

Changed in snapd:
importance:	Undecided → Medium
status:	New → Triaged

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.