From: Scott Hansen
Subject: Re: [Duplicity-talk] Being asked signing passphrase even when SIGN_PASSPHRASE or --use-agent is set
Date: Tue, 28 Aug 2012 15:31:37 -0700
User-agent: Mutt/1.5.21 (2010-09-15)

On Tue, Aug 28, 2012 at 09:20:34PM +0200, address@hidden wrote:
> your export statement seems wrong. try leaving away the dollar e.g.
> 
> export PASSPHRASE
> 
> see http://ss64.com/bash/export.html 
> actually you could as well 
> 
> export PASSPHRASE="secret"
> 
> to make it shorter.
> 

Oops :) Ok, fixed that. I actually tried the `export PASSPHRASE="secret"`
originally, but it didn't seem to work. Honestly didn't go back and retest
this again after I figured out how to make gpg-agent work right. It seems
more logical to me to use gpg-agent, especially because it's more likely that
my scripts would accidentally be posted someplace with the passphrases.

On Tue, Aug 28, 2012 at 09:27:52PM +0200, address@hidden wrote:
> On 28.08.2012 21:20, address@hidden wrote:
> additionally: 
>  i am not sure that gpg-agent and env vars (PASSPHRASE etc.) work together.
>  i assume that gpg-agent will always ask for the passphrases on the first
>  use and keep them in memory from thereon.
> 

Well, I think I solved the problem. It appears that keychain has a bug where
it doesn't cache both the encryption and signing passphrases for a given gpg
key when you initially enter the passphrase for the gpg-agent keys. It took
me a long time to figure out that it was normal for gpg to ask for signing
and encryption passphrases separately even though you typically assign just
one passphrase when you generate the key. 

So I moved away from keychain for my gpg-agent needs and wrote a small
function in .bashrc to ensure that all my passphrases for all the keys are
cached by running that function (I just have to remember to log in as root and
run that function anytime my server gets rebooted.) If there's another way to
make sure both passphrases are cached, I'd love to hear it! This seems
awfully hack-ish, but I couldn't find any other solutions.

/root/.bashrc:

    ......
    # Start gpg-agent if it is not already running for this user; otherwise
    # re-import the variables (GPG_AGENT_INFO etc.) it wrote to gpg-agent-info
    # so this shell can talk to the existing agent.
    function gpg_start {
        gnupginf="${HOME}/.gnupg/gpg-agent-info"
        if pgrep -u "${USER}" gpg-agent >/dev/null 2>&1; then
            eval "$(cat "$gnupginf")"
            eval "$(cut -d= -f1 < "$gnupginf" | xargs echo export)"
        else
            eval "$(gpg-agent -s --daemon --write-env-file "$gnupginf")"
        fi
    }
    # Use each key once for encryption, signing and decryption so that
    # gpg-agent prompts for, and caches, both the encryption and the signing
    # passphrase; the scratch files are removed afterwards.
    function keys {
        touch test-gpg.txt
        touch test-gpg.txt1
        gpg -r 'Duplicity Encryption Key' -e test-gpg.txt
        gpg -r 'Duplicity Signature Key' -e test-gpg.txt1
        gpg -u E6C991E3 --detach-sign test-gpg.txt
        gpg -u 42A79D21 --detach-sign test-gpg.txt1
        gpg -d test-gpg.txt.gpg
        gpg -d test-gpg.txt1.gpg
        rm test-gpg.txt*
    }
    gpg_start
    ......

I also have very long expiration times set in .gnupg/gpg-agent.conf:

    max-cache-ttl 60480000
    default-cache-ttl 60480000

I made an entry on the Arch Wiki duplicity page reflecting this in case other
people have troubles with unattended backups using gpg-agent.
https://wiki.archlinux.org/index.php/Duplicity#Example_backup_script

I've now got my interrupted backup continuing without any more glitches. I
think it must have worked for a long time because I would just run the backup
script manually the first time after a reboot, so all the passphrases for
gpg-agent would be cached...until I finally rebooted the server and actually
wanted this to work properly!

Hope that all made sense.

Thanks!
Scott
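For anyone who stays with the PASSPHRASE / SIGN_PASSPHRASE environment variables that duplicity reads rather than gpg-agent, the concern raised above (a script with passphrases in it getting posted somewhere) can be reduced by keeping the secrets in a separate root-only file and refusing to load them if that file is not protected. The following is an added example, not code from this thread or from duplicity; the file name, its NAME=value format and the function names are assumptions.

```bash
#!/bin/bash
# Hypothetical helper (not part of duplicity): load PASSPHRASE and
# SIGN_PASSPHRASE from a secrets file instead of hard-coding them in the
# backup script.  Assumed file format, one entry per line:
#   PASSPHRASE=encryption-key-passphrase
#   SIGN_PASSPHRASE=signing-key-passphrase

# Return 0 only if $1 is a regular file owned by the caller with no
# group/other permission bits set (mode 0600 or stricter).
secret_file_ok() {
    f=$1
    [ -f "$f" ] && [ -O "$f" ] || return 1
    # columns 5-10 of "ls -l" output are the group and other permission bits
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Export PASSPHRASE / SIGN_PASSPHRASE from the file; leave the environment
# untouched and return 1 if the file is missing or not adequately protected.
load_duplicity_passphrases() {
    f=$1
    secret_file_ok "$f" || {
        echo "refusing $f: not a 0600 file owned by the current user" >&2
        return 1
    }
    while IFS='=' read -r name value; do
        case "$name" in
            PASSPHRASE|SIGN_PASSPHRASE) export "$name=$value" ;;
            ''|'#'*) ;;                       # skip blank lines and comments
            *) echo "ignoring unknown key: $name" >&2 ;;
        esac
    done < "$f"
    [ -n "$PASSPHRASE" ]
}

# Typical use in the backup script (constructed path):
#   load_duplicity_passphrases /root/.duplicity-secrets || exit 1
#   duplicity ... 
```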