-
-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gpg: signing failed: Inappropriate ioctl for device #313
Comments
@OJFord Are you able to repro with - name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@v3
with:
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }} |
@crazy-max I needed v4.1 since it's a signing key only. |
Ok, fwiw it looks like the key is imported correctly: https://github.com/OJFord/terraform-provider-wireguard/runs/3999550316?check_suite_focus=true#step:4:32. I will try to repro with GoReleaser. |
Yup absolutely, not blaming ghaction-import-gpg, that's why I opened here 🙂. Thanks. |
Ok seems to work fine with GoReleaser: https://github.com/goreleaser/goreleaser-action/runs/4262700166?check_suite_focus=true#step:6:83 So I would guess it's linked to your subkey. I will add some tests here with a subkey and try to repro with it. |
You have two keygrips there: https://github.com/goreleaser/goreleaser-action/runs/4262700166?check_suite_focus=true#step:4:39 suggests it's not just a signing key? |
Oh sorry think I misunderstood your comment. Yes, agreed. |
@crazy-max Any progress with this? I just tried changing the key to one with encryption too; (RSA4096) not just the signing key, and I get the same: |
Perhaps 4096-bit RSA is what's common and somehow the problem? Is it worth trying EC, or lesser-bitted RSA? |
(Having changed the key to not be signing-only, so that that isn't the problem) yes. |
This seems related to actions/runner#241? I don't understand why seemingly only I have this issue with goreleaser-action though! |
With
But I'm not sure what the solution is, what input it's looking for - #201 was resolved by the author recreating the key, and then it just happened to work. I've tried multiple newly created keys and seen the same each time. I've also tried regenerating a key with all defaults (in gpg v2.2.32) - RSA&RSA, 3072 bit, no expiry; with a different passphrase, this time with no special characters. I'd appreciate any ideas, I'm at a bit of a loss; for now I think I'll just have to release outside of CI (i.e. with a tty). |
Feel silly for not thinking of this sooner, but creating the key without a passphrase seems to work around it successfully. |
Cf. goreleaser/goreleaser-action#313. I'm not sure why it's not working, but removing the passphrase seems to work as a workaround. Key created with ``` gpg --batch --generate-key <(echo ' Key-Type: default Subkey-Type: default Name-Real: ... Name-Comment: ... Name-Email: ... Expire-Date: 0 %no-ask-passphrase %no-protection %commit ') ```
Was not able to repro on my side with a subkey only or not and also with or without a passphrase. I will add some tests like I said but so far no issue. |
We're also facing this issue. removing the passphrase isn't something I feel comfortable with. Did anyone find another way yet? |
I figured something out, different sources use a different secret name for the passphrase. Goreleaser and grazy-max/ghaction uses So my guess is this error comes up if you are no longer reading an existing secret. Switching it back to PASSPHRASE fixed it for me. |
… from GPG_PASSPHRASE
To provide an additional data point: This is my working GPG configuration:
With the matching names in actions/secrets for the repository: IMO, the name ( Btw, I've automated the storing (and removal) of secrets so that they are only put on Github for the duration it takes to build a release. When done, I'm having it removed again. This can be done with |
No passphrase works using the example, having a passphrase chocks at
|
I mentioned this in a comment on closed issue: #201 (comment) but opening fresh as I've been unable to work around it, and perhaps the underlying cause is different.
https://github.com/OJFord/terraform-provider-wireguard/blob/fea1d2fcd9e1f90a2a6fe9dea220fb0fda35a311/.github/workflows/release.yml#L22-L36
The key is 4096-bit RSA, generated with a fresh
GNUPGHOME
andgpg --version
2.2.29, imported with [email protected] and failing with this error in goreleaser-action@v2:I have tried exporting
GPG_TTY=
(blank) and addingno-tty
to~/.gnupg/gpg.conf
, but no change.The text was updated successfully, but these errors were encountered: