Hello,
While uploading a new archive to ftp.gnu.org, I noticed that gnupload
does not play nice with newer version of gpg.
On Debian 10 with /usr/bin/gpg being "gpg (GnuPG) 2.2.12",
the signage step fails with:
$ ./build-aux/gnupload --to ftp.gnu.org:datamash datamash-1.5.tar.gz
Enter GPG passphrase:
Signing datamash-1.5.tar.gz ...
gpg: signing failed: Inappropriate ioctl for device
The reason is that gnupload effectively uses the following command:
echo "$passphrase" \
| gpg --batch --no-tty --passphrase-fd 0 -ba -o $FILE.sig $FILE
But for GPG>=v2.1 the manual page says:
--passphrase-fd n
[....] Since Version 2.1 the --pinentry-mode also needs
to be set to loopback.
And so,
gnupload runs 'gpg' in a way that ignores the passphrase on STDIN,
and it tries to use gpg-agent to ask for the password on the TTY.
Being run from inside gnupload, it doesn't find the tty and fails.
---
Possibe work-arounds:
1.
Run:
export GPG_TTY=$(tty)
Before running 'gnupload'. This will help gpg find the TTY.
gnupload will first ask for the passphrase as usual. This first
passphrase will be ignored. GPG will then ask for the passphrase again
using its own interface.
2.
Use symlink to for gpg to be gpg1, as described here:
https://lists.gnu.org/archive/html/bug-gnulib/2017-11/msg00007.html
3.
Modify 'gnupload' and add '-pinentry-mode=loopback' based on detected
gpg version (there is already some version detecting code there).
Untested patch:
---------
diff --git a/build-aux/gnupload b/build-aux/gnupload
index d24a924d3..92cc4cbb7 100755
--- a/build-aux/gnupload
+++ b/build-aux/gnupload
@@ -43,6 +43,11 @@ case "$gpg_agent_version" in
echo "WARNING: Using 'gpg', which is too old. You should install
'gpg2'." 1>&2
fi
;;
+ 2.*)
+ # gpg versions 2.1 and later require "--pinentry-mode=loopback"
+ # for "--batch --passphrase-fd" to work
+ GPG="gpg --pinentry-mode=loopback"
+ ;;
esac
;;
esac
---------
Hope this helps,
- assaf
