Hello,

I want to forward my host gpg-agent to an OCI container so that I can use a secret key that is available on the host to sign some packages inside the container. For this I create a bind mount of agent-extra-socket to /gpg-agent inside the container and start the container with

  $ docker run --volume $(gpgconf --list-dirs agent-extra-socket):/gpg-agent --entrypoint=sh -ti fedora:latest

Now inside the container I can see my socket:

  # ls -l /gpg-agent
  srwx------ 1 root root 0 Jun 4 17:45 /gpg-agent

From here on, I am kind of stuck. I fail to somehow make gpg-agent inside the container “use” the extra-socket. Here is what I am doing:

  # mkdir ~/.gnupg && chmod 700 ~/.gnupg
  # ln -s /gpg-agent ~/.gnupg/S.gpg-agent
  # ls -l ~/.gnupg/
  total 0
  lrwxrwxrwx 1 root root 10 Jun 4 18:29 S.gpg-agent -> /gpg-agent

However, as soon as I start the agent explicitly, the symlink to the socket is overwritten.

  # gpg-connect-agent "keyinfo --list" /bye
  # ls -l ~/.gnupg/
  total 8
  srwx------ 1 root root    0 Jun 4 18:31 S.gpg-agent
  srwx------ 1 root root    0 Jun 4 18:31 S.gpg-agent.browser
  srwx------ 1 root root    0 Jun 4 18:31 S.gpg-agent.extra
  srwx------ 1 root root    0 Jun 4 18:31 S.gpg-agent.ssh
  -rw-r--r-- 1 root root   96 Jun 4 18:31 gpg-agent.conf
  drwx------ 2 root root 4096 Jun 4 18:31 private-keys-v1.d

  # cat ~/.gnupg/gpg-agent.conf
  default-cache-ttl 600
  max-cache-ttl 7200
  debug-level guru
  debug-all
  log-file /tmp/gpg-agent.log

  # cat /tmp/gpg-agent.log
  2018-06-04 18:31:58 gpg-agent[12] listening on socket '/root/.gnupg/S.gpg-agent'
  2018-06-04 18:31:58 gpg-agent[12] listening on socket '/root/.gnupg/S.gpg-agent.extra'
  2018-06-04 18:31:58 gpg-agent[12] listening on socket '/root/.gnupg/S.gpg-agent.browser'
  2018-06-04 18:31:58 gpg-agent[12] listening on socket '/root/.gnupg/S.gpg-agent.ssh'
  2018-06-04 18:31:58 gpg-agent[13] gpg-agent (GnuPG) 2.2.6 started
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK Pleased to meet you, process 10
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- RESET
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- OPTION ttyname=/dev/pts/0
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- OPTION ttytype=xterm
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- OPTION lc-ctype=C
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- OPTION lc-messages=C
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- keyinfo --list
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 -> OK
  2018-06-04 18:31:58 gpg-agent[13] DBG: chan_10 <- [eof]
  2018-06-04 18:32:02 gpg-agent[13] DBG: agent_cache_housekeeping

GnuPG version on the host: 2.2.7
GnuPG version in the container: 2.2.6

Also note that I neither use SSH nor socat to connect. Just that bind mount of the socket.

I am aware that I need to fetch my public key before I can “see” and use the secret key. But from what I can see, it fails earlier.

Any pointers heavily appreciated.

BK

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
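As an added example (not from the post, and not GnuPG's own code), a Python pre-flight check to run inside the container before touching gpg: it connects straight to the mounted socket and performs the same Assuan exchange the log shows (greeting, then a command answered by OK), so a broken mount is reported as an error instead of gpg auto-starting a local agent and clobbering the symlink. The path /gpg-agent, the ~/.gnupg/S.gpg-agent symlink layout and the mock agent are assumptions taken from the post; the mock exists only so the script runs offline.

```python
import os
import socket
import stat
import tempfile
import threading

def check_agent_socket(path, timeout=5.0):
    """Return the version reported by the gpg-agent listening at `path` (symlinks are followed)."""
    if not stat.S_ISSOCK(os.stat(path).st_mode):   # e.g. a directory Docker created because the host path was missing
        raise ValueError(f"{path} is not a unix socket")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock, sock.makefile("rb") as reply:
        sock.settimeout(timeout)
        sock.connect(path)                          # ECONNREFUSED: the file exists but no agent is behind it
        if not reply.readline().startswith(b"OK"):  # greeting: "OK Pleased to meet you, process N"
            raise RuntimeError("no Assuan greeting; is this really a gpg-agent socket?")
        sock.sendall(b"GETINFO version\n")
        data = []
        for line in reply:                          # "D <data>" lines, terminated by OK or ERR
            if line.startswith(b"D "):
                data.append(line[2:].rstrip(b"\n"))
            elif line.startswith(b"OK"):            # closing the socket afterwards is enough; the
                return b"".join(data).decode()      # agent logs that as "<- [eof]", as in the post
            elif line.startswith(b"ERR"):
                raise RuntimeError(line.decode(errors="replace").strip())
    raise RuntimeError("agent closed the connection before answering")

def start_mock_agent(path, version="2.2.7"):
    """Constructed stand-in for the host's gpg-agent, used by selftest() only."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen()
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("rb") as cmds:
                conn.sendall(b"OK Pleased to meet you, process 10\n")
                for cmd in cmds:                    # the client closing its end ends this loop
                    if cmd.strip() == b"GETINFO version":
                        conn.sendall(b"D " + version.encode() + b"\nOK\n")
                    else:
                        conn.sendall(b"OK\n")       # RESET, OPTION, ...: just acknowledged
    threading.Thread(target=serve, daemon=True).start()

def selftest():  # mirrors the post's layout: the mounted socket plus a symlink to it from ~/.gnupg
    tmp = tempfile.mkdtemp()
    mounted, link = os.path.join(tmp, "gpg-agent"), os.path.join(tmp, "S.gpg-agent")
    start_mock_agent(mounted)
    os.symlink(mounted, link)
    return check_agent_socket(mounted), check_agent_socket(link)
```

Inside the container, call check_agent_socket("/gpg-agent") (or the symlink path) from a Python shell; the exception tells you which step fails, which gpg's auto-start otherwise hides.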