Although I got a solution for the initial problem (using gpgv), I am still curious why all the other methods fail.
Any ideas?

On Fri, Jan 31, 2025 at 12:15:18AM +0100, Josef Wolf wrote:
> Hello all,
>
> I am trying to verify the signature of downloaded files when creating a docker
> container. This is what I am trying to do within the Dockerfile:
>
>   RUN gpg -v --status-fd 1 --no-keyring \
>       --trust-model always \
>       --recipient-file /pubkeys/release-key.txt \
>       --verify sigfile.asc foo.tar.gz
>
> This errors with "gpg: Can't check signature: No public key". Using strace, I
> can see that gpg won't even try to open /pubkeys/release-key.txt
>
> I also tried to de-armor the pubkey file and pass it as
>
>   RUN gpg --yes -o release-key.gpg --dearmor release-key.txt
>   RUN gpg -v --status-fd 1 --no-keyring \
>       --trust-model always \
>       --no-keyring --keyring /pubkeys/release-key.gpg \
>       --verify sigfile.asc foo.tar.gz
>
> with exactly the same result: gpg won't even try to open the keyfile.
>
> I also tried to import the pubkey and verify using the default keyring:
>
>   RUN gpg --import ql/release-key.txt
>   RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp
>
> but this one tries to start and connect to gpg-agent, which fails:
>
>   [1/2] STEP 17/21: RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp
>   gpg: Signature made Wed Jan 28 21:13:26 2015 UTC
>   gpg:                using RSA key 307965AB028B5FF7
>   gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
>   gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
>   gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
>   gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
>   gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
>   gpg: keydb_search failed: Operation timed out
>   gpg: Can't check signature: No public key
>   Error: building at STEP "RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp": while running runtime: exit status 2
>
> BTW: I create an empty ~/.gnupg directory before the very first gpg invocation
> to prevent the use-keyboxd option from being set.
>
> Does it really need to be that hard to verify a signature with a given pubkey?
>
> Any help?
>
> --
> Josef Wolf
> j...@raven.inka.de
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users

--
Josef Wolf
j...@raven.inka.de
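A build-time pattern that verifies a detached signature against one pinned key, added here as an example and not taken from the thread or from the GnuPG project. Two points it relies on: `--recipient-file` is an encryption option (it names the key to encrypt to) and is ignored by `--verify`, so it cannot supply a verification key; and `gpgv` as well as `gpg --keyring` read keyring files, not ASCII-armored key files, so the armored key has to be de-armored first. The file names, the `/build` directory, the base image and the `RELEASE_KEY_FPR` build argument are assumptions; the fingerprint value shown is a placeholder to be replaced with the real release key's fingerprint.

```dockerfile
# Added example, not code from the thread. Assumed inputs in the build context:
#   release-key.txt  ASCII-armored public key of the release signer
#   sigfile.asc      detached signature over foo.tar.gz
#   foo.tar.gz       the artifact to verify
FROM debian:bookworm-slim

RUN apt-get update \
 && apt-get install -y --no-install-recommends gnupg gpgv ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Keep all GnuPG state in a throwaway directory owned by this build, so no
# default ~/.gnupg, keybox or agent sockets from the base image are involved.
ENV GNUPGHOME=/tmp/gnupg
RUN install -d -m 700 "$GNUPGHOME"

# Placeholder fingerprint (assumption): replace with the expected 40-hex-digit
# fingerprint of the release key. Pinning it means a swapped key file fails
# the build instead of silently "verifying" against the wrong key.
ARG RELEASE_KEY_FPR=0000000000000000000000000000000000000000

WORKDIR /build
COPY release-key.txt sigfile.asc foo.tar.gz /build/

# 1. Check the key file is the key we expect before trusting anything in it.
#    --show-keys prints the key without importing; --with-colons gives the
#    fingerprint in field 10 of the "fpr" record.
RUN actual="$(gpg --batch --with-colons --show-keys release-key.txt \
                | awk -F: '$1 == "fpr" { print $10; exit }')" \
 && [ "$actual" = "$RELEASE_KEY_FPR" ] \
 || { echo "release key fingerprint mismatch: $actual" >&2; exit 1; }

# 2. De-armor into a binary keyring; gpgv and --keyring will not read armor.
RUN gpg --batch --yes --dearmor -o /build/release-key.gpg release-key.txt

# 3a. gpgv: built for exactly this job. Every key in its keyring is treated as
#     fully trusted, so the keyring must contain nothing but the release key
#     (step 1 guarantees that). Non-zero exit on a bad or missing signature
#     fails the build step.
RUN gpgv --keyring /build/release-key.gpg sigfile.asc foo.tar.gz

# 3b. Equivalent with plain gpg: use the de-armored file as a classic keyring
#     and keep gpg away from the default pubring.kbx with --no-default-keyring.
#     --batch disables prompting; --trust-model always skips web-of-trust checks
#     because the key was already pinned by fingerprint above.
RUN gpg --batch --no-default-keyring --keyring /build/release-key.gpg \
        --trust-model always --verify sigfile.asc foo.tar.gz
```

Only one of steps 3a and 3b is needed; both are shown to contrast the two tools. The `--keyring` paths are absolute on purpose: gpg and gpgv treat a bare file name (no slash) as relative to `$GNUPGHOME`, not to the working directory.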