67108933 Not implemented <GPG Agent> #146

Open
marcofranssen opened this issue Aug 2, 2022 · 3 comments
marcofranssen commented Aug 2, 2022

Behaviour

Steps to reproduce this issue

  1. Create a key with subkeys.
  2. Add a subkey for signing using ecdsa.
  3. Add a subkey for signing using RSA.
  4. Export the key using ASCII armor: gpg --armor --export-secret-keys KEYID | pbcopy
  5. Add the key as a secret for this workflow.
  6. Add the passphrase as a secret in GitHub for this workflow.

In this workflow I am selecting the RSA subkey for signing.

Expected behaviour

The key should successfully load into the gpg-agent.

Actual behaviour

Running this workflow fails with the following log:

Configuring GnuPG agent
::group::Getting keygrip for fingerprint
Getting keygrip for fingerprint
Error: ERR 67108933 Not implemented <GPG Agent>

Configuration

name: release
on:
  push:

jobs:
  release-provider:
    runs-on: ubuntu-22.04

    permissions:
      contents: write

    steps:
      - name: Checkout
        uses: actions/[email protected]
        with:
          fetch-depth: 0

      - name: Set up Go
        uses: actions/[email protected]
        with:
          go-version-file: 'go.mod'
          check-latest: true
          cache: true

      - name: Import GPG key
        uses: crazy-max/[email protected]
        id: gpg
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          fingerprint: EA0A37E819AFBAE6

Logs

See attached build URL.

@marcofranssen
Author

Looking at the log and the related code it seems it fails retrieving the keygrip.

https://github.com/crazy-max/ghaction-import-gpg/blob/master/src/main.ts#L77

In the logs you will see there is no keygrip printed, meaning https://github.com/crazy-max/ghaction-import-gpg/blob/master/src/main.ts#L76 probably failed getting the keygrip.

@marcofranssen
Author

I finally figured it out. I was using the subkey ID as opposed to the subkey fingerprint. Now that I'm using the subkey fingerprint, everything works perfectly.

I figured it out when reading this code.

export const getKeygrip = async (fingerprint: string): Promise<string> => {
  return await exec
    .getExecOutput('gpg', ['--batch', '--with-colons', '--with-keygrip', '--list-secret-keys', fingerprint], {
      ignoreReturnCode: true,
      silent: true
    })
    .then(res => {
      return parseKeygripFromGpgColonsOutput(res.stdout, fingerprint);
    });
};

Probably would be good to document how to get the fingerprint of a given subkey id.

I did this via the following command.

gpg --batch --with-colons --with-keygrip --list-secret-keys | awk -F: '/^fpr:.*AE0B37D819AFABE6:/ { print $10 }'

The key ID AE0B37D819AFABE6 must be replaced with your own subkey ID, of course. Not sure if there is an easier way of getting this.
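
The key ID to fingerprint lookup from the comment above, as an added example that is not part of the original thread or of the action's code. It parses constructed gpg --with-colons --with-keygrip output and reports whether a selector matched a full fingerprint or only a long key ID; parseKeys, resolveKey and all sample key material are hypothetical.

```typescript
// Added example, not code from ghaction-import-gpg. All names are hypothetical.
interface KeyEntry {
  type: string;         // "sec" = primary secret key, "ssb" = secret subkey
  keyId: string;        // field 5 of the sec/ssb record (long key ID)
  capabilities: string; // field 12, e.g. "s" = sign, "e" = encrypt
  fingerprint: string;  // field 10 of the fpr record that follows
  keygrip: string;      // field 10 of the grp record that follows
}

// Constructed sample of `gpg --batch --with-colons --with-keygrip
// --list-secret-keys` output; IDs, fingerprints and keygrips are made up.
const pad = "0".repeat(24);
const SAMPLE_COLONS = [
  "sec:u:4096:1:1111AAAA2222BBBB:1659398400:::u:::scESC:",
  `fpr:::::::::${pad}1111AAAA2222BBBB:`,
  `grp:::::::::${"1".repeat(40)}:`,
  "uid:u::::1659398400::::Example User <user@example.invalid>:",
  "ssb:u:256:19:3333CCCC4444DDDD:1659398400::::::s:",
  `fpr:::::::::${pad}3333CCCC4444DDDD:`,
  `grp:::::::::${"2".repeat(40)}:`,
  "ssb:u:4096:1:5555EEEE6666FFFF:1659398400::::::s:",
  `fpr:::::::::${pad}5555EEEE6666FFFF:`,
  `grp:::::::::${"3".repeat(40)}:`,
].join("\n");

// Attach each fpr/grp record to the sec/ssb record that precedes it.
function parseKeys(colons: string): KeyEntry[] {
  const keys: KeyEntry[] = [];
  for (const line of colons.split(/\r?\n/)) {
    const f = line.split(":");
    const current = keys[keys.length - 1];
    if (f[0] === "sec" || f[0] === "ssb") {
      keys.push({ type: f[0], keyId: f[4] || "", capabilities: f[11] || "", fingerprint: "", keygrip: "" });
    } else if (f[0] === "fpr" && current && !current.fingerprint) {
      current.fingerprint = f[9] || "";
    } else if (f[0] === "grp" && current && !current.keygrip) {
      current.keygrip = f[9] || "";
    }
  }
  return keys;
}

// Resolve a selector; `by` says whether it was a full fingerprint or a key ID.
function resolveKey(colons: string, selector: string): { by: string; key?: KeyEntry } {
  const want = selector.replace(/\s+/g, "").replace(/^0x/i, "").toUpperCase();
  const keys = parseKeys(colons);
  const byFpr = keys.find(k => k.fingerprint === want);
  if (byFpr) return { by: "fingerprint", key: byFpr };
  const byId = keys.find(k => k.keyId === want);
  return byId ? { by: "keyid", key: byId } : { by: "none" };
}
```

A result with by equal to "keyid" means the selector was only a key ID, and key.fingerprint holds the 40-character value to use as the fingerprint instead.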

@bertramn

I am running into the same issue but adding the full fingerprint still does not make it work. You can get the fingerprint of subkeys like that:

gpg -K --with-subkey-fingerprint <[email protected]>
