-
-
Notifications
You must be signed in to change notification settings - Fork 153
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Call to signer failed: signing error: openpgp: s2k GNU dummy key: dummy key found #825
Comments
judging by the error, it seems the key is invalid... we do have tests for signing with subkeys... and we haven't changed anything related to crypt lately 🤔 |
Yeah, I am not sure what is going on either. I can verify that the key is not invalid. $ gpg -K
-----------------------------------------
sec ed25519/0x889B19391F774443 2022-11-11 [SC]
Key fingerprint = 78E8 2890 D40D 5D39 7D19 399F 889B 1939 1F77 4443
uid [ultimate] Smallstep Ops <[email protected]>
ssb rsa4096/0x1E43859CB855223C 2022-11-11 [S]
$ gpg --clearsign test.txt
$ cat test.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
This is a test
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEExj6yRTZfoHtxBoBJHkOFnLhVIjwFAmZ5iOoACgkQHkOFnLhV
IjymCw//WnQHSMijFoVZx3CmpOt+RDn8180Pt0Qa3mWH9DAnV0zPaQJafdQ+Idhk
H736vXsz1O/qmDe3+GqT3RDIAWpBYvLKBjTnq8TNOutBKpyrL1LVCrbvw+Z6F7Kn
dNFA0Ht5HuPJkIW8cq650lNxnJ/9d5DF6d+EMxKr5bcf+J2TlqbM+bmeapszVjmK
+TUR1PpdzeS57AzYFsukYII7QnZRLnhrfy/+pqBhfyfyw/9aT+OBxtZq0ux5Bs59
IkDUlutqilSrw50A63YXv2h30kBNl3EmOHOcyhBfs/PpsKibFltHeCQJhcrbjDeu
ZYrgc1CRPZtcLQOWB97+0tn+PmDvxiFldVBpWq9zXsftZFdFbDq4GbAyBGcSeRMr
oIuZUq5bBf1Zx7hBZF1a8UXP8+70e7HqDuCDPi+If23X3RqO5ofKSmTqzHs0rRhu
KQhIVvcLMQYsjzJSKpA9/qBPntk/kUt0e3Axes7BE2qOai8QpVEY+xGXlRex37P6
xd69C0nKN51y+n2f+hoDw6IFHTuExdG7UZ5eX41qPFFQMnQMaAA1z/RutaQ6qRxD
EZaAa0l/HuaATiW1/EfHQCfV89eigZjkkCPuaTDIBRpAb/SneOWFMxbZUq3UcFOL
tol+eYdxSJ3s7xJygOduo0j84fKSH0qdq32HoB0jreR2xSPa4iM=
=jTFM
-----END PGP SIGNATURE-----
$ gpg --verify test.txt.asc
gpg: Signature made Mon 24 Jun 2024 09:55:38 AM CDT
gpg: using RSA key C63EB245365FA07B710680491E43859CB855223C
gpg: Good signature from "Smallstep Ops <[email protected]>" [ultimate]
Primary key fingerprint: 78E8 2890 D40D 5D39 7D19 399F 889B 1939 1F77 4443
Subkey fingerprint: C63E B245 365F A07B 7106 8049 1E43 859C B855 223C |
Looks like its considering any s2k key as a dummy key: https://github.com/ProtonMail/go-crypto/blob/140b3d6f14775c42f6544e1cc34cf77e3da56baa/openpgp/s2k/s2k.go#L304 From GPG docs:
So, maybe, it just doesn't support smartcards? Found only one issue that seemed somewhat relevant: ProtonMail/go-crypto#199 I do have an yubikey somewhere, will see if I can repro this using the same tutorial and everything, probably someday this week or weekend |
That is really weird. These keys are not in a smart card at all. I just use the tutorial to create the keys that live on disk for now. Maybe that extension was somehow enabled by the gpg.conf provided by the tutorial. |
yeah, really weird indeed |
that said, gpg is generally weird to deal with |
Yeah for sure. I wish we could use cosign for RPMs and Debs but here we are. |
What happened?
We are in the process of creating Apt and RPM repos and I cannot sign Debs and RPMs with a GPG Subkey that is meant for signing only. This seems somewhat related to #276 but it was closed as fixed when nfpm moved to gopenpgp. I see with PR #315 tests were added for signing with sub keys.
How can we reproduce this?
We followed this guide https://github.com/drduh/YubiKey-Guide?tab=readme-ov-file#create-certify-key for creating our GPG Certify key and Signing Subkey.
If I use the Certify key I can sign packages just fine.
nfpm version
I am using nfpm via Goreleaser Pro
Search
Code of Conduct
Additional context
No response
The text was updated successfully, but these errors were encountered: