Pass helper may ignore GPG key absence #327

Open
@serious-angel

Dear Developers,

Thank you for the awesome project!

Issue

For some reason, the pass helper may result in an error when trying to docker push:

denied: requested access to the resource is denied

There is no other error message shown, even if docker login, called just prior to pushing, returns "Login Successful".

The issue is that the helper probably does not respect the non-zero exit code returned from pass, which is also shown in the strace:

...
epoll_ctl(4, EPOLL_CTL_DEL, 3, 0xc0000d5724) = 0
close(3)                                = 0
epoll_ctl(4, EPOLL_CTL_DEL, 9, 0xc0000d5724) = 0
close(9)                                = 0
epoll_ctl(4, EPOLL_CTL_DEL, 11, 0xc0000d5724) = 0
close(11)                               = 0
--- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=6150, si_uid=1000} ---
rt_sigreturn({mask=[]})                 = 0
waitid(P_PID, 6156, {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=6156, si_uid=1000, si_status=0, si_utime=0, si_stime=0}, WEXITED|WNOWAIT, NULL) = 0
futex(0x5d73a0, FUTEX_WAKE_PRIVATE, 1)  = 1
wait4(6156, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, {ru_utime={tv_sec=0, tv_usec=7522}, ru_stime={tv_sec=0, tv_usec=26082}, ...}) = 6156
sched_yield()                           = 0
futex(0x5d72b8, FUTEX_WAKE_PRIVATE, 1)  = 0
epoll_pwait(4, [], 128, 0, NULL, 0)     = 0
epoll_pwait(4, [{events=EPOLLOUT, data={u32=1010302978, u64=9167000871277953026}}], 128, -1, NULL, 0) = 1
epoll_pwait(4, [], 128, 0, NULL, 0)     = 0
epoll_pwait(4, [{events=EPOLLOUT, data={u32=994050050, u64=9167000871261700098}}], 128, -1, NULL, 0) = 1
epoll_pwait(4, [], 128, 0, NULL, 0)     = 0
epoll_pwait(4, [{events=EPOLLOUT, data={u32=1042808835, u64=9167000871310458883}}], 128, -1, NULL, 0) = 1
epoll_pwait(4, [], 128, 0, NULL, 0)     = 0
epoll_pwait(4, [{events=EPOLLIN, data={u32=1026555906, u64=9167000871294205954}}], 128, -1, NULL, 0) = 1
futex(0x5d73a0, FUTEX_WAKE_PRIVATE, 1)  = 1
read(10, "gpg: decryption failed: No secret key\n", 512) = 38
read(10, 0xc0001b4026, 986)             = -1 EAGAIN (Resource temporarily unavailable)
epoll_pwait(4, [], 128, 0, NULL, 0)     = 0
epoll_pwait(4, [{events=EPOLLHUP, data={u32=1026555906, u64=9167000871294205954}}, {events=EPOLLHUP, data={u32=961544194, u64=9167000871229194242}}], 128, -1, NULL, 0) = 2
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=6164, si_uid=1000, si_status=2, si_utime=0, si_stime=2} ---
rt_sigreturn({mask=[]})                 = 2
futex(0xc000080148, FUTEX_WAKE_PRIVATE, 1) = 1
read(8, "", 512)                        = 0
epoll_ctl(4, EPOLL_CTL_DEL, 8, 0xc0000345e4) = 0
close(8)                                = 0
futex(0xc00003e548, FUTEX_WAKE_PRIVATE, 1) = 0
write(1, "exit status 2: gpg: decryption failed: No secret key\n\n", 54) = 54
exit_group(1)                           = ?
+++ exited with 1 +++

exit status 2: gpg: decryption failed: No secret key

So, in case the password store is currently locked, Docker usage with such credentials is probably impossible.

Solution

A solution is to "cache" the GPG key via pass show with gpg-agent, for example, and call docker push immediately afterwards.

Question

Is that intended behavior?


Best and kind regards ✨
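
The workaround described in this issue, written as a preflight wrapper (an added example, not part of the original post and not code from the project): it decrypts a store entry with pass show first, and refuses to run docker push when pass exits non-zero, so the GPG failure is reported instead of "denied". The variables PASS_BIN and DOCKER_BIN, the function names, and the exit code 3 are hypothetical choices made for this example; the entry name is supplied by the caller.

```shell
#!/bin/sh
# Added example: fail closed when the pass store cannot be decrypted,
# instead of letting docker push end in "requested access ... is denied".
# PASS_BIN / DOCKER_BIN are hypothetical overrides (useful for testing).
: "${PASS_BIN:=pass}"
: "${DOCKER_BIN:=docker}"

# probe_store ENTRY
# Decrypts ENTRY so gpg-agent caches the key. The decrypted secret is
# discarded (stdout -> /dev/null); only diagnostics on stderr are kept
# in probe_err. Returns the exit status of pass, also kept in probe_rc.
probe_store() {
    probe_err=$("$PASS_BIN" show "$1" 2>&1 >/dev/null)
    probe_rc=$?
    return "$probe_rc"
}

# push_checked ENTRY IMAGE
# Returns 3 if the store is locked or undecryptable (push not attempted),
# otherwise the exit status of docker push.
push_checked() {
    entry=$1 image=$2
    if ! probe_store "$entry"; then
        printf 'pass store not usable (exit %s): %s\n' "$probe_rc" "$probe_err" >&2
        printf 'not running docker push for %s\n' "$image" >&2
        return 3
    fi
    "$DOCKER_BIN" push "$image"
}

# Direct use: ./push-checked.sh <pass-entry> <image>
if [ "$#" -eq 2 ]; then
    push_checked "$1" "$2"
fi
```

Any entry encrypted to the same GPG key as the Docker credentials works as the probe entry.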
