Overview

In order to use a GPG key that has a passphrase, an external gpg-agent must be running and seeded with your passphrase and key before attempting packagecloud:enterprise installation.

Required Setup

The Socket Environment file

...

. This feature is enabled with the following configuration directive in /etc/packagecloud/packagecloud.rb:

Prerequisites

  • gpg-agent 2.0.x (note: gpg-agent 2.1.x will not work)

Setup

1) Start gpg-agent
gpg-agent --homedir /etc/packagecloud/gpgkey --allow-preset-passphrase --max-cache-ttl 31622400 --daemon --sh --write-env-file /etc/packagecloud/gpgkey/gpg_socket.env

The --write-env-file argument writes the gpg-agent's socket information into a file (henceforth referred to as the 'socket environment file'), which is how the application locates and communicates with the gpg-agent. The example command above uses the default packagecloud_gpg['key_directory'] of "/etc/packagecloud/gpgkey". The application will look for a `gpg_socket.env` file inside the configured packagecloud_gpg['key_directory'].

2) Seeding the agent with your passphrase


Monitoring

Since the external gpg-agent lives in a critical code path (signing repository metadata), it's important that it is always available, or repository updates might stop working unexpectedly.
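
One way to monitor this, as an added example that is not part of the packagecloud documentation: a shell health check that reads the socket environment file and verifies the agent process and its socket. The function names agent_info and check_agent are hypothetical, and the file is assumed to hold a single sh-style GPG_AGENT_INFO=<socket>:<pid>:<version> line.

```shell
#!/bin/sh
# Health check for the external gpg-agent, driven by the socket environment file.
# Assumption: the file contains one sh-style line of the form
#   GPG_AGENT_INFO=<socket path>:<pid>:<protocol version>
# Run it as the user that owns the agent (or root) so the PID probe is permitted.

ENV_FILE_DEFAULT=/etc/packagecloud/gpgkey/gpg_socket.env

# Print the GPG_AGENT_INFO value. The file is parsed as data and never
# sourced, so a tampered env file cannot run commands in the monitor.
agent_info() {
    sed -n 's/^GPG_AGENT_INFO=\([^;]*\).*$/\1/p' "$1" 2>/dev/null | head -n 1
}

# Return codes:
#   0 healthy
#   1 env file missing or unparseable
#   2 agent process not running
#   3 agent socket missing
check_agent() {
    env_file=${1:-$ENV_FILE_DEFAULT}
    [ -r "$env_file" ] || return 1

    info=$(agent_info "$env_file")
    [ -n "$info" ] || return 1

    # Split from the right so a ':' inside the socket path is tolerated.
    rest=${info%:*}      # drop the protocol version
    pid=${rest##*:}      # last remaining field is the PID
    sock=${rest%:*}      # everything before it is the socket path

    # Reject anything that is not a plain decimal PID.
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac

    # Signal 0 only tests whether the process exists.
    kill -0 "$pid" 2>/dev/null || return 2

    # A stale env file can outlive the socket it points at.
    [ -S "$sock" ] || return 3

    return 0
}
```

Call check_agent from cron or a monitoring probe and alert on any non-zero return code; the code tells you whether to restart the agent or regenerate the socket environment file.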

Max Cache TTL

After you seed your passphrase, it will eventually expire according to the max-cache-ttl setting used when starting up the agent. If this is desired, you'll need to use a periodic process, like a cron job, to continually reseed the passphrase before it expires; alternatively, you can set it to a year (31622400 seconds).

Common Errors

When using the Indexer Status area, you might see recently failed jobs with the following errors:

...