FS#45351 - [pacman] pacman-key autostarts gpg-agent (which prevents unmounting during installation of Arch)

Attached to Project: Pacman
Opened by Sebastian Pipping (sping) - Tuesday, 16 June 2015, 18:42 GMT
Last edited by Doug Newgard (Scimmia) - Friday, 17 July 2015, 19:01 GMT
Task Type Bug Report
Category Packages: Core
Status Unconfirmed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

Hi!

The guide on installing from another distribution at [1] proposes running

# pacman-key --init
# pacman-key --populate archlinux

from inside the Arch chroot. Fine.
Both of these call GPG binaries internally. Okay.

At some point, GPG started autostarting an instance of gpg-agent unless it is invoked with --no-autostart, an option missing in the --help output but documented in the man page of GPG.
The trouble with starting gpg-agent is that the agent process outlives the call to pacman-key and causes trouble when unmounting the chroot stack since gpg-agent is still using files from inside the chroot.
Especially in a context where calls to pacman-key are automated, one would have to

a) find that very gpg-agent process (the host system may have another)
and terminate it or

b) prefix the call to pacman-key by something like "unshare --pid --fork"
to put it into a dedicated process ID namespace and have it
killed automatically when pacman-key terminates.


I am wondering if you would be willing to do something like that from inside pacman-key, i.e. be willing to

a) pass --no-autostart to calls of GPG or

b) prefix calls to GPG with "unshare --pid --fork" or so
inside pacman-key.


I'm curious for your reply.

Best,



Sebastian

[1] https://wiki.archlinux.org/index.php/Install_from_existing_Linux
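An added check for the "still in use" condition described in the report (example script, not part of the report, of pacman-key or of arch-install-scripts): it lists the processes whose cwd, root, executable or an open descriptor lies under the chroot path, so an automated installer can see which leftover process (such as gpg-agent) will make umount fail, and it wraps a command in `unshare --pid --fork` as option (b) proposes. It assumes a Linux /proc, coreutils readlink and util-linux unshare.

```shell
#!/usr/bin/env bash
# Added example (not from the report or from pacman-key): find which processes
# keep a chroot "busy" so that umount fails, which is what a leftover gpg-agent
# does, plus a wrapper for option (b) from the report.
# Assumes a Linux /proc, coreutils readlink and util-linux unshare.

# Print "PID COMM HOW" for every process whose cwd, root, exe or an open file
# descriptor refers to a path at or below $1.  Prints nothing if none does.
procs_holding_path() {
    local target pid link how fd
    target=$(readlink -f -- "$1") || return 1
    for pid in /proc/[0-9]*; do
        pid=${pid#/proc/}
        if [ "$pid" = "$$" ]; then continue; fi   # skip this script itself
        for how in cwd root exe; do
            link=$(readlink "/proc/$pid/$how" 2>/dev/null) || continue
            case "$link" in
                "$target"|"$target"/*)
                    printf '%s %s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$how"
                    continue 2   # next pid: one line per process is enough
                    ;;
            esac
        done
        for fd in "/proc/$pid/fd"/*; do
            link=$(readlink "$fd" 2>/dev/null) || continue
            case "$link" in
                "$target"|"$target"/*)
                    printf '%s %s fd:%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "${fd##*/}"
                    continue 2
                    ;;
            esac
        done
    done
    return 0
}

# Return 1 and list the holders on stderr if anything still references $1,
# so an automated installer can refuse to umount instead of hitting "busy".
assert_unmountable() {
    local holders
    holders=$(procs_holding_path "$1") || return 1
    if [ -z "$holders" ]; then return 0; fi
    printf 'still in use under %s:\n%s\n' "$1" "$holders" >&2
    return 1
}
# Option (b) from the report: run a command in its own PID namespace so any
# daemon it autostarts (gpg-agent) dies with it.  Needs root, e.g.
#   run_in_pid_ns chroot /mnt pacman-key --init
run_in_pid_ns() { unshare --pid --fork -- "$@"; }
```

Run `assert_unmountable /mnt` before `umount` in the automation; a non-zero exit names the holding process instead of leaving you with "target is busy".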

Comment by Dave Reisner (falconindy) - Tuesday, 16 June 2015, 18:49 GMT
Sounds like the fix could just as easily be done in documentation. If you use arch-chroot, the separate PID namespacing is done for you. arch-install-scripts are meant to be useful from non-Arch distros.
Comment by Sebastian Pipping (sping) - Tuesday, 16 June 2015, 19:17 GMT
I am running a series of commands inside the chroot, i.e.

chroot ... pacman-key --init
chroot ... pacman-key --populate archlinux
chroot ... pacman -S ....

To my understanding, using arch-chroot would create and destroy the mount stack for each call again.
It would do a lot more than needed.

Personally, I believe this would better be addressed in pacman rather than arch-install-scripts.
Comment by Sebastian Pipping (sping) - Tuesday, 16 June 2015, 19:29 GMT
PS:
- in pacman rather than [in] arch-install-scripts.
+ in pacman rather than by using arch-chroot.

I start to understand that the docs may need a different fix than what would ease (my) automation.
Comment by Dave Reisner (falconindy) - Tuesday, 16 June 2015, 19:36 GMT
Then don't call arch-chroot multiple times?

arch-chroot sh -c 'pacman-key --init && pacman-key --populate archlinux && pacman -S ...'
Comment by Sebastian Pipping (sping) - Saturday, 04 July 2015, 22:08 GMT
Here's a patch to fix the issue. Please consider application. Thank you.
Comment by Allan McRae (Allan) - Monday, 14 December 2015, 14:39 GMT
I will not accept a patch that disables the autostart of the gpg agent universally.

Comment by Sebastian Pipping (sping) - Monday, 14 December 2015, 15:15 GMT
How about a patch adding a new option to pacman-key to do it conditionally?

On the universal case: Please help me understand the plus side of having a GPG daemon running after pacman-key terminated if it wasn't running already. I don't see it myself, yet.
