Wind River Support Network

Not to be fixed

LIN1019-3395 : create-user-key-store.sh:gpg: invalid option "--pinentry-mode=loopback" CentOS Linux 7

Created: Nov 7, 2019    Updated: Apr 29, 2021
Resolved Date: Apr 29, 2021
Found In Version: 10.19.45.1
Severity: Standard
Applicable for: Wind River Linux LTS 19
Component/s: Userspace

Description

$uname -a
Linux pek-lpgtest19 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

$./create-user-key-store.sh 
KEYS_DIR: layers/meta-secure-core/meta-signing-key/scripts/user-keys
Enter GPG keyname [default: SecureCore]: 
Enter GPG e-mail address [default: SecureCore@foo.com]: 
Enter GPG comment [default: Package Signing Key]: 
Enter RPM/OSTREE Passphrase: 
Enter RPM/OSTREE Passphrase: 123456
Enter IMA Passphrase: 123456
Creating the user keys for UEFI Secure Boot
Generating a 2048 bit RSA private key
...................+++
...........................+++
writing new private key to 'user-keys/uefi_sb_keys/PK.key'
-----
Generating a 2048 bit RSA private key
.....+++
..........+++
writing new private key to 'user-keys/uefi_sb_keys/KEK.key'
-----
Generating a 2048 bit RSA private key
..........................+++
....+++
writing new private key to 'user-keys/uefi_sb_keys/DB.key'
-----
Creating the user keys for MOK Secure Boot
Generating a 2048 bit RSA private key
........................................................................................+++
.................................+++
writing new private key to 'user-keys/mok_sb_keys/shim_cert.key'
-----
Generating a 2048 bit RSA private key
..............................................................................+++
...............+++
writing new private key to 'user-keys/mok_sb_keys/vendor_cert.key'
-----
Creating the user key for system
Generating a 2048 bit RSA private key
............................+++
..+++
writing new private key to 'user-keys/system_trusted_keys/system_trusted_key.key'
-----
Creating the user key for system secondary trust
Generating a 2048 bit RSA private key
.................................+++
..............+++
writing new private key to 'user-keys/secondary_trusted_keys/secondary_trusted_key.key'
-----
Signature ok
subject=/CN=Extra System Trusted Certificate
Getting CA Private Key
Creating the user key for modsign
Generating a 2048 bit RSA private key
...............+++
...............................................+++
writing new private key to 'user-keys/modsign_keys/modsign_key.key'
-----
Creating the user key for IMA appraisal
Generating RSA private key, 2048 bit long modulus
..........................+++
...............................................................................................+++
e is 65537 (0x10001)
Signature ok
subject=/CN=IMA Trusted Certificate
Getting CA Private Key
Creating the user key for RPM
gpg-connect-agent: can't connect to the agent: Invalid value passed to IPC
gpg: keyring `user-keys/rpm_keys/secring.gpg' created
gpg: keyring `user-keys/rpm_keys/pubring.gpg' created
gpg: can't connect to the agent: Invalid value passed to IPC
gpg: problem with the agent: No agent running
gpg: user-keys/rpm_keys/trustdb.gpg: trustdb created
gpg: key C6DBC9D0 marked as ultimately trusted
gpg: RPM keyring SecureCore created
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
user-keys/rpm_keys/pubring.gpg
------------------------------------------------------------------------------------------------------------------------
pub   4096R/C6DBC9D0 2019-11-08
uid                  SecureCore (Package Signing Key) <SecureCore@foo.com>

gpg: invalid option "--pinentry-mode=loopback"
layers/meta-secure-core/meta-signing-key/scripts
## The following variables need to be entered into your local.conf
## in order to use the new signing keys:

RPM_GPG_NAME = "SecureCore"
RPM_GPG_PASSPHRASE = "123456"
RPM_FSK_PASSWORD = "123456"
OSTREE_GPGID = "SecureCore"
OSTREE_GPG_PASSPHRASE = "123456"
WR_KEYS_DIR = "user-keys"
RPM_KEYS_DIR = "user-keys/rpm_keys"

## Please save the values above to your local.conf
$tree user-keys/
user-keys/
├── ima_keys
│   ├── x509_ima.der
│   └── x509_ima.key
├── modsign_keys
│   ├── modsign_key.crt
│   └── modsign_key.key
├── mok_sb_keys
│   ├── shim_cert.crt
│   ├── shim_cert.key
│   ├── vendor_cert.crt
│   └── vendor_cert.key
├── rpm_keys
│   ├── RPM-GPG-KEY-SecureCore
│   └── RPM-GPG-PRIVKEY-SecureCore
├── secondary_trusted_keys
│   ├── secondary_trusted_key.crt
│   └── secondary_trusted_key.key
├── system_trusted_keys
│   ├── system_trusted_key.crt
│   └── system_trusted_key.key
└── uefi_sb_keys
    ├── DB.crt
    ├── DB.key
    ├── KEK.crt
    ├── KEK.key
    ├── PK.crt
    └── PK.key

7 directories, 20 files


No such issue on ubuntu:
$./create-user-key-store.sh -d $PWD/../keys -c "Package Signing Key" -n "Package Admin" -m "package.admin@sample.org" -rp "test1234" -ip "1234test"
KEYS_DIR:keys
Creating the user keys for UEFI Secure Boot
Generating a RSA private key
.......+++++
.........................................................+++++
writing new private key to 'keys/uefi_sb_keys/PK.key'
-----
Generating a RSA private key
........+++++
............................................................+++++
writing new private key to 'keys/uefi_sb_keys/KEK.key'
-----
Generating a RSA private key
......+++++
..................................................................................................+++++
writing new private key to 'keys/uefi_sb_keys/DB.key'
-----
Creating the user keys for MOK Secure Boot
Generating a RSA private key
.......................+++++
.................+++++
writing new private key to '/keys/mok_sb_keys/shim_cert.key'
-----
Generating a RSA private key
.......................................................................................+++++
.........+++++
writing new private key to 'keys/mok_sb_keys/vendor_cert.key'
-----
Creating the user key for system
Generating a RSA private key
............+++++
...............+++++
writing new private key to '/keys/system_trusted_keys/system_trusted_key.key'
-----
Creating the user key for system secondary trust
Generating a RSA private key
.+++++
.............................+++++
writing new private key to 'keys/secondary_trusted_keys/secondary_trusted_key.key'
-----
Signature ok
subject=CN = Extra System Trusted Certificate
Getting CA Private Key
Creating the user key for modsign
Generating a RSA private key
.............................+++++
................................................................................................................................................................................+++++
writing new private key to 'keys/modsign_keys/modsign_key.key'
-----
Creating the user key for IMA appraisal
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
.............................................................................................+++++
e is 65537 (0x010001)
Signature ok
subject=CN = IMA Trusted Certificate
Getting CA Private Key
Creating the user key for RPM
gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: waiting for the agent to come up ... (4s)
gpg-connect-agent: connection to agent established
OK
gpg: keybox 'keys/rpm_keys/pubring.kbx' created
gpg: keys/rpm_keys/trustdb.gpg: trustdb created
gpg: key 1891C2DB07CECCF2 marked as ultimately trusted
gpg: directory 'keys/rpm_keys/openpgp-revocs.d' created
gpg: revocation certificate stored as 'keys/rpm_keys/openpgp-revocs.d/B84FCA14E1C4477B58B74C6F1891C2DB07CECCF2.rev'
gpg: RPM keyring Package Admin created
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
layers/meta-secure-core/meta-signing-key/scripts/../keys/rpm_keys/pubring.kbx
--------------------------------------------------------------------------------------------------
pub   rsa4096 2019-11-08 [SCEA]
      B84FCA14E1C4477B58B74C6F1891C2DB07CECCF2
uid           [ultimate] Package Admin (Package Signing Key) <package.admin@sample.org>

layers/meta-secure-core/meta-signing-key/scripts
## The following variables need to be entered into your local.conf
## in order to use the new signing keys:

RPM_GPG_NAME = "Package Admin"
RPM_GPG_PASSPHRASE = "test1234"
RPM_FSK_PASSWORD = "1234test"
OSTREE_GPGID = "Package Admin"
OSTREE_GPG_PASSPHRASE = "test1234"
WR_KEYS_DIR = "keys"
RPM_KEYS_DIR = "keys/rpm_keys"

## Please save the values above to your local.conf
$uname -a
Linux pek-lpgtest7401 4.15.0-64-generic #73-Ubuntu SMP Thu Sep 12 13:16:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$cat /etc/os-release 
NAME="Ubuntu"
VERSION="18.04.1 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.1 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

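The two runs above differ in the GnuPG generation in play: the CentOS 7 run writes classic `secring.gpg`/`pubring.gpg` keyrings and reports keys in the `4096R/C6DBC9D0` style, which is GnuPG 2.0.x (CentOS 7 ships 2.0.22), while the Ubuntu 18.04 run creates a `pubring.kbx` keybox and a revocation certificate, which is GnuPG 2.1+ (Ubuntu 18.04 ships 2.2.4). `--pinentry-mode` was introduced in GnuPG 2.1, so the 2.0.x binary rejects it with exactly the `invalid option` error in the title, after every other key has already been generated. The helper below is an added example, not part of this defect record or of the meta-signing-key scripts; it gates the loopback options on the gpg version so a non-interactive signing script can fall back to plain `--batch --passphrase-fd` on 2.0.x instead of aborting. The banner strings are constructed to match the two hosts in the report, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: choose gpg passphrase options by gpg version.
# GnuPG 2.1 introduced --pinentry-mode; the 2.0.x gpg on CentOS 7 rejects
# it with 'invalid option', which is the failure reported on this page.

# Extract "major.minor.patch" from the first line of `gpg --version`.
gpg_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^gpg (GnuPG)[^0-9]*\([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 (true) when the version is >= 2.1.0, the first release that
# understands --pinentry-mode; return 1 otherwise (including unparsable input).
gpg_supports_pinentry_mode() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    case "$major$minor" in *[!0-9]*) return 1 ;; esac
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; then return 0; fi
    return 1
}

# Print the extra arguments a non-interactive signing call should use.
# On 2.1+ the passphrase is fed on a file descriptor through loopback
# pinentry; on 2.0.x only --batch --passphrase-fd exists, and passing
# --pinentry-mode there is what aborts the key-store script.
gpg_passphrase_args() {
    if gpg_supports_pinentry_mode "$1"; then
        printf '%s' "--batch --pinentry-mode loopback --passphrase-fd 0"
    else
        printf '%s' "--batch --passphrase-fd 0"
    fi
}

# Constructed banners (not captured from the hosts) matching the two systems
# in the report: CentOS 7 with gnupg2 2.0.22, Ubuntu 18.04 with gnupg 2.2.4.
CENTOS7_BANNER="gpg (GnuPG) 2.0.22
libgcrypt 1.5.3"
UBUNTU1804_BANNER="gpg (GnuPG) 2.2.4
libgcrypt 1.8.1"

# Live check against this host's own gpg, when one is installed.
if command -v gpg >/dev/null 2>&1; then
    v=$(gpg_version_from_banner "$(gpg --version)")
    printf 'host gpg %s -> args: %s\n' "$v" "$(gpg_passphrase_args "$v")"
fi
```

Usage: call `gpg_passphrase_args "$(gpg_version_from_banner "$(gpg --version)")"` once at the top of a signing script and splice the result into every `gpg` invocation. One further caveat for the 2.1 branch: releases before 2.1.12 only honour loopback pinentry if `allow-loopback-pinentry` is set in `gpg-agent.conf`; from 2.1.12 on it is allowed by default.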
Steps to Reproduce

/folk/lpg-build/cdc/fast_prod/WRL10_19/WRL10_19_GIT/wrlinux-10/setup.sh --machines=intel-x86-64 --distros=wrlinux --dl-layers --all-layers

cd layers/meta-secure-core/meta-signing-key/scripts

run create-user-key-store.sh