Vscode-remote-release: GPG Sign Commit when running in DevContainer

Created on 3 May 2019  ·  20Comments  ·  Source: microsoft/vscode-remote-release

  • VSCode Version: 1.34.0-insider
  • Local OS Version: Win 10 1903 64bit
  • Remote OS Version: 4.9.125-linuxkit [python:3.6 base image]
  • Remote Extension/Connection Type: Docker

Steps to Reproduce:

  1. Configure git to gpg sign commits [global .gitconfig locally]

     [commit]
         gpgsign = true

  2. Start the project in a dev container, try to commit

     root@953bed01abcd:/workspaces/my-project# git commit -m dockerize
     error: gpg failed to sign the data
     fatal: failed to write commit object

Does this issue occur when you try this locally?: No
Does this issue occur when you try this locally and all extensions are disabled?: No

All 20 comments

I've managed to get this to work by using -v to map my local gpg agent socket into the container, likewise with the ssh agent:

"-v", "${env:HOME}/.gnupg/pubring.kbx:/root/.gnupg/pubring.kbx",
"-v", "${env:HOME}/.gnupg/trustdb.gpg:/root/.gnupg/trustdb.gpg",
// You'll probably have to change this to point to your gpg-agent socket.
// Not sure where Mac/Windows put it.
"-v", "${env:XDG_RUNTIME_DIR}/gnupg/S.gpg-agent:/root/.gnupg/S.gpg-agent",
"-v", "${env:SSH_AUTH_SOCK}:${env:SSH_AUTH_SOCK}",
"-e", "SSH_AUTH_SOCK=${env:SSH_AUTH_SOCK}"

Not ideal, but it's a decent workaround and allows for signing commits in the container and fetching dependencies in private git repositories via ssh.

@jrobsonchase unfortunately there are numerous problems with this if you're running on a Mac or Windows host.

I think it makes sense to allow git operations to run locally when using remote containers to avoid this issue, possibly hidden behind a flag.

I have a similar or the same problem. I am using git in the code-insiders bash with WSL as the remote. What is strange is that sometimes it is working and then it stops working, or it is not working and then after some minutes it works.

I noticed that restarting code-insiders seems to make it work, but not always. I have no idea how to solve it; I have tried the normal solutions for the messages "error: gpg failed to sign the data
fatal: failed to write commit object" that I found on the web. Nothing seems to work permanently.

Same issue if using Ubuntu WSL. I found a workaround using this repository but there is not a published, peer-reviewed package since the issue is fairly new.

https://github.com/diablodale/pinentry-wsl-ps1

I'm not quite sure if this is the right place to ask this, but what's the best way to use the GPG key from your computer on your Raspberry Pi to sign commits? Do you transfer the key? Do you create a new one?

I've managed to get this to work by using -v to map my local gpg agent socket into the container, likewise with the ssh agent:

"-v", "${env:HOME}/.gnupg/pubring.kbx:/root/.gnupg/pubring.kbx",
"-v", "${env:HOME}/.gnupg/trustdb.gpg:/root/.gnupg/trustdb.gpg",
// You'll probably have to change this to point to your gpg-agent socket.
// Not sure where Mac/Windows put it.
"-v", "${env:XDG_RUNTIME_DIR}/gnupg/S.gpg-agent:/root/.gnupg/S.gpg-agent",
"-v", "${env:SSH_AUTH_SOCK}:${env:SSH_AUTH_SOCK}",
"-e", "SSH_AUTH_SOCK=${env:SSH_AUTH_SOCK}"

Not ideal, but it's a decent workaround and allows for signing commits in the container and fetching dependencies in private git repositories via ssh.

For a Windows host, according to https://zhuanlan.zhihu.com/p/31802760 (Chinese),
Gpg4win implements a TCP socket to simulate the behavior of a Unix socket.
We can use socat to forward the TCP connection to a Unix socket.
Based on this tutorial, I tried to make scripts and config for the Dev Container version and it is working.

{
    "name": "...",
    "dockerFile": "...",
    "appPort": ["..."],
    "runArgs": [
        "-v", "${env:APPDATA}/gnupg/pubring.kbx:/home/vscode/.gnupg/pubring.kbx",
        "-v", "${env:APPDATA}/gnupg/trustdb.gpg:/home/vscode/.gnupg/trustdb.gpg",
        "-v", "${env:APPDATA}/gnupg/S.gpg-agent.extra:/home/vscode/.gnupg-localhost/S.gpg-agent.extra:ro"
    ]
}

Then add a script to .bashrc to launch the forwarding socat in the background.

# Tell gpg which terminal to use for pinentry prompts.
export GPG_TTY=$(tty)
# Only start the bridge if the host's extra socket file is mounted and the
# container-side agent socket does not exist yet.
if [ -f "$HOME/.gnupg-localhost/S.gpg-agent.extra" ] && [ ! -S "$HOME/.gnupg/S.gpg-agent" ];then
    GPG_AGENT="$HOME/.gnupg-localhost/S.gpg-agent.extra"
    PREPEND_FILE="/tmp/gpg_agent_prepend"
    # Gpg4win's socket file: first line is the TCP port, the remaining bytes
    # are the nonce every client must send before the Assuan handshake.
    WINDOWS_GPG_AGENT_PORT=$(head -n1 "$GPG_AGENT")
    tail -n+2 "$GPG_AGENT" > "$PREPEND_FILE"
    mkdir -p "$HOME/.gnupg/"
    # Listen on a Unix socket in the container; for each connection, send the
    # nonce followed by the client's data to the host agent over TCP.
    socat "UNIX-LISTEN:$HOME/.gnupg/S.gpg-agent,fork" "SYSTEM:cat \"$PREPEND_FILE\" - <&3 | socat STDIO \"TCP\:host.docker.internal\:$WINDOWS_GPG_AGENT_PORT\" >&4,fdin=3,fdout=4" &
fi

For me, I launch a script in postCreateCommand to insert it automatically.

# https://github.com/keybase/keybase-issues/issues/2798 fix gpg Inappropriate ioctl for device problem
echo "export GPG_TTY=\$(tty)" >> ~/.bashrc
cat >> ~/.bashrc <<EOL
if [ -f "\$HOME/.gnupg-localhost/S.gpg-agent.extra" ] && [ ! -S "\$HOME/.gnupg/S.gpg-agent" ];then
    GPG_AGENT="\$HOME/.gnupg-localhost/S.gpg-agent.extra"
    PREPEND_FILE="/tmp/gpg_agent_prepend"
    WINDOWS_GPG_AGENT_PORT=\$(head -n1 "\$GPG_AGENT")
    tail -n+2 "\$GPG_AGENT" > "\$PREPEND_FILE"
    mkdir -p "\$HOME/.gnupg/"
    socat "UNIX-LISTEN:\$HOME/.gnupg/S.gpg-agent,fork" "SYSTEM:cat \"\$PREPEND_FILE\" - <&3 | socat STDIO \"TCP\:host.docker.internal\:\$WINDOWS_GPG_AGENT_PORT\" >&4,fdin=3,fdout=4" &
fi
EOL

But I don't know why nohup & won't work properly in .bashrc; when I press ctrl+c multiple times or simply exit the terminal, the socat background process exits too. But if I run it manually it doesn't behave like this. I need to find a better way to let socat run in the background on container startup.

vscode@2274dfd714b1:/$ 
vscode@2274dfd714b1:/$ 
vscode@2274dfd714b1:/$ 
vscode@2274dfd714b1:/$ ^C
vscode@2274dfd714b1:/$ ^C
[1]+  Exit 130                nohup socat "UNIX-LISTEN:$HOME/.gnupg/S.gpg-agent,fork" "SYSTEM:cat \"$PREPEND_FILE\" - <&3 | socat STDIO \"TCP\:host.docker.internal\:$WINDOWS_GPG_AGENT_PORT\" >&4,fdin=3,fdout=4"  (wd: /workspaces/virtual-patient-room-amazing)
(wd now: /)
vscode@2274dfd714b1:/$ ^C
vscode@2274dfd714b1:/$ 
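The same Gpg4win bridge as above, as an added example that is not from the thread or from the extension: it splits the socket file parsing into testable functions, keeps the nonce and the container socket owner-only (whoever can reach either can ask the host agent to sign), and starts socat under setsid/nohup so it survives closing the terminal. Assumed paths: the extra socket file is mounted read-only at $HOME/.gnupg-localhost/S.gpg-agent.extra and the Windows host is reachable as host.docker.internal.

```shell
#!/bin/sh
# Added example, not code from the issue thread. Gpg4win emulates a Unix
# socket with a file whose first line is a TCP port and whose remaining bytes
# are a nonce that a client must send before anything else.

# Print the TCP port stored on the first line of an extra-socket file.
gpg_extra_port() {
    head -n 1 "$1" | tr -d '\r\n'
}

# Copy the nonce (everything after the first newline) to $2 with owner-only
# permissions and print its size in bytes (Gpg4win uses a 16-byte nonce).
gpg_extra_nonce() {
    ( umask 077; tail -n +2 "$1" > "$2" )
    wc -c < "$2" | tr -d ' '
}

# Start the bridge detached from the current shell. Returns 0 when the
# container-side socket exists afterwards, 1 when the host file is missing.
gpg_bridge_start() {
    extra="$HOME/.gnupg-localhost/S.gpg-agent.extra"   # assumed mount point
    sock="$HOME/.gnupg/S.gpg-agent"
    nonce="$HOME/.gnupg/.host-agent-nonce"
    [ -f "$extra" ] || return 1
    [ -S "$sock" ] && return 0                         # bridge already running
    mkdir -p "$HOME/.gnupg" && chmod 700 "$HOME/.gnupg"
    port=$(gpg_extra_port "$extra")
    gpg_extra_nonce "$extra" "$nonce" > /dev/null
    # setsid+nohup: the listener no longer belongs to the terminal's process
    # group, so Ctrl-C or closing the terminal does not kill it.
    setsid nohup socat "UNIX-LISTEN:$sock,fork,umask=077" \
        "SYSTEM:cat \"$nonce\" - <&3 | socat STDIO \"TCP\:host.docker.internal\:$port\" >&4,fdin=3,fdout=4" \
        > /dev/null 2>&1 &
    sleep 1
    [ -S "$sock" ]
}

# Run as ". script.sh" to load the functions, or "sh script.sh start" to bridge.
[ "${1:-}" = "start" ] && gpg_bridge_start
```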

I'm really interested on any updates on this.

Has anyone been successful in signing Git commits within the dev container?

Got it implemented by copying pubring.kbx and trustdb.gpg into the container and then forwarding the agent socket in the container to the extra ('remote') socket on the local machine. This will need some testing in the wild to confirm it works as expected.

@chrmarti Do you mind sharing a code sample? Also, rather than copying the keyring (which is a manual operation), could we mount the GPG folder in the container instead?

Is it possible to explain? I did not understand a lot of the explanation; please
clarify a few points.

On Mon, 18 May 2020, 11:11 PM Christof Marti notifications@github.com
wrote:

Closed #72 https://github.com/microsoft/vscode-remote-release/issues/72.



Ok🌹😍

On Mon, 18 May 2020, 11:14 PM Alessandro (Ale) Segala <
[email protected]> wrote:

@chrmarti https://github.com/chrmarti Do you mind sharing a code
sample? Also, rather than copying the keyring (which is a manual
operation), could we mount the GPG folder in the container instead?


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/microsoft/vscode-remote-release/issues/72#issuecomment-630411003,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/APUECRJKYCHW3F3HVIICLODRSGJIVANCNFSM4HKT6ATQ
.

Got it implemented by copying pubring.kbx and trustdb.gpg into the container and then forwarding the agent socket in the container to the extra ('remote') socket on the local machine. This will need some testing in the wild to confirm it works as expected.

Prove it.

show us a gif of it working on windows using docker-desktop for windows and vscode-remote connecting to a linux container.

until then this isn't solved.

@ItalyPaleAle You can still mount the GPG folder (or the individual files) if you prefer. The implementation checks if the files exist before writing them.

@airtonix This will be in the next version of the Remote-Containers extension. I have closed this issue for my own book-keeping.

@chrmarti Apologies, but I'm a bit confused... Did you fix this already? Does it work on the current version, or do we need to wait for the next version? Will there be some docs explaining how to do this?

@ItalyPaleAle It will be available with the next version. It should work out-of-the-box and we will add documentation as needed.

It's really tricky to set up agent connection forwarding myself, especially between Windows and a container; I almost forgot how I did this before... Even though it can work, it is still not that convenient, and I gave up on container development in the end years ago.
But I'm still excited to know that this is going to become a built-in feature :D

This is available in the latest version of Remote-Containers (0.118.0). You will need VS Code Insiders to get that version at the moment. Make sure to have gpg installed locally and in the container (update the Dockerfile if needed).

Let me know if it works and open bug reports if it does not! 👍

Was super excited to try this out today @chrmarti! Currently seeing an issue with older versions of gpg2. Opened an issue here: #3048. In the meantime I'm working on getting my dev container setup with the latest gpg2.

It should work out-of-the-box and we will add documentation as needed.

It doesn't. Documentation required.

@chrmarti I think you've implemented something that assumes we want this feature turned on all the time...

so now this explodes our local docker environments.

@airtonix Let's try to make it work first. Could you open a new issue with details on what is not working?
