GPG keys are not imported in container if GPG is configured with use-keyboxd. Default for GPG >= 2.4.1 fresh install. #9217

@DaazKu

Description

The current implementation assumes that ~/.gnupg/pubring.kbx exists and can be copied inside the container so that we have access to keys inside it.
This is not the case if use-keyboxd is used.

=>> Since version 2.4.1 of gnupg, fresh installations are now using use-keyboxd by default. See: https://github.com/gpg/gnupg/blob/42ee84197695aca44f5f909a0b1eb59298497da0/README#L131C17-L131C22 <<=

Versions

  • VSCode Version: 1.84.2
  • Local OS Version: Darwin arm64 21.6.0
  • Remote OS Version: debian:buster-20191118
  • Remote Extension/Connection Type: K8s

Steps to Reproduce:

  1. Have ~/.gnupg/common.conf with use-keyboxd. Supported since 2.3.0 and the default since 2.4.1 of gnupg
  2. Attach VS to container
  3. See that ~/.gnupg/pubring.kbx is not copied into the container because it does not exist.
  4. Do gpg -k in the container for the first time and get the following message: gpg: keybox '~/.gnupg/pubring.kbx' created
    • Note that you don't have any keys loaded in the container

As per https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html, use-keyboxd changes the way GPG works:

Note that if the option use-keyboxd is enabled in common.conf, no keyrings are used at all and keys are all maintained by the keyboxd process in its own database.

We end up with no file ~/.gnupg/pubring.kbx.

You can use the temporary fix below to migrate off use-keyboxd.

TEMPORARY FIX

You can revert back to using pubring.kbx:

  1. Export keys
  2. Disable use-keyboxd
  3. Import keys

Basically you do the inverse of: https://github.com/gpg/gnupg/blob/42ee84197695aca44f5f909a0b1eb59298497da0/README#L134C2-L145
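
The three steps above as a host-side script, given as an added example that is not from the issue author or the GnuPG README. It assumes GnuPG 2.3 or later with gpg and gpgconf on PATH; the function names and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example: revert a host GnuPG home from keyboxd to pubring.kbx.
# Function names are hypothetical; gpg and gpgconf must be on PATH to run it.
gnupg_home="${GNUPGHOME:-$HOME/.gnupg}"

# True if the given common.conf has an active (uncommented) use-keyboxd line.
uses_keyboxd() {
    grep -Eq '^[[:space:]]*use-keyboxd([[:space:]]|$)' "$1" 2>/dev/null
}

# Step 2: comment the option out, leaving the original in common.conf.bak.
disable_keyboxd() {
    cp -p "$1" "$1.bak" &&
        sed 's/^\([[:space:]]*\)use-keyboxd/\1# use-keyboxd/' "$1.bak" > "$1"
}

revert_to_pubring() {
    conf="$gnupg_home/common.conf"
    if ! uses_keyboxd "$conf"; then
        echo "use-keyboxd is not active in $conf; nothing to do" >&2
        return 0
    fi
    umask 077                     # keep the exported keyring private
    dump="$(mktemp -d)/allkeys.gpg" || return 1
    # Step 1: export public keys while gpg still talks to keyboxd.
    # Secret keys stay with gpg-agent (private-keys-v1.d) and are not touched.
    gpg --export --export-options backup --output "$dump" || return 1
    disable_keyboxd "$conf" || return 1
    gpgconf --kill all            # stop running daemons so the new config is read
    # Step 3: import into the classic keybox file.
    gpg --import --import-options restore "$dump" || return 1
    # The file the container copy expects should now exist and be non-empty.
    [ -s "$gnupg_home/pubring.kbx" ]
}

# Only touch the real keyring when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    revert_to_pubring
fi
```

After a successful run, `gpg -k` on the host lists the same keys as before and ~/.gnupg/pubring.kbx is present for the container attach to copy.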

Labels

  • bug: Issue identified by VS Code Team member as probable bug
  • containers: Issue in vscode-remote containers
  • verified: Verification succeeded
