Signing commits with GPG key is broken #105

Open
GeoffreyCoulaud opened this issue Jun 9, 2022 · 6 comments

Comments

@GeoffreyCoulaud

This is basically the same as #53.

When trying to make a git commit from inside vscodium, if the GPG key needs a passphrase the prompt can't show up.
The solution proposed on the closed issue is a set of scripts that will flatpak-spawn the host's gpg program.

However, maybe we should handle this more cleanly? A hack discoverable by going to the GitHub is not really user friendly...

@noonsleeper
Collaborator

Hey @GeoffreyCoulaud, today I tried to make this work on GNOME but it doesn't work (it works out of the box on KDE without changing anything). And after more research I found flatpak/flatpak#2301, since there isn't a clean solution for this problem until Flatpak gets a proper handle to talk with gpg-agent or org.gnome.keyring.SystemPrompter.

@RomanRiabenko

Hello @noonsleeper, I just wanted to let everyone know that flatpak/flatpak#2301 has been closed for some time now as completed via flatpak/flatpak#4958. It was released in Flatpak 1.14.0.

@madpipeline

How does this work OOTB on KDE? I run Fedora 38 KDE, and still run into this issue. After I've set the "Filesystem access" for "xdg-run/gnupg" to "Read/write" it didn't complain anymore about not finding a GPG agent, but now it complains about gpg: signing failed: No pinentry. I'm still not getting a prompt for the passphrase.

@jwillikers

jwillikers commented Jul 20, 2023

> How does this work OOTB on KDE? I run Fedora 38 KDE, and still run into this issue. After I've set the "Filesystem access" for "xdg-run/gnupg" to "Read/write" it didn't complain anymore about not finding a GPG agent, but now it complains about gpg: signing failed: No pinentry. I'm still not getting a prompt for the passphrase.

@madpipeline So, GNOME keyring has built-in support for storing GPG keys but I don't know if KWallet does. I think it should still be possible to configure a pinentry program for your gpg-agent to get past this error. First, make sure that you have pinentry-qt installed. I'm not sure if it comes installed as part of Fedora KDE.

sudo dnf install pinentry-qt

Then configure the gpg-agent to use the pinentry-qt program.

mkdir -p ~/.gnupg
echo "pinentry-program /usr/bin/pinentry-qt" | tee -a ~/.gnupg/gpg-agent.conf

Now see if you get a pop-up to enter your passphrase when you attempt to sign a commit.

@czhang03

czhang03 commented Mar 21, 2024

I ran into the same gpg: signing failed: No pinentry on GNOME too. I gave read and write access to xdg-run/gnupg.

My vscodium doesn't have system file access, only to my project folder, so I also gave access to ~/.gnupg.

I have seen other apps package pinentry directly as a dependency, as it is removed from the freedesktop SDK:

flatpak/freedesktop-sdk-images#70
https://github.com/flathub/org.gnome.Evolution/blob/3dcb18cdcee1cdbc0d56ba89176d0fb9f33d3c4c/org.gnome.Evolution.json#L262

More info here: flathub/com.visualstudio.code#56

@czhang03

czhang03 commented Mar 30, 2024

Okay, so I got the signing working using an existing key with the following permissions:

  • gpg-agent socket permission
  • ~/.gnupg file system permission (read and write)
  • ~/.gitconfig:ro file system permission (to use global git setting)
  • remove host file system permission, and only allow access to my project folder.

I also have gpg-agent.conf file in ~/.gnupg, with the following content:

pinentry-program .gnupg/pinentry.sh

and a pinentry.sh file in ~/.gnupg with the following content:

#!/bin/sh
# Point pinentry at the session D-Bus socket and forward gpg-agent's arguments.
DBUS_SESSION_BUS_ADDRESS="unix:path=$XDG_RUNTIME_DIR/bus" pinentry "$@"

The rest of the permissions are left as default or are irrelevant.

I think the passphrase is stored in the password manager, hence codium did not prompt me for the passphrase.

I was able to sign using an existing key in ~/.gnupg created by GNOME Passwords and Keys. I will try to do more complex tasks when I have time (generate a key, register the key with git, and sign), but it would be great if others can confirm if this setting works.
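
An added example, not part of the thread or of the project: a POSIX shell check for the `gpg: signing failed: No pinentry` error reported above. It reads the `pinentry-program` line from `gpg-agent.conf` and reports whether the program it names exists and is executable. The function name `check_pinentry`, its status strings, and the choice to flag relative paths instead of resolving them are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): explain a "No pinentry" failure by
# checking the pinentry-program line in gpg-agent.conf.
# Prints one of: no-conf, no-directive, relative:<p>, missing:<p>,
# not-executable:<p>, ok:<p>. Returns 0 only for ok.
check_pinentry() {
    conf=${1:-$HOME/.gnupg/gpg-agent.conf}
    [ -f "$conf" ] || { echo "no-conf"; return 1; }

    # `tee -a` appends, so repeated setup runs can leave several directives.
    # Assumption: the last one is the one in effect.
    prog=$(sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    [ -n "$prog" ] || { echo "no-directive"; return 1; }

    # Assumption: a relative path is reported, not resolved, because the
    # directory gpg-agent would resolve it against is not known here.
    case $prog in
        /*) ;;
        *) echo "relative:$prog"; return 1 ;;
    esac

    [ -e "$prog" ] || { echo "missing:$prog"; return 1; }
    if [ ! -f "$prog" ] || [ ! -x "$prog" ]; then
        echo "not-executable:$prog"; return 1
    fi
    echo "ok:$prog"
}

# Constructed sample in a temp dir: a wrapper script and a conf naming it.
demo=$(mktemp -d)
printf '#!/bin/sh\nexec pinentry "$@"\n' > "$demo/pinentry.sh"
printf 'pinentry-program %s\n' "$demo/pinentry.sh" > "$demo/gpg-agent.conf"
check_pinentry "$demo/gpg-agent.conf" || true   # wrapper lacks +x at this point
chmod +x "$demo/pinentry.sh"
check_pinentry "$demo/gpg-agent.conf"
rm -rf "$demo"
```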
