
makepkg hangs forever with GnuPG's new keyboxd

Hey there,

I have stumbled across a rather curious issue with makepkg, which I understand to be part of the pacman project, so I hope I am reaching out to the right place. The issue may not be widespread yet, but I suspect it will start to pop up in more places very soon.

TL;DR: if package signing is used, makepkg executes something like gpg --list-secret-key xxx inside a fakeroot. This will hang indefinitely if, and only if, all of the following criteria apply:

  1. the user uses gnupg with the new "keyboxd" (this is likely rare right now, but has become the default for new installs recently)
  2. the keyboxd for the user is already running, and
  3. it is managed by the systemd-user session

To reproduce:

  • Assert you are running the latest version of GnuPG (I am on 2.4.3)
  • Create a new user that does not have a ~/.gnupg dir
  • Log in as that user, so that a systemd-user session is run
  • Import some secret key
  • Run gpg --list-secret-keys (make sure it shows [keybox])
  • Run fakeroot -- gpg --list-secret-keys <- this will hang

I have reproduced this on two different systems, so I hope I have not overlooked another important factor here.

I have tracked this down to the following behavior:

  • gpg looks for the keyboxd socket, in this order:
    • in /run/user/<UID>/gnupg
    • in /var/run/user/<UID>/gnupg
    • in $HOME/.gnupg
  • If the socket cannot be found, gpg attempts to start a keyboxd
    • if systemd-user is used, it will start keyboxd with the socket in /run/user/<UID>/gnupg
    • else, a keyboxd instance is started unsupervised, with the socket in $HOME/.gnupg

The attentive reader might already suspect what the problem is (I verified this with strace):

  • with fakeroot, gpg looks for the socket in:
    • /run/user/0/gnupg
    • /var/run/user/0/gnupg
    • $HOME/.gnupg

Due to the latter, this causes no issues if systemd-user is not being used, but for regular logged-in users, on a regular Arch system, gpg won't find anything and will hang, waiting for some keyboxd instance to appear in the places it is looking for it.

I don't really think this behavior by keyboxd is wrong. After all, fakeroot makes both effective and real UID appear as 0. If it is not wrong, however, the question is how to avoid the hanging in makepkg?

For me, the workaround for now is to make sure to not use the new keyboxd, even on new setups, but I am not sure how long this will remain a viable option.

One option for makepkg might be a link to the existing keyboxd socket, but this is likely also error-prone, as the daemon may in fact not be running at that time.

I'd be very curious if anyone has any better ideas on how to deal with this, and of course I hope I am saving some folks a few hours of poking by getting the word out on this...
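The socket lookup order described above, and the uid-0 divergence under fakeroot, mirrored as a preflight check a build script could run before entering fakeroot. This is an added example, not code from the report or from makepkg; it assumes the socket file name S.keyboxd (GnuPG 2.3+ convention) and uses an optional KEYBOXD_PREFIX variable only so the lookup can be exercised against a scratch tree.

```shell
#!/bin/sh
# Added example, not part of the report or of makepkg.
# Assumptions: the keyboxd socket is named S.keyboxd; KEYBOXD_PREFIX, when
# set, is prepended to the /run and /var/run paths so the lookup can be
# exercised offline against a scratch directory.

# Print the first live keyboxd socket for uid $1 and home $2, trying the
# same locations in the same order gpg does; return 1 if none exists.
# A stale regular file is not a socket and is deliberately ignored.
find_keyboxd_socket() {
  for p in "${KEYBOXD_PREFIX:-}/run/user/$1/gnupg/S.keyboxd" \
           "${KEYBOXD_PREFIX:-}/var/run/user/$1/gnupg/S.keyboxd" \
           "$2/.gnupg/S.keyboxd"; do
    if [ -S "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  return 1
}

# Preflight to run BEFORE fakeroot: $1 = real uid (id -ru), $2 = $HOME.
# Inside fakeroot gpg searches as uid 0, so the check repeats the lookup
# with uid 0 first.  Returns 0 if gpg under fakeroot would find a socket,
# 1 if a socket exists only under the real uid's runtime dir (the hang
# described in the report), 2 if no keyboxd socket exists at all (gpg
# would then start its own instance, which is the non-systemd case).
keyboxd_fakeroot_preflight() {
  if find_keyboxd_socket 0 "$2" >/dev/null; then
    return 0
  elif find_keyboxd_socket "$1" "$2" >/dev/null; then
    printf 'warning: keyboxd socket only reachable as uid %s; gpg under fakeroot would hang\n' "$1" >&2
    return 1
  fi
  return 2
}

# Typical use in a build script, ahead of 'fakeroot -- gpg ...':
# keyboxd_fakeroot_preflight "$(id -ru)" "$HOME" || printf 'rc=%s\n' "$?"
```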
