Cannot import GPG key when pipeline is triggered on tag push

Summary

Any gpg --pinentry-mode loopback --passphrase $GPG_PASSPHRASE --import $GPG_USER_KEY command defined in .gitlab-ci.yml fails when the job is triggered from a git tag push. The same gpg command for the same commit succeeds when the job is triggered from a branch push.

Steps to reproduce

  1. Use an image with gpg version > 2.1
  2. Create GPG_USER_KEY File environment variable with a PGP ASCII base64 encoded secret key
  3. Create GPG_PASSPHRASE environment variable with value of the above key's passphrase
  4. Add gpg --pinentry-mode loopback --passphrase $GPG_PASSPHRASE --import $GPG_USER_KEY to the before_script section
  5. Commit and Tag

The pipeline triggered from the branch commit will succeed, but the pipeline triggered from the tag will fail.
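One way to harden step 4, as an added example rather than the project's own before_script: validate the two CI variables before gpg ever sees them, and hand gpg the passphrase on stdin instead of the command line. The check matters because of how gpg parses its arguments: --passphrase consumes the next argument as the passphrase, so if $GPG_PASSPHRASE expands to nothing, the unquoted command collapses to gpg --passphrase --import /path/to/key, which leaves gpg with a file operand and no command, which is exactly the "no command supplied" warning in the failed log below. The logs do not show whether the variable was empty in the tag job, so that is a candidate to check, not a confirmed cause. The variable names come from the issue; the function names and the script path are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the issue or the giest4life/funky project.
# Fail-closed GPG import for a GitLab before_script: the CI variables are
# validated before gpg runs, and the passphrase never appears on the command
# line. Variable names GPG_USER_KEY / GPG_PASSPHRASE come from the issue; the
# function names are hypothetical.

# check_gpg_inputs KEYFILE PASSPHRASE
# Returns 0 when both values are usable, 1 with a reason on stderr otherwise.
check_gpg_inputs() {
    keyfile=$1
    passphrase=$2
    if [ -z "$keyfile" ]; then
        echo "check_gpg_inputs: GPG_USER_KEY is empty in this job" >&2
        return 1
    fi
    if [ ! -s "$keyfile" ]; then
        echo "check_gpg_inputs: GPG_USER_KEY is not a non-empty file: $keyfile" >&2
        return 1
    fi
    # A File variable holding an ASCII-armored secret key carries this header.
    if ! grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$keyfile"; then
        echo "check_gpg_inputs: $keyfile is not an ASCII-armored secret key" >&2
        return 1
    fi
    if [ -z "$passphrase" ]; then
        # An empty, unquoted $GPG_PASSPHRASE would make gpg read the following
        # option (--import) as the passphrase and leave it with no command.
        echo "check_gpg_inputs: GPG_PASSPHRASE is empty in this job" >&2
        return 1
    fi
    return 0
}

# import_gpg_key KEYFILE PASSPHRASE
# Imports the key non-interactively. --batch plus --pinentry-mode loopback lets
# gpg >= 2.1 take the passphrase from a file descriptor; --passphrase-fd 0 reads
# it from stdin so it is not visible in the runner's process list. Every
# expansion is quoted, so a missing value can never shift the option parsing.
import_gpg_key() {
    check_gpg_inputs "$1" "$2" || return 1
    printf '%s' "$2" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --import "$1"
}

# Stand-alone demonstration with a constructed placeholder file (not a real key);
# it exercises the checks only and does not call gpg.
demo_key=$(mktemp)
printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' \
    'placeholder-not-a-real-key' \
    '-----END PGP PRIVATE KEY BLOCK-----' > "$demo_key"
check_gpg_inputs "$demo_key" 'constructed-passphrase' && echo "demo: inputs accepted"
check_gpg_inputs "$demo_key" '' || echo "demo: empty passphrase rejected before gpg ran"
rm -f "$demo_key"
```

In .gitlab-ci.yml the before_script would source the script (hypothetical path ci/gpg-import.sh) and call import_gpg_key "$GPG_USER_KEY" "$GPG_PASSPHRASE", so a missing value fails the job with a one-line reason instead of gpg's guess at what was meant. One thing worth checking first when only tag pipelines fail: GitLab exposes variables marked Protected only to jobs on protected branches and tags, so a job on an unprotected tag sees them as empty.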

Example Project

Examples where the branch pipeline succeeded but the tag pipeline failed:

8bda20a0

9605b8bd

What is the current bug behavior?

gpg complains that no command is supplied and the job fails.

What is the expected correct behavior?

The gpg key should be imported and the job should pass.

Relevant logs and/or screenshots

Passed Logs

Running with gitlab-runner 11.11.2 (ac2a293c)
  on docker-auto-scale 0277ea0f
Using Docker executor with image maven:3.6.1-jdk-11 ...
Pulling docker image maven:3.6.1-jdk-11 ...
Using docker image sha256:4728ed24889835d638f3fa945f6b5ac56572c0ccdfde2d928ae0c506000373d5 for maven:3.6.1-jdk-11 ...
Running on runner-0277ea0f-project-12314079-concurrent-0 via runner-0277ea0f-srm-1560174302-3cdf3074...
Initialized empty Git repository in /builds/giest4life/funky/.git/
Fetching changes...
Created fresh repository.
From https://gitlab.com/giest4life/funky
 * [new branch]      master     -> origin/master
Checking out 8bda20a0 as master...

Skipping Git submodules setup
$ gpg $GPG_CLI_OPTS --passphrase $GPG_PASSPHRASE --import $GPG_USER_KEY
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key FB9E9020CA1A0DAC: public key "Eqan Butt <eqan_asif@yahoo.com>" imported
gpg: key FB9E9020CA1A0DAC: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
$ echo "Done!"
Done!
Job succeeded

Failed Logs

Running with gitlab-runner 11.11.2 (ac2a293c)
  on docker-auto-scale 72989761
Using Docker executor with image maven:3.6.1-jdk-11 ...
Pulling docker image maven:3.6.1-jdk-11 ...
Using docker image sha256:4728ed24889835d638f3fa945f6b5ac56572c0ccdfde2d928ae0c506000373d5 for maven:3.6.1-jdk-11 ...
Running on runner-72989761-project-12314079-concurrent-0 via runner-72989761-srm-1560174555-0044b6bf...
Initialized empty Git repository in /builds/giest4life/funky/.git/
Fetching changes...
Created fresh repository.
From https://gitlab.com/giest4life/funky
 * [new branch]      master       -> origin/master
 * [new tag]         release/test -> release/test
Checking out 8bda20a0 as release/test...

Skipping Git submodules setup
$ gpg $GPG_CLI_OPTS --passphrase $GPG_PASSPHRASE --import $GPG_USER_KEY
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: processing message failed: Unknown system error
ERROR: Job failed: exit code 1

Output of checks

This bug happens on GitLab.com.

/label ~bug

Edited by Eqan