[rt-users] RT::Crypt::GPG with gpg-agent

Peter Viskup skupko.sk at gmail.com
Mon Apr 4 09:45:07 EDT 2016


On Wed, Mar 30, 2016 at 3:06 PM, Jim Brandt <jbrandt at bestpractical.com> wrote:
>
>
> On 3/30/16 7:52 AM, Peter Viskup wrote:
>>
>> Hello all,
>> just trying to figure how to setup RT with use of gpg-agent.
>>
>> Tried to start gpg-agent this way:
>>
>> root at server:~# gpg-agent --daemon --pinentry-program /usr/bin/pinentry-curses \
>>     --home /opt/rt4/var/data/GnuPG
>>
>> And then in RT_SiteConfig.pm:
>> Set( %GnuPG,
>>          Enable => 1,
>>          OutgoingMessagesFormat => 'RFC',
>>          AllowEncryptDataInDB => 0
>> );
>>
>> Set( %GnuPGOptions,
>>          'digest-algo'   => 'SHA512',
>>          'use-agent'    => undef,
>>          'gpg-agent-info'=> '/opt/rt4/var/data/GnuPG/.agent-socket',
>>          'no-permission-warning' => undef,
>>          'homedir'       => '/opt/rt4/var/data/GnuPG'
>> );
>>
>> Set( @MailPlugins =>
>>          "Auth::MailFrom",
>>          "Auth::Crypt"
>> );
>>
>> Unfortunately it didn't work.
>>
>> The gpg-agent-info option needs to have values which change with
>> every gpg-agent execution.
>>
>> It could be possible to use write-env-file option and then read the
>> file by RT. Is it possible to extend the RT_SiteConfig.pm that way it
>> will read the file and fill the gpg-agent-info value in GnuPGOptions
>> hash?
>>
>> Any other thoughts?
>>
>> We are running GnuPG version 1.4.12, GnuPG agent version 2.0.19 and
>> latest release of RT 4.2.
>>
>
> I think the use-standard-socket option is another approach. The value is
> then consistent each time. This has become the default in version 2.
> ---------
> RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
> * Washington DC - May 23 & 24, 2016

Thank you - got it working this way:

in rc.local:
# start GPG agent for Request Tracker
/usr/local/bin/rt-gpg-agent

File /usr/local/bin/rt-gpg-agent (possible to extend it to standard
SysVinit script):
#!/bin/sh
# Start a gpg-agent on RT's own GnuPG homedir and prime its passphrase
# cache so RT (running as www-data) can sign and decrypt without a TTY.

RT_GPG_HOME=/opt/rt4/var/data/GnuPG/

# remove a stale standard socket left by a previous run
# (-e rather than -f: the socket is not a regular file, so -f never matches it)
[ -e "${RT_GPG_HOME}/S.gpg-agent" ] && rm -f "${RT_GPG_HOME}/S.gpg-agent"

# with cache TTL of 30 days
/usr/bin/gpg-agent --daemon --pinentry-program /usr/bin/pinentry-curses \
    --home "${RT_GPG_HOME}" --use-standard-socket \
    --default-cache-ttl 2592000 --max-cache-ttl 2592000

# let the web server group reach the agent socket
chmod 770 "${RT_GPG_HOME}/S.gpg-agent"
chgrp www-data "${RT_GPG_HOME}/S.gpg-agent"

# encrypt a throwaway file to RT's key, then decrypt it again
cp /etc/hosts /tmp
gpg --use-agent --no-permission-warning --home /opt/rt4/var/data/GnuPG/ \
    -r security@eset.sk -e /tmp/hosts
# this will ask gpg-agent for a passphrase and will cache it for RT
gpg --use-agent --no-permission-warning --home /opt/rt4/var/data/GnuPG/ \
    -r security@eset.sk -d /tmp/hosts.gpg
# EOF

Entries for GPG in RT_SiteConfig.pm:
Set( %GnuPG,
        Enable => 1,
        OutgoingMessagesFormat => 'RFC',
        AllowEncryptDataInDB => 0
);

Set( %GnuPGOptions,
        'digest-algo'   => 'SHA512',
        'use-agent'     => undef,
        'gpg-agent-info'=> '/opt/rt4/var/data/GnuPG/S.gpg-agent',
        'no-permission-warning' => undef,
        'homedir'       => '/opt/rt4/var/data/GnuPG'
);

Set( @MailPlugins =>
        "Auth::MailFrom",
        "Auth::Crypt"
);

Hope it will help somebody.
-- 
Peter
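An added audit script, not from the thread, that checks the standard-socket setup described above: the socket must exist, be a real socket (the reason `-f` does not work), have no world bits, and belong to the web server group, since anyone who can reach it can use the 30-day cached passphrase. It assumes the thread's homedir and the www-data group, and GNU `stat -c` (Debian/Ubuntu).

```shell
#!/bin/sh
# Audit the gpg-agent standard socket used by RT (added example, not from
# the original post). Defaults are the thread's values; override via env.
RT_GPG_HOME="${RT_GPG_HOME:-/opt/rt4/var/data/GnuPG}"
RT_WEB_GROUP="${RT_WEB_GROUP:-www-data}"

# mode_ok MODE GROUP WANTED_GROUP
# MODE is the octal string printed by `stat -c %a`. Accept only if the
# "other" digit is 0 (no world access) and the group is the web group,
# so the cached passphrase is reachable by the web server alone.
mode_ok() {
    case "$1" in
        *[1-7]) return 1 ;;   # world-readable/writable/executable: reject
    esac
    [ "$2" = "$3" ]
}

# socket_status PATH
# Prints one word (ok, missing, not-a-socket, bad-perms); returns 0 only for ok.
socket_status() {
    path=$1
    if [ ! -e "$path" ]; then echo missing; return 2; fi
    # -S, not -f: a Unix socket is not a regular file
    if [ ! -S "$path" ]; then echo not-a-socket; return 3; fi
    set -- $(stat -c '%a %G' "$path")   # assumes GNU coreutils stat
    if mode_ok "$1" "$2" "$RT_WEB_GROUP"; then echo ok; return 0; fi
    echo bad-perms; return 4
}

# Usage: sh rt-gpg-agent-check.sh audit
case "${1:-}" in
    audit) socket_status "${RT_GPG_HOME}/S.gpg-agent" ;;
esac
```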