Search code examples
gnupggitlab-ci-runner

Blackbox on GitLab CI, unable to load GPG private key

I'm trying to use Blackbox to encrypt sensitive files in a repository I'm working with, but I am unable to make the GitLab CI pipeline load the private GPG key required to decrypt the files.

At the , you can see the output from the GitLab CI runner where it is evident that:

  • My private key, stored as a Secret Variable for the runner, is available.
  • The secret key is properly written to a file that can be read back.
  • The GPG key is properly formatted and contains a complete and proper key.
  • GPG exists and can be properly initiated.

However, when I run the command gpg -v --import /tmp/server.gpg, I keep getting gpg: no valid OpenPGP data found.. This makes no sense.

I have followed all posts I could find on this, but they are either about verifying file contents rather than actually importing a proper key, or that the key is actually malformed, which mine evidently is not.

I'd appreciate any help I can get on this matter as I am making no progress whatsoever.

Thank you!

Output from the GitLab CI runner:

Running with gitlab-ci-multi-runner 9.1.0 (0118d89) on docker-auto-scale (e11ae361)
Using Docker executor with image golang:1.8.1 ...
Using docker image sha256:3858bc6d4732445082339c9ccccfe56bf599d1fe7d9e850fb67ceec76807ed8d for predefined container...
Pulling docker image golang:1.8.1 ...
Using docker image golang:1.8.1 ID=sha256:6d0bfafa0452c6398be979f89614b5e3cb5d10e853ccd4f5791c4971a88065e0 for build container...
Running on runner-e11ae361-project-3172553-concurrent-0 via runner-e11ae361-machine-1493644095-36064084-digital-ocean-2gb...
Cloning repository...
Cloning into '/builds/project/repo'...
Checking out 7013b30a as feature/blackbox...
Skipping Git submodules setup
$ git clone https://github.com/StackExchange/blackbox
Cloning into 'blackbox'...
$ cd blackbox
$ make manual-install
Symlinking files from ./bin to /usr/local/bin
Done.
$ echo $GPG_PRIVATE_KEY > /tmp/server.gpg
$ chmod 400 /tmp/server.gpg
$ cat /tmp/server.gpg
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v2

[redacted]
-----END PGP PRIVATE KEY BLOCK-----
$ gpg -v --list-keys
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during 
this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: using PGP trust model
$ gpg -v --import /tmp/server.gpg
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
ERROR: Job failed: exit code 1
Solution

  • I found the answer. In my .gitlab-ci.yml, I changed my GPG read implementation from:

    - echo $GPG_PRIVATE_KEY > /tmp/server.gpg
- gpg -v --import /tmp/server.gpg

    to:

    - gpg -v --import <(echo "$GPG_PRIVATE_KEY")

    This solved the issue.