GnuPG on RT5.0.1 setup issue

I’ve installed RT5.0.1 from source on Debian Testing (Bullseye) with MySql+Apache and ./configure --with-web-user=www-data --with-web-group=www-data --enable-graphviz --enable-gd --enable-gpg --enable-smime --enable-externalauth

My GPG private and secret keys have been placed at /opt/rt5/var/data/gpg/ with the .asc file extension. Since Apache runs as www-data, I’ve set the user and group in that folder accordingly.

In RT_SiteConfig.pm I’ve set GnuPG’s Passphrase => 'mypassword', and disabled S/MIME for now with Enable => 0.

Upon restarting Apache and/or editing the appropriate queue, RT created pubring.kbx and trustdb.gpg inside the data/gpg folder, which makes me assume that the general mechanism is working. However, in the queue settings it says "Couldn't get GnuPG keys information" inside the "Private key(s) for myemail@mydomain.net" window.

Could someone point me into the right direction please?

Can you show your gpg config without the passphrase?

RT_SiteConfig.pm

use utf8;
    
Set( $rtname, 'Org Support');
Set($Organization, "Org");
Set($WebDomain, "support.org.net");
Set($Timezone, "UTC");
Set( $WebPort, 443);

Set(%GnuPG,
Enable                 => 1,
#GnuPG                  => 'gpg',
GnuPG                  => '/usr/bin/gpg',
Passphrase             => 'secretpassword',
OutgoingMessagesFormat => "RFC", # Inline
FileExtensions         => [ 'pgp', 'gpg', 'asc' ],
);

Set(%GnuPGOptions,
homedir => q{var/data/gpg},

# URL of a keyserver
keyserver => 'hkp://eu.pool.sks-keyservers.net',

# enables the automatic retrieving of keys when verifying signatures
'keyserver-options' => 'auto-key-retrieve',
);

# Disable S/MIME
Set( %SMIME,
Enable => 0,
OpenSSL => 'openssl',
Keyring => q{var/data/smime},
CAPath => undef,
AcceptUntrustedCAs => undef,
Passphrase => undef,
);

# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them:
#     Plugin( "RT::Authen::ExternalAuth" );

1;

gpg directory

root@support:/opt/rt5/var/data/gpg# ls -la
total 100
drwxr-xr-x 2 www-data www-data  4096 Feb 25 10:29 .
drwxr-xr-x 3 www-data www-data  4096 Feb 25 09:43 ..
-rw-r--r-- 1 www-data www-data 39035 Feb 25 09:45 mail@org.net_public.asc
-rw-r--r-- 1 www-data www-data 42656 Feb 25 09:45 mail@org.net_secret.asc
-rw------- 1 www-data www-data    32 Feb 25 09:49 pubring.kbx
-rw------- 1 www-data www-data  1200 Feb 25 09:49 trustdb.gpg

Can you run gpg --list-keys on that directory? (I am not sure of the command to do it.)

No user on that machine uses gnupg.

sudo /usr/bin/gpg --homedir /opt/rt5/var/data/gpg --list-keys

root@support:/opt/rt5/var/data/gpg# gpg --homedir /opt/rt5/var/data/gpg --list-keys
gpg: WARNING: unsafe ownership on homedir '/opt/rt5/var/data/gpg'

It seems like you haven’t imported the key; you can try:

gpg --homedir /opt/rt5/var/data/gpg --import key.asc

and then try listing the keys again

root@support:/opt/rt5/var/data/gpg# gpg --homedir /opt/rt5/var/data/gpg --list-keys
gpg: WARNING: unsafe ownership on homedir '/opt/rt5/var/data/gpg'
/opt/rt5/var/data/gpg/pubring.kbx
---------------------------------
pub   rsa4096 2013-02-04 [SC] [expires: 2032-11-29]
      XYZ123
uid           [ unknown] Orgs (General Contact) <mail@org>
uid           [ unknown] Org (General Contact) <mail@org>

Ha, does your key show up in the RT UI now? (It may not let you sign with it due to trust being set to unknown.)

No, it’s still the same as before.

Anything in the RT log?

yep:

Feb 25 14:42:08 support RT: [1188] gpg: error reading key: No secret key

What happens if you do --list-secret-keys on that directory? I am not sure if the output from that command is sensitive or not, so you may not want to put it here.

That happens:

root@support:/opt/rt5/var/data/gpg# gpg --homedir /opt/rt5/var/data/gpg --list-secret-keys
gpg: WARNING: unsafe ownership on homedir '/opt/rt5/var/data/gpg'

Directory:

root@support:/opt/rt5/var/data/gpg# ls -altr
total 136
drwxr-xr-x 3 www-data www-data  4096 Feb 25 09:43 ..
-rw-r----- 1 www-data www-data 39035 Feb 25 09:45 mail@org.net_public.asc
-rw-r----- 1 www-data www-data 42656 Feb 25 09:45 mail@org.net_secret.asc
-rw------- 1 www-data www-data    32 Feb 25 09:49 pubring.kbx~
-rw-r--r-- 1 root     root     29231 Feb 25 14:34 pubring.kbx
-rw------- 1 www-data www-data  1200 Feb 25 14:34 trustdb.gpg
drwx------ 2 root     root      4096 Feb 25 14:35 private-keys-v1.d
srwx------ 1 www-data www-data     0 Feb 25 14:35 S.gpg-agent.ssh
srwx------ 1 www-data www-data     0 Feb 25 14:35 S.gpg-agent.extra
srwx------ 1 www-data www-data     0 Feb 25 14:35 S.gpg-agent.browser
srwx------ 1 www-data www-data     0 Feb 25 14:35 S.gpg-agent
drwx------ 3 www-data www-data  4096 Feb 25 14:35 .

So no secret key was imported.

Thanks for your efforts.

I do think there’s something off with the file rights and ownership, unfortunately I’m not aware of what RT expects in …/gpg. Anyone?

I see you have two files:

mail@org.net_public.asc
mail@org.net_secret.asc

Were both imported into gpg or perhaps only the public key?

I imported both. Secret key:

gpg: key 12345qwertyu: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

Upon importing the public key I got:

gpg: WARNING: unsafe ownership on homedir '/opt/rt5/var/data/gpg'
gpg: key 12345qwertyu: 2 signatures not checked due to missing keys
gpg: key 12345qwertyu: "Contact <mail@org.net>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

When I try importing the secret key again (as root, as always), this happens:

gpg: key 12345qwertyu:  error sending to agent: Permission denied
gpg: error building skey array: Permission denied
gpg: error reading 'mail@org.net_secret.asc': Permission denied
gpg: import from 'mail@org.net_secret.asc' failed: Permission denied

Has anyone configured RT with GPG? What are the required file ownerships for this to work?
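The directory listing earlier in the thread already shows the underlying problem: after the import was run as root, pubring.kbx and private-keys-v1.d/ are owned by root, and gpg's "unsafe ownership on homedir" warning appears because the user invoking gpg (root) is not the owner of the homedir (www-data). The www-data process that RT runs under therefore cannot read the secret key, which is what "No secret key" in the RT log reports. The following script is an added example, not code from this thread or from RT: it checks ownership and mode of the homedir, repairs an already-broken one, and shows how to import the key pair as the web user so that everything gpg creates is owned by www-data from the start. The path /opt/rt5/var/data/gpg and the user www-data are taken from the thread; everything else (function names, the environment variables) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from RT): put RT's GnuPG homedir into the
# ownership and mode that gpg and the www-data web process need, import the key
# pair as the web user, and verify the result.
# Assumed from the thread: RT under /opt/rt5, Apache running as www-data.

RT_GPG_HOME=${RT_GPG_HOME:-/opt/rt5/var/data/gpg}
WEB_USER=${WEB_USER:-www-data}

# Print every path under the homedir that is not owned by the expected user.
# Returns 1 if any such path exists, 2 if the user name is unknown, 0 otherwise.
# This catches exactly what the thread's ls output shows: pubring.kbx and
# private-keys-v1.d/ owned by root after importing as root.
check_homedir_owner() {
    dir=$1; owner=$2
    id "$owner" >/dev/null 2>&1 || return 2
    bad=$(find "$dir" ! -user "$owner")
    if [ -n "$bad" ]; then
        printf 'Not owned by %s:\n%s\n' "$owner" "$bad" >&2
        return 1
    fi
    return 0
}

# gpg warns about unsafe permissions unless group and other have no bits on the
# homedir. The mode string from ls -ld is inspected so this stays portable
# (no GNU-only stat flags).
check_homedir_mode() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Repair an already-broken homedir (run as root): everything gpg wrote as root
# becomes the web user's, and the directory itself is locked to 0700.
fix_homedir() {
    chown -R "$WEB_USER:$WEB_USER" "$RT_GPG_HOME" &&
    chmod 700 "$RT_GPG_HOME"
}

# Import the public and secret key files as the web user so the keyring, the
# trustdb and private-keys-v1.d/ are created with that user's ownership.
# Running gpg as root with --homedir pointing at a www-data directory is what
# produced the "unsafe ownership" warning and the root-owned files in the thread.
import_as_web_user() {
    for keyfile in "$@"; do
        sudo -u "$WEB_USER" gpg --homedir "$RT_GPG_HOME" --batch --import "$keyfile" || return 1
    done
    # RT needs a secret key for the queue address; it must show up here,
    # as the web user, not as root.
    sudo -u "$WEB_USER" gpg --homedir "$RT_GPG_HOME" --batch --list-secret-keys
}
```

Typical use on the box from the thread, as root: first `fix_homedir`, then `import_as_web_user /opt/rt5/var/data/gpg/mail@org.net_public.asc /opt/rt5/var/data/gpg/mail@org.net_secret.asc`, then `check_homedir_owner /opt/rt5/var/data/gpg www-data && check_homedir_mode /opt/rt5/var/data/gpg`. Only after --list-secret-keys run as www-data shows the key is it worth looking at RT's queue page again; a listing that is empty as www-data but populated as root is the ownership problem, not an RT configuration problem.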