RT::Crypt::GPG with gpg-agent

Hello all,
just trying to figure how to setup RT with use of gpg-agent.

Tried to start gpg-agent this way:

root@server:~# gpg-agent --daemon --pinentry-program
/usr/bin/pinentry-curses --home /opt/rt4/var/data/GnuPG

And then in RT_SiteConfig.pm:
Set( %GnuPG,
Enable => 1,
OutgoingMessagesFormat => ‘RFC’,
AllowEncryptDataInDB => 0
);

Set( %GnuPGOptions,
‘digest-algo’ => ‘SHA512’,
‘use-agent’ => undef,
‘gpg-agent-info’=> ‘/opt/rt4/var/data/GnuPG/.agent-socket’,
‘no-permission-warning’ => undef,
‘homedir’ => ‘/opt/rt4/var/data/GnuPG’
);

Set( @MailPlugins =>
“Auth::MailFrom”,
“Auth::Crypt”
);

Unfortunately it didn’t work.

The gpg-agent-info option need to have the values which change with
every gpg-agent execution.

It could be possible to use write-env-file option and then read the
file by RT. Is it possible to extend the RT_SiteConfig.pm that way it
will read the file and fill the gpg-agent-info value in GnuPGOptions
hash?

Any other thoughts?

We are running GnuPG version 1.4.12, GnuPG agent version 2.0.19 and
latest release of RT 4.2.

Peter

Hello all,
just trying to figure how to setup RT with use of gpg-agent.

Tried to start gpg-agent this way:

root@server:~# gpg-agent --daemon --pinentry-program
/usr/bin/pinentry-curses --home /opt/rt4/var/data/GnuPG

And then in RT_SiteConfig.pm:
Set( %GnuPG,
Enable => 1,
OutgoingMessagesFormat => ‘RFC’,
AllowEncryptDataInDB => 0
);

Set( %GnuPGOptions,
‘digest-algo’ => ‘SHA512’,
‘use-agent’ => undef,
‘gpg-agent-info’=> ‘/opt/rt4/var/data/GnuPG/.agent-socket’,
‘no-permission-warning’ => undef,
‘homedir’ => ‘/opt/rt4/var/data/GnuPG’
);

Set( @MailPlugins =>
“Auth::MailFrom”,
“Auth::Crypt”
);

Unfortunately it didn’t work.

The gpg-agent-info option need to have the values which change with
every gpg-agent execution.

It could be possible to use write-env-file option and then read the
file by RT. Is it possible to extend the RT_SiteConfig.pm that way it
will read the file and fill the gpg-agent-info value in GnuPGOptions
hash?

Any other thoughts?

We are running GnuPG version 1.4.12, GnuPG agent version 2.0.19 and
latest release of RT 4.2.

I think the use-standard-socket option is another approach. The value is
then consistent each time. This has become the default in version 2.

Hello all,
just trying to figure how to setup RT with use of gpg-agent.

Tried to start gpg-agent this way:

root@server:~# gpg-agent --daemon --pinentry-program
/usr/bin/pinentry-curses --home /opt/rt4/var/data/GnuPG

And then in RT_SiteConfig.pm:
Set( %GnuPG,
Enable => 1,
OutgoingMessagesFormat => ‘RFC’,
AllowEncryptDataInDB => 0
);

Set( %GnuPGOptions,
‘digest-algo’ => ‘SHA512’,
‘use-agent’ => undef,
‘gpg-agent-info’=> ‘/opt/rt4/var/data/GnuPG/.agent-socket’,
‘no-permission-warning’ => undef,
‘homedir’ => ‘/opt/rt4/var/data/GnuPG’
);

Set( @MailPlugins =>
“Auth::MailFrom”,
“Auth::Crypt”
);

Unfortunately it didn’t work.

The gpg-agent-info option need to have the values which change with
every gpg-agent execution.

It could be possible to use write-env-file option and then read the
file by RT. Is it possible to extend the RT_SiteConfig.pm that way it
will read the file and fill the gpg-agent-info value in GnuPGOptions
hash?

Any other thoughts?

We are running GnuPG version 1.4.12, GnuPG agent version 2.0.19 and
latest release of RT 4.2.

I think the use-standard-socket option is another approach. The value is
then consistent each time. This has become the default in version 2.

RT 4.4 and RTIR Training Sessions https://bestpractical.com/training

  • Washington DC - May 23 & 24, 2016

Thank you - got it working this way:

in rc.local:

start GPG agent for Request Tracker

/usr/local/bin/rt-gpg-agent

File /usr/local/bin/rt-gpg-agent (possible to extend it to standard
SysVinit script):
#!/bin/sh

RT_GPG_HOME=/opt/rt4/var/data/GnuPG/

[ -f “${RT_GPG_HOME}/S.gpg-agent” ] && rm -f “${RT_GPG_HOME}/S.gpg-agent”

with cache TTL of 30 days

/usr/bin/gpg-agent --daemon --pinentry-program
/usr/bin/pinentry-curses --home “${RT_GPG_HOME}” --use-standard-socket
–default-cache-ttl 2592000 --max-cache-ttl 2592000

chmod 770 "${RT_GPG_HOME}/S.gpg-agent"
chgrp www-data “${RT_GPG_HOME}/S.gpg-agent”

cp /etc/hosts /tmp
gpg --use-agent --no-permission-warning --home
/opt/rt4/var/data/GnuPG/ -r security@eset.sk -e /tmp/hosts

this will ask gpg-agent for a passphrase and will cache it for RT

gpg --use-agent --no-permission-warning --home
/opt/rt4/var/data/GnuPG/ -r security@eset.sk -d /tmp/hosts.gpg

EOF

Entries for GPG in RT_SiteConfig.pm:
Set( %GnuPG,
Enable => 1,
OutgoingMessagesFormat => ‘RFC’,
AllowEncryptDataInDB => 0
);

Set( %GnuPGOptions,
‘digest-algo’ => ‘SHA512’,
‘use-agent’ => undef,
‘gpg-agent-info’=> ‘/opt/rt4/var/data/GnuPG/S.gpg-agent’,
‘no-permission-warning’ => undef,
‘homedir’ => ‘/opt/rt4/var/data/GnuPG’
);

Set( @MailPlugins =>
“Auth::MailFrom”,
“Auth::Crypt”
);

Hope it will help somebody.
Peter

Hi

Thank you for the example - this apporach works for me in with RT 4.4 on centos 7.3

One note though:
In RT 4.4 having CheckMoreMSMailHeaders enabled in the config could mess up the newline between the armor header and pgp encrypted message causing the decrypt to fail (with a very cryptic failure message).

best regards,
Ole Kristoffer