RT::Crypt::GPG with gpg-agent

Hello all,
just trying to figure out how to set up RT with use of gpg-agent.

Tried to start gpg-agent this way:

root@server:~# gpg-agent --daemon --pinentry-program /usr/bin/pinentry-curses --home /opt/rt4/var/data/GnuPG

And then in RT_SiteConfig.pm:
Set( %GnuPG,
    Enable => 1,
    OutgoingMessagesFormat => 'RFC',
    AllowEncryptDataInDB => 0
);

Set( %GnuPGOptions,
    'digest-algo' => 'SHA512',
    'use-agent' => undef,
    'gpg-agent-info' => '/opt/rt4/var/data/GnuPG/.agent-socket',
    'no-permission-warning' => undef,
    'homedir' => '/opt/rt4/var/data/GnuPG'
);

Set( @MailPlugins =>
    "Auth::MailFrom",
    "Auth::Crypt"
);

Unfortunately it didn’t work.

The gpg-agent-info option needs to have values which change with
every gpg-agent execution.

It could be possible to use the write-env-file option and then have RT
read the file. Is it possible to extend RT_SiteConfig.pm in such a way
that it will read the file and fill in the gpg-agent-info value in the
GnuPGOptions hash?

Any other thoughts?

We are running GnuPG version 1.4.12, GnuPG agent version 2.0.19 and
latest release of RT 4.2.

Peter

I think the use-standard-socket option is another approach. The value is
then consistent each time. This has become the default in version 2.

Thank you - got it working this way:

in rc.local:

# start GPG agent for Request Tracker
/usr/local/bin/rt-gpg-agent

File /usr/local/bin/rt-gpg-agent (possible to extend it to standard
SysVinit script):

#!/bin/sh

RT_GPG_HOME=/opt/rt4/var/data/GnuPG/

# remove a stale agent socket (-S, because the path is a socket and -f never matches one)
[ -S "${RT_GPG_HOME}/S.gpg-agent" ] && rm -f "${RT_GPG_HOME}/S.gpg-agent"

# with cache TTL of 30 days
/usr/bin/gpg-agent --daemon --pinentry-program /usr/bin/pinentry-curses --home "${RT_GPG_HOME}" --use-standard-socket --default-cache-ttl 2592000 --max-cache-ttl 2592000

chmod 770 "${RT_GPG_HOME}/S.gpg-agent"
chgrp www-data "${RT_GPG_HOME}/S.gpg-agent"

cp /etc/hosts /tmp
gpg --use-agent --no-permission-warning --home /opt/rt4/var/data/GnuPG/ -r security@eset.sk -e /tmp/hosts

# this will ask gpg-agent for a passphrase and will cache it for RT
gpg --use-agent --no-permission-warning --home /opt/rt4/var/data/GnuPG/ -r security@eset.sk -d /tmp/hosts.gpg

# EOF

Entries for GPG in RT_SiteConfig.pm:
Set( %GnuPG,
    Enable => 1,
    OutgoingMessagesFormat => 'RFC',
    AllowEncryptDataInDB => 0
);

Set( %GnuPGOptions,
    'digest-algo' => 'SHA512',
    'use-agent' => undef,
    'gpg-agent-info' => '/opt/rt4/var/data/GnuPG/S.gpg-agent',
    'no-permission-warning' => undef,
    'homedir' => '/opt/rt4/var/data/GnuPG'
);

Set( @MailPlugins =>
    "Auth::MailFrom",
    "Auth::Crypt"
);

Hope it will help somebody.
Peter
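
A permission audit for the setup in the post above, as an added example that is not part of the thread: since no-permission-warning silences gpg's own complaint about unsafe homedir permissions, it checks independently that the homedir and the agent socket are closed to other users and that the socket has the expected group. The function names are made up for this example, and it assumes the usual `ls -ld` long-format columns.

```sh
#!/bin/sh
# Added example: audit the permissions left behind by an agent start script.
# Function names are made up for this example.

# other_perms PATH -> prints the "other" permission triplet from ls -ld, e.g. "---"
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# check_no_world_access PATH -> 0 if other users have no access at all
check_no_world_access() {
    case "$(other_perms "$1")" in
        ---|--T) return 0 ;;   # --T: sticky bit only, still no access
        *)       return 1 ;;
    esac
}

# check_group PATH GROUP -> 0 if PATH belongs to GROUP
check_group() {
    [ "$(ls -ld "$1" | awk '{print $4}')" = "$2" ]
}

# audit_agent HOMEDIR GROUP -> prints findings, returns their count
audit_agent() {
    home=$1; group=$2; sock="$home/S.gpg-agent"; findings=0
    if ! check_no_world_access "$home"; then
        echo "FAIL: $home is accessible to other users"
        findings=$((findings + 1))
    fi
    if [ ! -S "$sock" ]; then
        # -S, not -f: a regular file with this name is not an agent socket
        echo "FAIL: $sock is missing or not a socket"
        findings=$((findings + 1))
    else
        if ! check_no_world_access "$sock"; then
            echo "FAIL: $sock is accessible to other users"
            findings=$((findings + 1))
        fi
        if ! check_group "$sock" "$group"; then
            echo "FAIL: $sock group is not $group"
            findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ] && echo "OK: $home and agent socket"
    return "$findings"
}

# Usage (paths from the post): audit_agent /opt/rt4/var/data/GnuPG www-data
```

A non-zero exit status is the number of findings, so the call can gate a monitoring check or the end of the start script.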

Hi

Thank you for the example - this approach works for me with RT 4.4 on CentOS 7.3

One note though:
In RT 4.4 having CheckMoreMSMailHeaders enabled in the config could mess up the newline between the armor header and pgp encrypted message causing the decrypt to fail (with a very cryptic failure message).

best regards,
Ole Kristoffer