podman and gpg-agent

[matejvasek]

Hi all,

I run podman 5.3.1 on Fedora 40 and I use smartcard (yubikey) for GPG. I also use GPG also for git authorization/commit signing.

It appears that podman image sign launches its own gpg-agent process. This is an issue for me since it conflicts with already running gpg-agent launched by gpg CLI (either directly by calling gpg command or indirectly by calling git).

It means I have to restart the pcscd.service (smartcard) service each time different agent access the smartcard.

Observations:

• The gpg-agent launched by gpg/git is started as /usr/bin/gpg-agent --supervised and it has sockets under $XDG_RUNTIME_DIR/gnupg.
• The gpg-agent launched by podman is started as gpg-agent --homedir $HOME/.gnupg --use-standard-socket --daemon and it has sockets under $HOME/.gnupg.

Weirdest thing is that when I try do what podman does it correctly indicates that some gpg-agent is already running.

~> gpg-agent --homedir /home/mvasek/.gnupg --use-standard-socket --daemon
gpg-agent[78165]: WARNING: "--use-standard-socket" is an obsolete option - it has no effect
gpg-agent: a gpg-agent is already running - not starting a new one

This makes absolutely no sense to me.

Is this intended behaviour? Am I doing anything wrong? Can I fix it, so podman uses the already running gpg-agent?

[matejvasek]

Probably related #23659

[matejvasek]

For now I have a symlink workaround:

cd ~/.gnupg 
for i in S.gpg-agent.ssh S.gpg-agent.extra S.gpg-agent.browser S.gpg-agent S.scdaemon; do
  ln -s "${XDG_RUNTIME_DIR}/gnupg/$i" "$i";
done