fix(gpg resource): add passphrase to command line

Since the update of the gpg binary, the passphrase now needs to be passed into it (the agent no longer remembers the passphrase from creating the key in the first place). Needs an additional `--pinentry-mode=loopback` flag to allow the gpg command to honor the `--passsphrase` flag, otherwise it must always pop up a user dialog (and that won't be possible).
cdklabs · Jul 29, 2024 · f46418b · f46418b
1 parent 071dec5
commit f46418b
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/lib/custom-resource-handlers/src/pgp-secret.ts b/lib/custom-resource-handlers/src/pgp-secret.ts
@@ -93,7 +93,8 @@ async function _createNewKey(event: cfn.CreateEvent | cfn.UpdateEvent, context:
 
     const gpgCommonArgs = [`--homedir=${tempDir}`, '--agent-program=/opt/gpg-agent'];
     await _exec(GPG_BIN, ...gpgCommonArgs, '--batch', '--gen-key', keyConfig);
-    const keyMaterial = await _exec(GPG_BIN, ...gpgCommonArgs, '--batch', '--yes', '--export-secret-keys', '--armor');
+    // Need the passphrase to export the private key
+    const keyMaterial = await _exec(GPG_BIN, ...gpgCommonArgs, '--batch', '--yes', '--export-secret-keys', '--armor', '--pinentry-mode=loopback', `--passphrase=${passPhrase}`);
     const publicKey = await _exec(GPG_BIN, ...gpgCommonArgs, '--batch', '--yes', '--export', '--armor');
     const secretOpts = {
       ClientRequestToken: context.awsRequestId,