vsajip/python-gnupg

gpg-agent access causing failures in AWS Python lambdas

writeson opened this issue · 3 comments

Describe the bug
I'm using python-gnupg in an AWS Python (3.12) lambda function and it fails because it has a dependency on the gpg-agent command line tool. The code seems to get the key and create the gpg instance fine, but fails when trying to decrypt the file.

To Reproduce
Create a Python 3.12 AWS lambda function that has this code:

    import gnupg  # python-gnupg wrapper around the gpg binary

    # logger, pgp_private_key and PGPImportKeysException are defined elsewhere
    # in the lambda (logger takes keyword fields, structlog-style).
    logger.debug("about to initialize the gnupg")
    gpg = gnupg.GPG(verbose=True)
    logger.debug("done initializing the gnupg")
    import_result = gpg.import_keys(pgp_private_key)
    # import_result.count is the first IMPORT_RES counter (keys processed)
    if not import_result or not import_result.count:
        logger.error("Failed to import PGP key", text=import_result.results)
        raise PGPImportKeysException(
            f"Failed to import PGP key, {import_result.results}"
        )

And try to use it to decrypt a file.

Expected behavior
I want to get a decrypted version of an encrypted file

Screenshots
This is the list of log lines in the AWS CloudWatch log attached to my lambda function

    2024-03-08T16:20:24.793-05:00 | gpg: keybox '/tmp/pubring.kbx' created
    2024-03-08T16:20:24.793-05:00 | [GNUPG:] KEY_CONSIDERED B36E14B450ADDBE58ADC156EEAAAC4D57801087C 0
    2024-03-08T16:20:24.793-05:00 | gpg: key EAAAC4D57801087C: public key "wallet_import_keys" imported
    2024-03-08T16:20:24.793-05:00 | [GNUPG:] IMPORTED EAAAC4D57801087C wallet_import_keys
    2024-03-08T16:20:24.793-05:00 | [GNUPG:] IMPORT_OK 1 B36E14B450ADDBE58ADC156EEAAAC4D57801087C
    2024-03-08T16:20:24.793-05:00 | [GNUPG:] KEY_CONSIDERED B36E14B450ADDBE58ADC156EEAAAC4D57801087C 0
    2024-03-08T16:20:24.793-05:00 | gpg: error running '/usr/bin/gpg-agent': probably not installed
    2024-03-08T16:20:24.793-05:00 | gpg: failed to start gpg-agent '/usr/bin/gpg-agent': Configuration error
    2024-03-08T16:20:24.793-05:00 | gpg: can't connect to the gpg-agent: Configuration error
    2024-03-08T16:20:24.793-05:00 | gpg: error getting the KEK: No agent running
    2024-03-08T16:20:24.793-05:00 | gpg: error reading '[stdin]': No agent running
    2024-03-08T16:20:24.793-05:00 | gpg: import from '[stdin]' failed: No agent running
    2024-03-08T16:20:24.793-05:00 | gpg: Total number processed: 0
    2024-03-08T16:20:24.793-05:00 | gpg: imported: 1
    2024-03-08T16:20:24.793-05:00 | gpg: secret keys read: 1
    2024-03-08T16:20:24.793-05:00 | [GNUPG:] IMPORT_RES 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0
    2024-03-08T16:20:24.794-05:00 | [WARNING] 2024-03-08T21:20:24.794Z 92563ee6-2ea2-4d18-9f86-ed2bdf8cad5b gpg returned a non-zero error code: 2

Environment
AWS X86 execution environment
Python 3.12
python-gnupg version 0.5.2


I don't believe this is a python-gnupg bug - it's gpg that is expecting gpg-agent to be there. Any reason why it isn't? Perhaps try with a different version of GnuPG? It's not clear which version of that you're using.

vsajip,
You're right, the python-gnupg library is a wrapper around the underlying use of the GnuPG binaries, which the library doesn't include. On my development Mac I have version gpg (GnuPG/MacGPG2) 2.2.41 installed. This isn't in the AWS Lambda execution environment. Is there a way to add GnuPG binaries to the lambda execution environment?

I believe you can, though I'm not an AWS Lambda user myself. There are online resources available which may be helpful, e.g. on Stack Overflow.
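The log above shows why the `import_result.count` check in the issue is not enough: the public key is imported, but the `IMPORT_RES` line reports `sec_read 1` / `sec_imported 0` because gpg could not reach gpg-agent for the secret key. The following is an added example (not code from the issue or from python-gnupg) that parses the gpg status/stderr output into those counters, flags the agent failure, and adds a preflight check for the binaries; the sample lines are copied from the CloudWatch log above, and the function names are my own. python-gnupg's `ImportResult` exposes the same counters as attributes (`sec_read`, `sec_imported`, ...), so the same comparison can be made directly on the object returned by `import_keys`.

```python
import re
import shutil

# Constructed sample: the relevant stderr/status lines from the CloudWatch
# log in this issue (public key imported, secret key blocked by missing agent).
SAMPLE_STDERR = """\
gpg: keybox '/tmp/pubring.kbx' created
[GNUPG:] IMPORTED EAAAC4D57801087C wallet_import_keys
[GNUPG:] IMPORT_OK 1 B36E14B450ADDBE58ADC156EEAAAC4D57801087C
gpg: error running '/usr/bin/gpg-agent': probably not installed
gpg: can't connect to the gpg-agent: Configuration error
gpg: error getting the KEK: No agent running
[GNUPG:] IMPORT_RES 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0
"""

# Field order of the IMPORT_RES status line (GnuPG DETAILS); python-gnupg
# populates ImportResult attributes from the same positions.
IMPORT_RES_FIELDS = (
    "count", "no_user_id", "imported", "imported_rsa", "unchanged", "n_uids",
    "n_subk", "n_sigs", "n_revoc", "sec_read", "sec_imported", "sec_dups",
    "skipped_new_keys", "not_imported", "skipped_v3",
)

AGENT_ERROR = re.compile(
    r"gpg: (?:can't connect to the gpg-agent|error running '.*gpg-agent'|.*No agent running)"
)


def parse_import_res(stderr: str) -> dict:
    """Return the IMPORT_RES counters as a dict ({} if no such line; short lines pad with 0)."""
    for line in stderr.splitlines():
        if line.startswith("[GNUPG:] IMPORT_RES "):
            values = [int(v) for v in line.split()[2:]]
            values += [0] * (len(IMPORT_RES_FIELDS) - len(values))
            return dict(zip(IMPORT_RES_FIELDS, values))
    return {}


def diagnose_import(stderr: str) -> dict:
    """Did the secret key actually land, and was gpg-agent the reason it did not?"""
    counters = parse_import_res(stderr)
    sec_read, sec_imported = counters.get("sec_read", 0), counters.get("sec_imported", 0)
    return {
        "agent_failed": any(AGENT_ERROR.search(line) for line in stderr.splitlines()),
        "public_key_imported": counters.get("imported", 0) > 0,
        "secret_key_imported": sec_read > 0 and sec_imported == sec_read,
        "counters": counters,
    }


def preflight(gpg_binary: str = "gpg", agent_binary: str = "gpg-agent") -> dict:
    """Resolve the binaries on PATH before constructing gnupg.GPG(); None means missing."""
    return {name: shutil.which(name) for name in (gpg_binary, agent_binary)}
```

Running `preflight()` at cold start and `diagnose_import(import_result.stderr)` after `import_keys` turns the later "No agent running" decrypt failure into an explicit error at import time.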