GPG signed commits not working #976

Closed
otherguy opened this issue Dec 19, 2024 · 7 comments · Fixed by #978
Labels
bug Something isn't working

Comments

@otherguy

Describe the bug

I assumed, since it's mentioned in the documentation, that GPG signing would already be possible.

Since I'm using the ArgoCD image updater Helm chart, I added my key via a secret and imported it into the keyring via an init container.

Unfortunately, that doesn't seem to be enough and ultimately, it fails. See below for logs.

There seems to be some work in #427 but it looks abandoned

To Reproduce
Steps to reproduce the behavior:

  1. Run image updater via the Helm chart and enable the following config:
      config:
        gitCommitSignOff: true
        gitCommitSigningMethod: openpgp
        gitCommitSigningKey: XXXXXXXXXXXX
      extraEnv:
        - name: GNUPGHOME # needed, otherwise it assumes /dev/null
          value: /app/.gnupg
      volumes:
        - name: gpg-key
          secret:
            secretName: argocd-image-updater-secret
        - name: gpg-home
          emptyDir: {}
      volumeMounts:
        - name: gpg-home
          mountPath: /app/.gnupg
      initContainers:
        - name: gpg-init
          image: alpine:latest
          command:
            - /bin/sh
            - -c
            - |
              apk --update --no-cache add gpg gpg-agent
              gpg --import /root/gpg-XXXXXXXXX.asc
              chown -R 1000:1000 /root/.gnupg
              chmod -R 700 /root/.gnupg
          volumeMounts:
            - name: gpg-key
              mountPath: /root/gpg-XXXXXXXXX.asc
              subPath: gpg-E96614F7.asc
              readOnly: true
            - name: gpg-home
              mountPath: /root/.gnupg
  2. Let the image updater update any image

Expected behavior
The commit should be signed.

Version

  • Helm chart 0.11.3
  • Image Updater: 0.15.1

Logs

time="2024-12-19T11:31:45Z" level=error msg=" `git -c gpg.format=openpgp commit -a -XXXXXXXXXXXX -s -F /tmp/image-updater-commit-msg320098422` failed exit status 128: error: gpg failed to sign the data:\ngpg: error running '/usr/bin/gpg-agent': probably not installed\ngpg: failed to start gpg-agent '/usr/bin/gpg-agent': Configuration error\ngpg: can't connect to the gpg-agent: Configuration error\ngpg: keydb_search failed: No agent running\ngpg: skipped \"XXXXXXXXXXXX\": No agent running\n[GNUPG:] INV_SGNR 0 XXXXXXXXXXXX\n[GNUPG:] FAILURE sign 33554509\ngpg: signing failed: No agent running\n\nfatal: failed to write commit object"
@otherguy otherguy added the bug Something isn't working label Dec 19, 2024
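A preflight check, added here and not part of the issue or of argocd-image-updater, that an init container or readiness hook can run under the updater's GNUPGHOME and user to catch the failure mode logged above (gpg present, gpg-agent absent, key not in the keyring) before git ever tries to sign; the key id and paths are placeholders.

```shell
# Constructed preflight for OpenPGP commit signing, modelled on this issue:
# gpg is installed but gpg-agent is not, so every signing attempt ends in
# "No agent running". Returns 0 when signing works, 1 with the first failing
# check on stdout otherwise.

preflight_gpg_signing() {
  key="$1"                           # signing key id, i.e. gitCommitSigningKey (placeholder)
  home="${GNUPGHOME:-$HOME/.gnupg}"  # the issue sets GNUPGHOME; unset, the updater looked under /dev/null

  command -v gpg >/dev/null 2>&1 \
    || { echo "gpg binary not found"; return 1; }

  # gpg never signs by itself: it hands private-key operations to gpg-agent and
  # auto-starts it. With the binary missing, git commit -S fails exactly as logged.
  command -v gpg-agent >/dev/null 2>&1 \
    || { echo "gpg-agent binary not found (alpine: apk add gpg-agent)"; return 1; }

  [ -d "$home" ] \
    || { echo "GNUPGHOME $home does not exist or is not a directory"; return 1; }

  # The secret half of the key must be in this keyring, not just the public key.
  gpg --batch --list-secret-keys "$key" >/dev/null 2>&1 \
    || { echo "no secret key $key in $home"; return 1; }

  # End-to-end check: a detached signature over a byte string, which is what git -S does.
  printf 'preflight' | gpg --batch --yes --local-user "$key" --detach-sign >/dev/null 2>&1 \
    || { echo "test signature with $key failed"; return 1; }

  echo "ok: $key can sign from $home"
  return 0
}
```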
@jannfis
Contributor

jannfis commented Dec 19, 2024

Weird. It seems Alpine's gpg package doesn't contain gpg-agent anymore. Submitted #978 to fix that.

@otherguy
Author

Neat, that was fast! Thank you so much! I’m super happy and appreciative of all the renewed effort being put into Image Updater!

Do you have a release planned that contains this fix?

@jannfis
Contributor

jannfis commented Dec 20, 2024

I think we can cherry pick this PR and put out 0.15.2 pretty soon.

@chengfang are there other fixes you can think of that should go into a 0.15.2?

@chengfang
Collaborator

We can cherry-pick these fixes to 0.15.2:
#978 (this issue)
#970
#965

@chengfang
Collaborator

I've sent 3 PRs to the release-0.15 branch: #979 #980 #981, cherry-picking the above 3 issues. Please review and check if they are suitable for the upcoming 0.15.2 release.

@chengfang
Collaborator

0.15.2 was released on 2025-01-06: https://github.com/argoproj-labs/argocd-image-updater/releases

@otherguy
Author

otherguy commented Jan 7, 2025

@chengfang thank you! I can confirm that commits are now properly signed:

argocd-image-updater v0.15.2+abc0072 starting [loglevel:INFO, interval:2m0s, healthport:8080]
Loaded 2 registry configurations from /app/config/registries.conf
ArgoCD configuration: [apiKind=argocd, server=argocd-server.argocd.svc.cluster.local, auth_token=true, insecure=true, grpc_web=true, plaintext=true]
Starting health probe server TCP port=8080
Starting metrics server on TCP port=8081
Warming up image cache
Finished cache warm-up, pre-loaded 1 meta data entries from 7 registries
Starting image update cycle, considering 65 annotated application(s) for update
Processing results: applications=65 images_considered=126 images_skipped=2 images_updated=0 errors=0
Starting image update cycle, considering 65 annotated application(s) for update
Setting new image to xxx:1.21.10-beta.202501070903" alias=image application=xxx image_name=xxx image_tag=1.21.10-beta.202501010617 registry=xxx
Successfully updated image 'xxx:1.21.10-beta.202501010617' to 'xxx:1.21.10-beta.202501070903', but pending spec update (dry run=false)" alias=image application=xxx image_name=xxx image_tag=1.21.10-beta.202501010617 registry=xxx
Committing 1 parameter update(s) for application xxx" application=xxx
Initializing https://github.com/xxx/xxx to /tmp/git-xxx3707958314
[...]
"git -c gpg.format=openpgp commit -a -SXXXXXXXXXXXXX -s -F /tmp/image-updater-commit-msg335898704" dir=/tmp/git-xxx3707958314 execID=201c7
Trace args="[git -c gpg.format=openpgp commit -a -SXXXXXXXXXXXXX -s -F /tmp/image-updater-commit-msg335898704]" dir=/tmp/git-xxx3707958314 operation_name="exec git" time_ms=120.37528
"git push origin main" dir=/tmp/git-xxx3707958314 execID=5a847
Trace args="[git push origin main]" dir=/tmp/git-xxx3707958314 operation_name="exec git" time_ms=1482.797595
"Successfully updated the live application spec" application=xxx

Happy new year! 🎆
