aptly gets confused when secret key is available in gnupg2, but not in gnupg1.

[vi]

aptly publish ... started failing.

Context

strace shows that aptly publish calls gpg --version (for me gpg (GnuPG) 2.2.12 libgcrypt 1.8.4), then gpg1 --version (for me gpg (GnuPG) 1.4.23), then settles on continuing with gpg1.

Finally it comes to gpg1 -o /tmp/aptly024000720/Release.gpg --digest-algo SHA256 --armor --yes -u 0xD4...3A --detach-sign /tmp/aptly024000720/Release, which fails with gpg: signing failed: secret key not available. If I manually execute the command line, but with gpg1 changed to gpg2, then it works.

Possible Implementation

Use gpg2 / gpg when gpg1 fails with secret key not available, or at least use it by default instead of explicitly calling gpg1.

Your Environment

After updating from Debian Stretch to Debian Buster (amd64) aptly publish stopped working.

Workaround

• Uninstalling or temporarily disabling gnupg1 and gpgv1.
• Exporting the secret key from gpg2 and importing to gpg1 (not checked).

[smira]

Looks like documentation is outdated (https://www.aptly.info/doc/feature/pgp-providers/), but the story is that aptly for a long time supported only GnuPG 1, and preferred that by default. When support for different gpg providers landed, aptly still prefers gpg1 to stay compatible with older versions. If you want to use gpg2, just add gpgProvider: gpg2` to your aptly config, and aptly will stick with gpg2.

I created aptly-dev/www.aptly.info#78 to track docs update

[vi]

I tried gpgProvider: gpg2 and it said that gpg2 is not in the list of known providers (or something like that). It was on previous version although.

[smira]

It's part of the latest release, 1.4.0 https://github.com/aptly-dev/aptly/releases/tag/v1.4.0

You can get it from www.aptly.info/download/