Automated GPG Key Generation: Solving the Unattended Keygen Hanging Issue


When attempting to automate GPG key generation for CI/CD pipelines or automated deployment scripts, many developers encounter the process hanging indefinitely. The official documentation suggests using a batch file approach, but the implementation often fails silently.

The hanging typically occurs because the system lacks sufficient entropy. GPG needs random data for cryptographic operations, and when running in automated environments, there often isn't enough system entropy available.

# Check available entropy on Linux
cat /proc/sys/kernel/random/entropy_avail

Here's a robust implementation that addresses all common pitfalls:

#!/usr/bin/env bash
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME

cat <<EOF > "$GNUPGHOME"/keygen-config
%echo Generating OpenPGP key
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Automated Key
Name-Email: auto@example.com
Expire-Date: 365
Passphrase: super-secret-passphrase
%commit
%echo done
EOF

# Install haveged if not present (for entropy)
if ! command -v haveged >/dev/null; then
    sudo apt-get install -y haveged  # Debian/Ubuntu
    # sudo yum install -y haveged    # RHEL/CentOS
fi

# Generate key without interaction
gpg --batch --gen-key "$GNUPGHOME"/keygen-config

# Export keys
gpg --batch --armor --export "Automated Key" > public.key
# GnuPG 2.1+ routes secret-key export through gpg-agent, which would open a
# pinentry; loopback mode with the passphrase keeps the export non-interactive.
gpg --batch --pinentry-mode loopback --passphrase 'super-secret-passphrase' \
    --armor --export-secret-keys "Automated Key" > private.key

# Cleanup
rm -rf "$GNUPGHOME"

For systems where installing haveged isn't possible:

# Using rng-tools instead
sudo apt-get install -y rng-tools
sudo rngd -r /dev/urandom

# Probe whether /dev/random blocks (for testing only: reading from it consumes entropy rather than creating it)
dd if=/dev/random of=~/random.bin bs=1024 count=1

If the process still hangs, try these diagnostic commands:

# Check gpg-agent status
gpgconf --kill gpg-agent
gpg-connect-agent --verbose /bye

# Enable debug output (--debug-level is the documented switch, see gpg(1))
gpg --verbose --debug-level advanced --batch --gen-key keygen-config

For security-sensitive environments:

  • Always use strong passphrases (consider generating them randomly)
  • Set appropriate key expiration dates
  • Store generated keys securely (never commit to version control)
  • Consider using a dedicated key server for production environments
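The checklist above, applied to the script above as an added example that is not part of the original answer: the passphrase is generated from the kernel CSPRNG instead of being hard-coded, the key lives in a throwaway GNUPGHOME whose agent is killed on exit, the secret-key export uses loopback pinentry with a passphrase file (so the passphrase never appears on a command line), and a detached sign/verify round-trip confirms the exported pair is usable before anything is handed on. Function names, the constructed "artifact" file, and the output layout are this example's own; the 4096-bit RSA, 365-day expiry, and name/email come from the answer's parameter file. The demo at the bottom runs only when gpg is on PATH.

```shell
#!/usr/bin/env bash
# Added example (not the original answer's code): unattended key generation
# with a random passphrase, isolated GNUPGHOME, loopback export, and a
# sign/verify check. Helper names are this example's own.
set -u

# $1 length (default 32): alphanumerics from /dev/urandom; LC_ALL=C keeps tr byte-oriented.
gen_passphrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-32}"
}

# Emit a GnuPG batch parameter file on stdout.
# $1 name, $2 email, $3 passphrase, $4 key length in bits, $5 expiry in days
write_params() {
    cat <<EOF
%echo Generating OpenPGP key for $2
Key-Type: RSA
Key-Length: $4
Subkey-Type: RSA
Subkey-Length: $4
Name-Real: $1
Name-Email: $2
Expire-Date: $5
Passphrase: $3
%commit
%echo done
EOF
}

# Generate in a temporary GNUPGHOME, export both halves into $1, verify with a
# sign/verify round-trip, and print the primary key fingerprint.
generate_and_export() {
    local outdir="$1" email="auto@example.com" pass fpr
    export GNUPGHOME
    GNUPGHOME="$(mktemp -d)" || return 1
    # Stop the agent and wipe the temporary home even if a later step fails.
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

    pass="$(gen_passphrase 32)"
    printf '%s\n' "$pass" > "$GNUPGHOME/passphrase"
    write_params "Automated Key" "$email" "$pass" 4096 365 > "$GNUPGHOME/params"
    chmod 600 "$GNUPGHOME/passphrase" "$GNUPGHOME/params"   # both contain the passphrase

    gpg --batch --gen-key "$GNUPGHOME/params" || return 1

    # Fingerprint from machine-readable output (field 10 of the fpr record).
    fpr="$(gpg --batch --with-colons --list-keys "$email" | awk -F: '$1=="fpr"{print $10; exit}')"
    [ -n "$fpr" ] || return 1

    mkdir -p "$outdir"
    gpg --batch --armor --export "$fpr" > "$outdir/public.key" || return 1
    # GnuPG 2.1+ exports secret keys via the agent; loopback + passphrase file
    # keeps it non-interactive without exposing the passphrase in `ps`.
    gpg --batch --pinentry-mode loopback --passphrase-file "$GNUPGHOME/passphrase" \
        --armor --export-secret-keys "$fpr" > "$outdir/private.key" || return 1
    cp "$GNUPGHOME/passphrase" "$outdir/passphrase"
    chmod 600 "$outdir/private.key" "$outdir/passphrase"   # hand these to a secret store, not the repo

    # Round-trip on a constructed artifact: a verifying detached signature proves the pair works.
    printf 'release artifact\n' > "$outdir/artifact"
    gpg --batch --pinentry-mode loopback --passphrase-file "$GNUPGHOME/passphrase" \
        --local-user "$fpr" --detach-sign --armor "$outdir/artifact" || return 1
    gpg --batch --verify "$outdir/artifact.asc" "$outdir/artifact" 2>/dev/null || return 1
    echo "$fpr"
}

if command -v gpg >/dev/null 2>&1; then
    generate_and_export "$(mktemp -d)"
fi
```

The script deliberately avoids `set -e` so the EXIT trap always gets to kill the agent and remove the temporary home; every gpg call returns explicitly instead.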

Many developers need to automate GPG key generation for CI/CD pipelines, container builds, or testing environments. The official GnuPG documentation suggests using --batch mode with a configuration file, but as you've discovered, this doesn't always work as expected.

The hanging behavior typically occurs because:

  • The gpg-agent requires sufficient entropy (try installing haveged or rng-tools)
  • Older GPG2 versions (like 2.0.26) have known issues with batch mode
  • The key generation process might be waiting for random number generation

Here's an improved version that works reliably across most environments:

#!/bin/bash
rm -rf ~/.gnupg   # WARNING: discards any existing keyring; point GNUPGHOME at a temporary directory if that is not intended
mkdir -m 700 ~/.gnupg
gpg --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Automated Key
Name-Email: auto@example.com
Expire-Date: 0
Passphrase: super-secret-passphrase
%commit
%echo done
EOF

For more control over key generation, consider these additional parameters:

%no-protection
%transient-key
Preferences: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

If you still encounter problems:

  1. Check system entropy: cat /proc/sys/kernel/random/entropy_avail
  2. Update to GPG 2.2+ if possible
  3. Add --pinentry-mode loopback to your gpg command
  4. Set use-agent in your gpg.conf

For Docker containers or CI systems where you need immediate keys:

apt-get install -y rng-tools
rngd -r /dev/urandom
gpg --batch --generate-key config.file
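The troubleshooting list above as a pre-flight script for a container or CI job, added here as an example and not part of the original answer: it parses the `gpg --version` banner and fails below 2.2, reads `entropy_avail` against a threshold, and checks that gpg-agent can be started and answered, killing it again afterwards so the job environment stays clean. The 256-bit threshold and the function names are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not the original answer's code): pre-flight checks to run
# before an unattended `gpg --batch --generate-key`. Helper names are this
# example's own.
set -u

# Succeed if the banner ("gpg (GnuPG) 2.2.27" style) is version >= $2.$3.
# $1 first line of `gpg --version`, $2 minimum major, $3 minimum minor
gpg_version_ok() {
    local ver major minor
    ver="$(printf '%s\n' "$1" | awk '/^gpg \(GnuPG.*\) [0-9]/ {print $NF; exit}')"
    [ -n "$ver" ] || return 2                      # unrecognised banner
    major="${ver%%.*}"
    minor="${ver#*.}"; minor="${minor%%.*}"
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# Succeed if the file $1 (normally /proc/sys/kernel/random/entropy_avail)
# reports at least $2 bits. On Linux 5.6+ /dev/random no longer blocks once
# the pool is initialised, so a low value mainly matters on older kernels.
entropy_ok() {
    local avail
    [ -r "$1" ] || return 2                         # not Linux, or /proc unavailable
    avail="$(tr -dc '0-9' < "$1")"
    [ -n "$avail" ] || return 2
    [ "$avail" -ge "$2" ]
}

# Can an agent be started and answered? gpg-connect-agent autostarts it; the
# agent is killed afterwards so nothing lingers in the job.
agent_ok() {
    command -v gpg-connect-agent >/dev/null 2>&1 || return 2
    local rc
    gpg-connect-agent /bye >/dev/null 2>&1; rc=$?
    gpgconf --kill gpg-agent >/dev/null 2>&1
    return $rc
}

# Run all checks, print one line each, return 1 if anything needs attention.
preflight() {
    local rc=0 banner
    command -v gpg >/dev/null 2>&1 || { echo "FAIL gpg not installed"; return 1; }
    banner="$(gpg --version | head -n 1)"
    if gpg_version_ok "$banner" 2 2; then
        echo "ok   $banner"
    else
        echo "WARN $banner (2.2+ recommended; 2.0.x batch mode is unreliable)"; rc=1
    fi
    entropy_ok /proc/sys/kernel/random/entropy_avail 256
    case $? in
        0) echo "ok   entropy_avail >= 256" ;;
        1) echo "WARN entropy_avail < 256: install haveged or rng-tools on older kernels"; rc=1 ;;
        *) echo "skip entropy_avail not readable (non-Linux?)" ;;
    esac
    if agent_ok; then
        echo "ok   gpg-agent starts and answers"
    else
        echo "WARN gpg-agent not reachable: try gpgconf --kill gpg-agent, then gpg-connect-agent --verbose /bye"; rc=1
    fi
    return $rc
}

preflight
```

Use it as a job step before `gpg --batch --generate-key config.file`; a non-zero exit tells you which of the three usual causes to fix instead of waiting for the generation to hang.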