fix(gpg): remove --pinentry-mode loopback from key import

cdalvaro · cdalvaro · commit 307abf0d217d · 2026-06-02T16:25:32.000+02:00
loopback mode corrupts the at-rest storage of passphrase-less cv25519
secret keys under GnuPG 2.4.x: the keygrip is listed as present but
unusable for pkdecrypt, so pillar decryption fails at render time with
"Bad secret key" while the master still starts cleanly. loopback does
not bypass gpg-agent and is pointless for passphrase-less keys;
--batch --no-tty already covers the non-interactive CI case.
diff --git a/assets/runtime/functions.sh b/assets/runtime/functions.sh
@@ -556,9 +556,7 @@ function _setup_gpgkeys() {
   chmod 700 "${SALT_GPGKEYS_DIR}"
 
   local GPG_COMMON_OPTS=(
-    --no-tty
-    --batch                         # non-interactive mode
-    --pinentry-mode loopback        # do not use gpg-agent
+    --no-tty --batch # non-interactive mode
     --homedir="${SALT_GPGKEYS_DIR}"
   )
 

Original file line number	Diff line number	Diff line change
`@@ -556,9 +556,7 @@ function _setup_gpgkeys() {`
`556`	`556`	`chmod 700 "${SALT_GPGKEYS_DIR}"`
`557`	`557`
`558`	`558`	`local GPG_COMMON_OPTS=(`
`559`		`- --no-tty`
`560`		`- --batch # non-interactive mode`
`561`		`- --pinentry-mode loopback # do not use gpg-agent`
	`559`	`+ --no-tty --batch # non-interactive mode`
`562`	`560`	`--homedir="${SALT_GPGKEYS_DIR}"`
`563`	`561`	`)`
`564`	`562`