gpg --gen-key and --full-generate-key
gpg --full-generate-key creates a new OpenPGP keypair with full control over algorithm and expiry.
You rarely generate keys in CI, but tests sometimes need a throwaway key. The unattended batch form with a parameter file is the only way to do it without prompts.
What it does
gpg --gen-key runs a short interactive wizard; gpg --full-generate-key offers full control over key type, size, and expiry. With --batch and a parameter file (or here-doc), generation is fully unattended, which is what a pipeline needs.
Common usage
# unattended generation in CI via a parameter block
gpg --batch --pinentry-mode loopback --passphrase '' \
--full-generate-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Subkey-Type: ecdh
Subkey-Curve: cv25519
Name-Real: CI Test Key
Name-Email: ci@example.com
Expire-Date: 1d
%commit
EOFOptions
| Flag / parameter | What it does |
|---|---|
| --gen-key | Short interactive key wizard |
| --full-generate-key | Full interactive control over the key |
| --batch ... <params> | Unattended generation from a parameter file |
| %no-protection | Generate a key with no passphrase (tests only) |
| Expire-Date <n>d | Set expiry, e.g. 1d for a throwaway key |
| %commit | End the parameter block and create the key |
In CI
Use --batch with a parameter block for any unattended generation. Add %no-protection (or supply --passphrase) so it does not prompt. Set a short Expire-Date for throwaway test keys, and generate into an ephemeral GNUPGHOME so the key disappears with the job. Key generation needs entropy; on minimal images install rng-tools or haveged if it stalls.
Common errors in CI
"gpg: agent_genkey failed: Inappropriate ioctl for device" means it tried to prompt for a passphrase; add --pinentry-mode loopback and either --passphrase or %no-protection. Generation that hangs is usually waiting on entropy on a headless runner. "Key-Type: invalid" means a misspelled parameter in the batch block.