GNUPGHOME: An Ephemeral GnuPG Home in CI
GNUPGHOME sets the directory where GnuPG keeps keyrings, trust, and the agent socket, letting CI use a throwaway home.
A clean, ephemeral GNUPGHOME per job keeps keys from leaking across builds and avoids stale agent sockets. It must be chmod 700 or gpg complains.
What it does
GNUPGHOME overrides the default ~/.gnupg location. Pointing it at a fresh temp directory gives the job its own keyrings, owner trust, gpg.conf, and gpg-agent socket, isolated from any other user or build on the runner.
Common usage
# isolated, ephemeral GnuPG home for the job
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
echo "$GPG_PRIVATE_KEY" | gpg --batch --import
# ... sign / verify ...
gpgconf --kill gpg-agent
rm -rf "$GNUPGHOME"Options
| Setting / step | What it does |
|---|---|
| GNUPGHOME=<dir> | Where GnuPG keeps keyrings, trust, and the agent socket |
| chmod 700 "$GNUPGHOME" | Required permissions; gpg warns otherwise |
| mktemp -d | Create a unique throwaway directory |
| gpgconf --kill gpg-agent | Stop the agent before removing the home |
| rm -rf "$GNUPGHOME" | Discard all key material at job end |
In CI
Always chmod 700 the directory; GnuPG refuses to fully trust a world- or group-readable home and prints a warning. Kill the agent with gpgconf --kill gpg-agent before deleting the directory so no socket dangles. A fresh GNUPGHOME per job is the cleanest way to avoid cross-build key leakage.
Common errors in CI
"gpg: WARNING: unsafe permissions on homedir" means GNUPGHOME is not chmod 700; tighten it. "gpg: failed to create temporary file" or "can't connect to the agent" usually means the path is not writable or too long for the agent socket (keep GNUPGHOME paths short). A leftover socket from a reused directory causes "a gpg-agent is already running".