Skip to content
Latchkey

GNUPGHOME: An Ephemeral GnuPG Home in CI

GNUPGHOME sets the directory where GnuPG keeps keyrings, trust, and the agent socket, letting CI use a throwaway home.

A clean, ephemeral GNUPGHOME per job keeps keys from leaking across builds and avoids stale agent sockets. It must be chmod 700 or gpg complains.

What it does

GNUPGHOME overrides the default ~/.gnupg location. Pointing it at a fresh temp directory gives the job its own keyrings, owner trust, gpg.conf, and gpg-agent socket, isolated from any other user or build on the runner.

Common usage

Terminal
# isolated, ephemeral GnuPG home for the job
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
echo "$GPG_PRIVATE_KEY" | gpg --batch --import
# ... sign / verify ...
gpgconf --kill gpg-agent
rm -rf "$GNUPGHOME"

Options

Setting / stepWhat it does
GNUPGHOME=<dir>Where GnuPG keeps keyrings, trust, and the agent socket
chmod 700 "$GNUPGHOME"Required permissions; gpg warns otherwise
mktemp -dCreate a unique throwaway directory
gpgconf --kill gpg-agentStop the agent before removing the home
rm -rf "$GNUPGHOME"Discard all key material at job end

In CI

Always chmod 700 the directory; GnuPG refuses to fully trust a world- or group-readable home and prints a warning. Kill the agent with gpgconf --kill gpg-agent before deleting the directory so no socket dangles. A fresh GNUPGHOME per job is the cleanest way to avoid cross-build key leakage.

Common errors in CI

"gpg: WARNING: unsafe permissions on homedir" means GNUPGHOME is not chmod 700; tighten it. "gpg: failed to create temporary file" or "can't connect to the agent" usually means the path is not writable or too long for the agent socket (keep GNUPGHOME paths short). A leftover socket from a reused directory causes "a gpg-agent is already running".

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →