Package: simple-cdd
Version: 0.6.9
Severity: normal
X-Debbugs-Cc: j24...@gmail.com, j24...@gmail.com

Dear simple-cdd Authors and/or Maintainers,

When `GNUPGHOME` is not set, simple-cdd defaults it to `$PWD/tmp/gpg-keyring`; this is done in <https://salsa.debian.org/debian/simple-cdd/-/blob/e94dd3303ef9c3ae6815bb3df76355613296cd40/build-simple-cdd#L165-167>.

However, if `GNUPGHOME` is set internally like this, then it is not always passed along to all calls to `gpg` in <https://salsa.debian.org/debian/simple-cdd/-/blob/e94dd3303ef9c3ae6815bb3df76355613296cd40/simple_cdd/gnupg.py>.

For example, running `simple-cdd` in a rootless podman container where only parts of my home directory are mounted in, leaving ~ as a read-only empty directory. Because `GNUPGHOME` is not passed along in at least <https://salsa.debian.org/debian/simple-cdd/-/blob/e94dd3303ef9c3ae6815bb3df76355613296cd40/simple_cdd/gnupg.py#L82-88>, this results in the following error:

> gpg: Fatal: can't create directory '/home/jh/.gnupg': Read-only file system
> Traceback (most recent call last):
> File "/usr/bin/simple-cdd", line 674, in <module>
> scdd.read_configuration()
> File "/usr/bin/simple-cdd", line 179, in read_configuration
> verify_release_keys.extend(gnupg.list_valid_keys(keyring_file))
> File "/usr/lib/python3/dist-packages/simple_cdd/gnupg.py", line 82, in
> list_valid_keys
> keys_raw = subprocess.check_output(["gpg",
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3.11/subprocess.py", line 466, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3.11/subprocess.py", line 571, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['gpg', '--batch',
> '--no-default-keyring', '--keyring',
> '/usr/share/keyrings/debian-archive-keyring.gpg', '--list-keys',
> '--with-colons']' returned non-zero exit status 2.

I suspect the same is also true for <https://salsa.debian.org/debian/simple-cdd/-/blob/e94dd3303ef9c3ae6815bb3df76355613296cd40/simple_cdd/gnupg.py#L40>.

Thanks a lot,
Jonathan Hettwer (bauen1)

-- System Information:
Debian Release: 12.0
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: bauen1-policy
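
The failure mode reported above, as an added example that is not part of the original report and not simple-cdd's code: a keyring directory chosen inside the tool reaches a child process only if it is passed through `env=`, otherwise the child falls back to `~/.gnupg`. The helper names and `FAKE_GPG` (a stand-in child that reports the home directory it would use, so the example runs without GnuPG installed) are assumptions.

```python
import os
import subprocess
import sys
import tempfile

# Stand-in for the gpg binary (assumption): prints the home directory the
# child would use, following gpg's rule of $GNUPGHOME first, then ~/.gnupg.
FAKE_GPG = [
    sys.executable, "-c",
    "import os; print(os.environ.get('GNUPGHOME') "
    "or os.path.join(os.path.expanduser('~'), '.gnupg'))",
]


def child_env(internal_env):
    """Overlay tool-internal settings on the inherited environment."""
    env = dict(os.environ)
    env.update(internal_env)
    return env


def run_without_env(cmd):
    # The pattern from the traceback: no env=, so the child only sees
    # os.environ and never learns the internally chosen GNUPGHOME.
    return subprocess.check_output(cmd, text=True).strip()


def run_with_env(cmd, internal_env):
    # Every gpg call gets the same explicit environment.
    return subprocess.check_output(
        cmd, env=child_env(internal_env), text=True).strip()


def demo():
    """Return (home seen without env=, home seen with env=, intended home)."""
    saved = os.environ.pop("GNUPGHOME", None)  # reproduce "GNUPGHOME not set"
    try:
        with tempfile.TemporaryDirectory() as work:
            home = os.path.join(work, "tmp", "gpg-keyring")
            os.makedirs(home, mode=0o700)  # private keyring directory
            internal = {"GNUPGHOME": home}
            return (run_without_env(FAKE_GPG),
                    run_with_env(FAKE_GPG, internal), home)
    finally:
        if saved is not None:
            os.environ["GNUPGHOME"] = saved


if __name__ == "__main__":
    print(demo())
```
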