
NixOS live USB: GPG Error: No pinentry

Open · catleeball opened this issue 4 years ago • 1 comment

When using the .nix config in the README to make a live USB, it looks like GPG fails on most interactive commands with GPG Error: No pinentry.

It looks like this issue might be from NixOS disabling pinentry by default more recently:

  • https://github.com/NixOS/nixpkgs/commit/3d832dee59ed0338db4afb83b4c481a062163771

With further discussion in:

  • https://github.com/NixOS/nixpkgs/issues/72597
  • https://discourse.nixos.org/t/updated-after-3-week-vacation-gnupg-says-no-pinentry/4731
  • https://discourse.nixos.org/t/how-to-make-gpg-use-the-agent-from-programs-gnupg-agent/11834

When I tried earlier, restarting the GPG agent didn't seem to help, but someone in the above discussion pointed to this commit that works around the issue in their Nix config:

  • https://github.com/jtojnar/nixfiles/commit/ebd6118dccf5762955aff75b6033fc142d282ae8

I haven't tested that yet, but will a little later today probably. I'll send a PR if I get things working. 🙂 I'm pretty new to NixOS though, so if an onlooker knows better than me, feel free to write a PR yourself or comment here with your feedback.

P.S. thanks for the great guide, @drduh !

catleeball avatar Aug 20 '21 22:08 catleeball

A bit of a late response.

If you are doing this manually, you can check the location of the pinentry program with:

which pinentry-curses

and then add it as pinentry-program in $GNUPGHOME/gpg-agent.conf.

You should be able to add something like this to your config:

# yubikey-installer.nix
{ nixpkgs ? <nixpkgs>, system ? "x86_64-linux" } :

let
  config = { pkgs, ... }: with pkgs;
  let
    gpg-agent-conf = pkgs.writeText "gpg-agent.conf" ''
      pinentry-program ${pkgs.pinentry-curses}/bin/pinentry-curses
    '';
  in {
    imports = [ <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix> ];

    boot.kernelPackages = linuxPackages_latest;

    services.pcscd.enable = true;
    services.udev.packages = [ yubikey-personalization ];

    environment.systemPackages = [ gnupg pinentry-curses pinentry-qt paperkey wget ];

    programs = {
      ssh.startAgent = false;
      gnupg.agent = {
        enable = true;
        enableSSHSupport = true;
      };
    };

    environment.interactiveShellInit = ''
      unset HISTFILE
      export GNUPGHOME=/run/user/$(id -u)/gnupg
      [ -d $GNUPGHOME ] || install -m 0700 -d $GNUPGHOME
      cp ${gpg-agent-conf}  $GNUPGHOME/gpg-agent.conf
      echo "\$GNUPGHOME is $GNUPGHOME"
    '';
  };

  evalNixos = configuration: import <nixpkgs/nixos> {
    inherit system configuration;
  };

in {
  iso = (evalNixos config).config.system.build.isoImage;
}

You can automate more parts of the setup as seen here:

  • https://github.com/dhess/nixos-yubikey
  • (or my personal one) https://github.com/terlar/nix-config/blob/main/nixos/installer/yubikey/default.nix

terlar avatar Apr 11 '22 21:04 terlar
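For the manual route terlar describes (find the pinentry binary with which, then point pinentry-program in $GNUPGHOME/gpg-agent.conf at it), here is an added POSIX shell example that is not from the issue or from the YubiKey-Guide project. It checks whether the configured pinentry-program actually exists and is executable (a stale path gives the same "No pinentry" failure as a missing line), and only rewrites that one line, keeping other agent options. The function names, the candidate list and the temporary paths used in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the issue or the YubiKey-Guide project).
# Assumes POSIX sh and that the caller passes the path of the gpg-agent.conf
# to repair, normally "$GNUPGHOME/gpg-agent.conf".

# Print the pinentry-program currently set in the given gpg-agent.conf
# (last occurrence wins, as gpg-agent does), or nothing if unset or no file.
configured_pinentry() {
    conf="$1"
    [ -f "$conf" ] || return 0
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}\(.*\)$/\1/p' "$conf" | tail -n 1
}

# Succeed only if the configured pinentry exists and is executable.
pinentry_ok() {
    p="$(configured_pinentry "$1")"
    [ -n "$p" ] && [ -x "$p" ]
}

# Set pinentry-program in the conf to the given binary, creating the
# directory with 0700 permissions and keeping every other option intact.
set_pinentry() {
    conf="$1"; bin="$2"
    dir="$(dirname "$conf")"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    if [ -f "$conf" ]; then
        # grep -v exits 1 when nothing is left; that is fine here.
        grep -v '^[[:space:]]*pinentry-program[[:space:]]' "$conf" > "$conf.tmp" || true
        mv "$conf.tmp" "$conf"
    fi
    printf 'pinentry-program %s\n' "$bin" >> "$conf"
}

# Make sure the conf points at a working pinentry. Keeps a valid existing
# setting; otherwise tries the candidate program names in order (looked up
# on PATH, which is what "which pinentry-curses" does) and prints the chosen path.
ensure_pinentry() {
    conf="$1"; shift
    if pinentry_ok "$conf"; then
        configured_pinentry "$conf"
        return 0
    fi
    for name in "$@"; do
        bin="$(command -v "$name" 2>/dev/null)" || continue
        [ -x "$bin" ] || continue
        set_pinentry "$conf" "$bin"
        echo "$bin"
        return 0
    done
    echo "no usable pinentry found among: $*" >&2
    return 1
}

# Usage in a live session (candidate names are assumptions for this example),
# followed by a reload so the running agent picks up the new setting:
#   ensure_pinentry "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" pinentry-curses pinentry-qt pinentry
#   gpg-connect-agent reloadagent /bye
```

After changing gpg-agent.conf the running agent still has the old setting, so reload it with gpg-connect-agent reloadagent /bye (or gpgconf --kill gpg-agent) before retrying the interactive command; on the live USB the NixOS snippet above avoids the problem entirely by writing the file with the store path of pinentry-curses on every shell start.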

Let us know if you still have trouble after the recent update.

drduh avatar Dec 26 '22 18:12 drduh