
gpg-agent: fix sockets on darwin

Open aymanbagabas opened this issue 1 year ago • 6 comments

Description

This fixes a couple of issues with https://github.com/nix-community/home-manager/pull/5786 and https://github.com/nix-community/home-manager/issues/3864 that uses launchd on darwin to start the gpg-agent daemon and its sockets. In particular, the issues outlined by @cmacrae.

  1. Always export $SSH_AUTH_SOCK when using gpg-agent as ssh agent.
  2. Use canonical socket paths on darwin
  3. Replace deprecated --supervised option with --daemon using gpgconf --launch on darwin
  4. Add default-homedir gpg-agent darwin test

Fixes: https://github.com/nix-community/home-manager/issues/3864

Checklist

  • [x] Change is backwards compatible.

  • [x] Code formatted with ./format.

  • [x] Code tested through nix-shell --pure tests -A run.all or nix develop --ignore-environment .#all using Flakes.

  • [x] Test cases updated/added. See example.

  • [x] Commit messages are formatted like

    {component}: {description}
    
    {long description}
    

    See CONTRIBUTING for more information and recent commit messages for examples.

  • If this PR adds a new module

    • [ ] Added myself as module maintainer. See example.

Maintainer CC

@rycee

aymanbagabas avatar Sep 27 '24 12:09 aymanbagabas
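A shell-init fragment in the spirit of items 1 to 3 of this PR, added here as an illustration and not code from home-manager or this PR: it reads the canonical socket path from `gpgconf --list-dirs`, exports `SSH_AUTH_SOCK` from it, and starts the agent with `gpgconf --launch gpg-agent` instead of the deprecated `--supervised` mode. The helper names and the sample gpgconf output are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not home-manager's own code). Assumes gnupg >= 2.1 so that
# `gpgconf --list-dirs` prints key:value lines and `gpgconf --launch` exists.

# Pick one entry out of `gpgconf --list-dirs` output read from stdin.
# $1 = key name, e.g. agent-ssh-socket. Prints the value, or nothing.
gpgconf_dir() {
    awk -F: -v key="$1" '$1 == key { print $2; exit }'
}

# Decide whether SSH_AUTH_SOCK must be (re)exported.
# $1 = current SSH_AUTH_SOCK (may be empty), $2 = canonical agent ssh socket.
# Prints the value to export, or nothing when it is already correct.
ssh_auth_sock_for() {
    if [ "$1" != "$2" ]; then
        printf '%s\n' "$2"
    fi
}

# The init step itself. Returns 0 quietly when gpgconf is not installed,
# 1 when the socket path cannot be determined or the agent did not come up.
setup_gpg_ssh_agent() {
    command -v gpgconf >/dev/null 2>&1 || return 0
    sock=$(gpgconf --list-dirs | gpgconf_dir agent-ssh-socket)
    [ -n "$sock" ] || return 1
    new=$(ssh_auth_sock_for "${SSH_AUTH_SOCK:-}" "$sock")
    if [ -n "$new" ]; then
        SSH_AUTH_SOCK=$new
        export SSH_AUTH_SOCK
    fi
    # Let gpgconf start (or reuse) the agent rather than a --supervised unit.
    gpgconf --launch gpg-agent
    # Sanity check: the canonical path must now be a live unix socket.
    if [ ! -S "$sock" ]; then
        echo "gpg-agent ssh socket missing at $sock" >&2
        return 1
    fi
    return 0
}
```

Call `setup_gpg_ssh_agent` from the shell's init file; the two helpers are separated out so the socket-path handling can be checked without a running agent.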

Upstream gnupg has deprecated both --supervised flag and having gpg-agent run under a service file (https://dev.gnupg.org/T6336#166815).

I suggest we remove both systemd unit and launchd service here, and attempt to start gpg-agent in user shell's init script.

Additional context: https://github.com/NixOS/nixpkgs/issues/213794

folliehiyuki avatar Oct 30 '24 18:10 folliehiyuki

What about linux (not darwin)? We have the same problems with gnupg; gnupg from the following configuration fails:

    nixpkgs.config.allowUnfree = true;
    services.pcscd.enable = true;
    programs.gnupg.agent = {
      enable = true;
      pinentryPackage = pkgs.pinentry-curses;
      enableSSHSupport = true;
    };
    environment.systemPackages = with pkgs; [
      git
      rage
      pass # https://search.nixos.org/packages?show=pass
      gnupg
      pinentry-curses
    ];

gpg-agent fails with:

    systemctl --user status gpg-agent
    gpg-agent.service - GnuPG cryptographic agent and passphrase cache
         Loaded: loaded (/etc/systemd/user/gpg-agent.service; static)
         Active: failed (Result: exit-code) since Mon 2024-12-30 14:52:46 +08; 1s ago
       Duration: 129ms
     Invocation: 7243f6c768394cdf9b8a8300f64a1f5b
    TriggeredBy: ○ gpg-agent.socket
                 ○ gpg-agent-ssh.socket
           Docs: man:gpg-agent(1)
        Process: 19788 ExecStart=/nix/store/dx8wj5rcjvgbakxh4prx3jwkkf5vhj4z-gnupg-2.4.5/bin/gpg-agent --supervised (code=exited, status=2)
       Main PID: 19788 (code=exited, status=2)
       Mem peak: 1.6M
            CPU: 34ms

    дек 30 14:52:46 Aspire systemd[1082]: Started GnuPG cryptographic agent and passphrase cache.
    дек 30 14:52:46 Aspire gpg-agent[19788]: gpg-agent[19788]: WARNING: "--supervised" is a deprecated option
    дек 30 14:52:46 Aspire gpg-agent[19788]: gpg-agent (GnuPG) 2.4.5 starting in supervised mode.
    дек 30 14:52:46 Aspire gpg-agent[19788]: no LISTEN_PID environment variable found in --supervised mode (ignoring)
    дек 30 14:52:46 Aspire gpg-agent[19788]: no LISTEN_FDS or LISTEN_FDNAMES environment variables found in --supervised mode (assuming 1 active descriptor)
    дек 30 14:52:46 Aspire gpg-agent[19788]: Fatal: file descriptor 3 must be valid in --supervised mode if LISTEN_FDNAMES is not set
    дек 30 14:52:46 Aspire systemd[1082]: gpg-agent.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
    дек 30 14:52:46 Aspire systemd[1082]: gpg-agent.service: Failed with result 'exit-code'.

So gpg --full-generate-key also fails with "No pinentry".

AlexeiKharchev avatar Dec 30 '24 07:12 AlexeiKharchev

so while @folliehiyuki is correct & upstream has deprecated init-based supervision[^1], it looks like both the nixpkgs gnupg module & other distros such as Arch are going to step in and maintain their own service & socket definitions.

~~fwiw, I extended my config with changes roughly along the lines of this module & everything appears to work as expected; if upstream nixpkgs & other distributions are maintaining their own supervised gpg-agent services, it doesn't seem unreasonable for home-manager to provide one as well.~~

EDIT: spoke too soon, looks like something about the launchd socket setup doesn't work correctly & it locks up...

[^1]: some additional context on the commit: https://dev.gnupg.org/rGeae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed

jkachmar avatar Jan 06 '25 22:01 jkachmar

Any news here guys? Come from here: https://github.com/nix-community/home-manager/issues/5997

r4v3n6101 avatar Feb 03 '25 21:02 r4v3n6101

EDIT: spoke too soon, looks like something about the launchd socket setup doesn't work correctly & it locks up...

Reached the same conclusion :/ Need to investigate this more.

aymanbagabas avatar Feb 03 '25 21:02 aymanbagabas

Thank you for your contribution! I marked this pull request as stale due to inactivity. Please read the relevant sections below before commenting.

If you are the original author of the PR

  • GitHub sometimes doesn't notify people who commented / reviewed a PR previously when you (force) push commits. If you have addressed the reviews you can officially ask for a review from those who commented to you or anyone else.
  • If it is unfinished but you plan to finish it, please mark it as a draft.
  • If you don't expect to work on it any time soon, please consider closing it with a short comment encouraging someone else to pick up your work.
  • To get things rolling again, rebase the PR against the target branch and address valid comments.
If you are not the original author of the PR

  • If you want to pick up the work on this PR, please create a new PR and indicate that it supersedes and closes this PR.

stale[bot] avatar Jun 13 '25 06:06 stale[bot]