bug: programs.gpg.settings should never have default algo SHA512 #5383

Open
2 tasks done
Cryolitia opened this issue May 7, 2024 · 2 comments · May be fixed by #5386
bug triage Issues or feature request that have not been triaged yet


Cryolitia commented May 7, 2024

Are you following the right branch?

  • My Nixpkgs and Home Manager versions are in sync

Is there an existing issue for this?

  • I have searched the existing issues

Issue description

When enabling programs.gpg.enable, this module will have a set of even hidden settings:

```nix
programs.gpg.settings = {
  personal-cipher-preferences = mkDefault "AES256 AES192 AES";
  personal-digest-preferences = mkDefault "SHA512 SHA384 SHA256";
  personal-compress-preferences = mkDefault "ZLIB BZIP2 ZIP Uncompressed";
  default-preference-list = mkDefault
    "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
  cert-digest-algo = mkDefault "SHA512";
  s2k-digest-algo = mkDefault "SHA512";
  s2k-cipher-algo = mkDefault "AES256";
  charset = mkDefault "utf-8";
  fixed-list-mode = mkDefault true;
  no-comments = mkDefault true;
  no-emit-version = mkDefault true;
  keyid-format = mkDefault "0xlong";
  list-options = mkDefault "show-uid-validity";
  verify-options = mkDefault "show-uid-validity";
  with-fingerprint = mkDefault true;
  require-cross-certification = mkDefault true;
  no-symkey-cache = mkDefault true;
  use-agent = mkDefault true;
};
```

Even these settings are not documented:

```nix
settings = mkOption {
  type =
    types.attrsOf (types.either primitiveType (types.listOf types.str));
  example = literalExpression ''
    {
      no-comments = false;
      s2k-cipher-algo = "AES128";
    }
  '';
  description = ''
    GnuPG configuration options. Available options are described
    in
    [
    {manpage}`gpg(1)`
    ](https://gnupg.org/documentation/manpage.html).
    Note that lists are converted to duplicate keys.
  '';
};
```

The algo SHA512 in the hidden settings is hardly supported by almost all hardware TPMs, including my AMD Ryzen 7840U. This will immediately cause a gpg signing fault that is hard to find out.

We should never provide default settings, but leave it to gpg itself.

Related: https://lists.gnupg.org/pipermail/gnupg-devel/2021-December/035018.html

Maintainer CC

No maintainer, CC blame: @offlinehacker

System information

- system: `"x86_64-linux"`
- host os: `Linux 6.8.6-zen1, NixOS, 24.05 (Uakari), 24.05.20240505.25865a4`
- multi-user?: `yes`
- sandbox: `yes`
- version: `nix-env (Nix) 2.18.2`
- channels(root): `"nixos, nixpkgs"`
- nixpkgs: `/home/cryolitia/.nix-defexpr/channels/nixpkgs`
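Because every hidden entry above is assigned with mkDefault, a plain assignment in the user's own Home Manager configuration takes priority over it. The following is an added example, not code from the issue or from Home Manager, showing how to pin the digest-related options to something other than SHA512 until the module stops injecting them; the choice of SHA256 is an assumption about what the local signing hardware accepts, not something the issue confirms for any particular TPM.

```nix
# Added example (not from the issue or from Home Manager).
# Home Manager's gpg module sets its hidden entries with lib.mkDefault
# (priority 1000); an ordinary assignment (priority 100) overrides them.
{ config, lib, pkgs, ... }:

{
  programs.gpg = {
    enable = true;
    settings = {
      # The four options whose hidden defaults name SHA512.
      # "SHA256" is an assumption: use the digest your hardware supports.
      cert-digest-algo = "SHA256";
      s2k-digest-algo = "SHA256";
      personal-digest-preferences = "SHA256 SHA384 SHA512";
      default-preference-list =
        "SHA256 SHA384 SHA512 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
    };
  };
}
```

After `home-manager switch`, the rendered `~/.gnupg/gpg.conf` carries these values; `gpg --version` lists the hash names the local build accepts so the assumption can be checked.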
@Cryolitia Cryolitia added bug triage Issues or feature request that have not been triaged yet labels May 7, 2024
@Cryolitia Cryolitia reopened this May 7, 2024

rycee commented May 7, 2024

Thanks for opening the issue. I'm inclined to agree. I assume that the GnuPG upstream defaults are well chosen nowadays, so well worth revisiting.

Cryolitia added a commit to Cryolitia/home-manager that referenced this issue May 8, 2024

Cryolitia commented May 8, 2024

I have opened a PR for it and more ^_^ #5386
