
services.xserver.startGnuPGAgent: remove obsolete NixOS option

GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no
longer requires (or even supports) the "start everything as a child of the
agent" scheme we've implemented in NixOS for older versions.

To configure the gpg-agent for your X session, add the following code to
~/.xsession or some other appropriate place that's sourced at start-up:

    gpg-connect-agent /bye
    export GPG_TTY

If you want to use gpg-agent for SSH, too, also add the settings

    unset SSH_AGENT_PID
    export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"

and make sure that


is included in your ~/.gnupg/gpg-agent.conf.

The gpg-agent(1) man page has more details about this subject, e.g. in the
"EXAMPLES" section.
peti committed Mar 18, 2016
1 parent 9c10ac9 commit 5391882ebd781149e213e8817fba6ac3c503740c
@@ -37,7 +37,6 @@ with lib;
services.openssh.enable = false;
services.lshd.enable = true;
programs.ssh.startAgent = false;
services.xserver.startGnuPGAgent = true;

# TODO: GNU dico.
# TODO: GNU Inetutils' inetd.
@@ -111,6 +111,7 @@ with lib;
(mkRemovedOptionModule [ "services" "openvpn" "enable" ])
(mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ])
(mkRemovedOptionModule [ "services" "printing" "cupsdConf" ])
(mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ])
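Review bot: The new entry at line 43 turns an existing `services.xserver.startGnuPGAgent = true` into an evaluation error, but the error points users nowhere: the migration steps (`gpg-connect-agent /bye`, the `SSH_AUTH_SOCK` export, and `enable-ssh-support` in gpg-agent.conf, which replaces the `--enable-ssh-support` flag the removed sessionCommands passed) exist only in this commit message. Users who kept `programs.ssh.startAgent = false` and relied on the GnuPG agent for SSH, as in the first hunk, are left at login with no agent and no socket until they find that message. If the `mkRemovedOptionModule` in this tree accepts a replacement-instructions argument, pass a one-line pointer to those steps; if it does not, a release-notes entry for this removal is the place to put them. The enclosing list begins and ends outside the hunk.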

@@ -49,17 +49,6 @@ let
${optionalString cfg.startGnuPGAgent ''
if test -z "$SSH_AUTH_SOCK"; then
# Restart this script as a child of the GnuPG agent.
exec "${pkgs.gnupg}/bin/gpg-agent" \
--enable-ssh-support --daemon \
--pinentry-program "${pkgs.pinentry}/bin/pinentry-gtk-2" \
--write-env-file "$HOME/.gpg-agent-info" \
"$0" "$sessionType"
# Handle being called by kdm.
if test "''${1:0:1}" = /; then eval exec "$1"; fi
@@ -219,17 +219,6 @@ in

startGnuPGAgent = mkOption {
type = types.bool;
default = false;
description = ''
Whether to start the GnuPG agent when you log in. The GnuPG agent
remembers private keys for you so that you don't have to type in
passphrases every time you make an SSH connection or sign/encrypt
data. Use <command>ssh-add</command> to add a key to the agent.

startDbusSession = mkOption {
type = types.bool;
default = true;
@@ -444,14 +433,7 @@ in
in optional (driver != null) ({ inherit name; driverName = name; } // driver));

assertions =
[ { assertion = !(config.programs.ssh.startAgent && cfg.startGnuPGAgent);
message =
The OpenSSH agent and GnuPG agent cannot be started both. Please
choose between ‘programs.ssh.startAgent’ and ‘services.xserver.startGnuPGAgent’.
{ assertion =;
[ { assertion =;
message = "X11 requires Polkit to be enabled (‘security.polkit.enable = true’).";

4 comments on commit 5391882




@jagajaga jagajaga replied Mar 26, 2016

That was a very useful option.




@sternenseemann sternenseemann replied Mar 27, 2016

Wouldn't it be possible to add an option to add the commands to displayManager.sessionCommands?




@sternenseemann sternenseemann replied Mar 27, 2016

Okay that does not work :\




@cstrahan cstrahan replied Oct 1, 2016

Note that gpg 2.1.13 changed the directory for IPC sockets, so you'd need something like this instead:

export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
