
services.xserver.startGnuPGAgent: remove obsolete NixOS option

GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no
longer requires (or even supports) the "start everything as a child of the
agent" scheme we've implemented in NixOS for older versions.

To configure the gpg-agent for your X session, add the following code to
~/.xsession or some other appropriate place that's sourced at start-up:

    gpg-connect-agent /bye
    GPG_TTY=$(tty)
    export GPG_TTY

If you want to use gpg-agent for SSH, too, also add the settings

    unset SSH_AGENT_PID
    export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"

and make sure that

    enable-ssh-support

is included in your ~/.gnupg/gpg-agent.conf.

The gpg-agent(1) man page has more details about this subject, in particular in the
"EXAMPLES" section.
1 parent 9c10ac9 commit 5391882ebd781149e213e8817fba6ac3c503740c @peti peti committed Mar 18, 2016
@@ -37,7 +37,6 @@ with lib;
services.openssh.enable = false;
services.lshd.enable = true;
programs.ssh.startAgent = false;
- services.xserver.startGnuPGAgent = true;
# TODO: GNU dico.
# TODO: GNU Inetutils' inetd.
@@ -111,6 +111,7 @@ with lib;
(mkRemovedOptionModule [ "services" "openvpn" "enable" ])
(mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ])
(mkRemovedOptionModule [ "services" "printing" "cupsdConf" ])
+ (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ])
];
}
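Review bot: The removed-option entry on the added line gives a user who still sets services.xserver.startGnuPGAgent no pointer to the replacement setup; mkRemovedOptionModule, as called on the neighbouring lines, takes only the option path, so the evaluation error names the option and nothing else. The migration steps (gpg-connect-agent /bye, GPG_TTY, SSH_AUTH_SOCK, enable-ssh-support) exist only in the commit message, which is not visible at evaluation time. Consider recording them in the release notes for this NixOS version, or at least adding a one-line comment next to the entry such as `# gpg-agent is no longer started by the X session; see gpg-agent(1), EXAMPLES section`. The enclosing list starts outside the hunk.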
@@ -49,17 +49,6 @@ let
fi
''}
- ${optionalString cfg.startGnuPGAgent ''
- if test -z "$SSH_AUTH_SOCK"; then
- # Restart this script as a child of the GnuPG agent.
- exec "${pkgs.gnupg}/bin/gpg-agent" \
- --enable-ssh-support --daemon \
- --pinentry-program "${pkgs.pinentry}/bin/pinentry-gtk-2" \
- --write-env-file "$HOME/.gpg-agent-info" \
- "$0" "$sessionType"
- fi
- ''}
-
# Handle being called by kdm.
if test "''${1:0:1}" = /; then eval exec "$1"; fi
@@ -219,17 +219,6 @@ in
'';
};
- startGnuPGAgent = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether to start the GnuPG agent when you log in. The GnuPG agent
- remembers private keys for you so that you don't have to type in
- passphrases every time you make an SSH connection or sign/encrypt
- data. Use <command>ssh-add</command> to add a key to the agent.
- '';
- };
-
startDbusSession = mkOption {
type = types.bool;
default = true;
@@ -444,14 +433,7 @@ in
in optional (driver != null) ({ inherit name; driverName = name; } // driver));
assertions =
- [ { assertion = !(config.programs.ssh.startAgent && cfg.startGnuPGAgent);
- message =
- ''
- The OpenSSH agent and GnuPG agent cannot be started both. Please
- choose between ‘programs.ssh.startAgent’ and ‘services.xserver.startGnuPGAgent’.
- '';
- }
- { assertion = config.security.polkit.enable;
+ [ { assertion = config.security.polkit.enable;
message = "X11 requires Polkit to be enabled (‘security.polkit.enable = true’).";
}
];

4 comments on commit 5391882

@jagajaga
Member

That was a very useful option..

@sternenseemann
Contributor

Wouldn't it be possible to add an option to add the commands to displayManager.sessionCommands?

@sternenseemann
Contributor

Okay that does not work :\

@cstrahan
Contributor

Note that gpg 2.1.13 changed the directory for IPC sockets, so you'd need something like this instead:

export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"

https://lists.gnupg.org/pipermail/gnupg-announce/2016q2/000390.html
