
services.xserver.startGnuPGAgent: remove obsolete NixOS option

GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no
longer requires (or even supports) the "start everything as a child of the
agent" scheme we've implemented in NixOS for older versions.

To configure the gpg-agent for your X session, add the following code to
~/.xsession or some other appropriate place that's sourced at start-up:

    gpg-connect-agent /bye
    GPG_TTY=$(tty)
    export GPG_TTY

If you want to use gpg-agent for SSH, too, also add the settings

    unset SSH_AGENT_PID
    export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"

and make sure that

    enable-ssh-support

is included in your ~/.gnupg/gpg-agent.conf.

The gpg-agent(1) man page has more details on this subject; see in particular its
"EXAMPLES" section.
peti committed Mar 18, 2016
1 parent 9c10ac9 commit 5391882ebd781149e213e8817fba6ac3c503740c
@@ -37,7 +37,6 @@ with lib;
services.openssh.enable = false;
services.lshd.enable = true;
programs.ssh.startAgent = false;
services.xserver.startGnuPGAgent = true;
# TODO: GNU dico.
# TODO: GNU Inetutils' inetd.
@@ -111,6 +111,7 @@ with lib;
(mkRemovedOptionModule [ "services" "openvpn" "enable" ])
(mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ])
(mkRemovedOptionModule [ "services" "printing" "cupsdConf" ])
(mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ])
];
}
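Review bot: The migration steps for `services.xserver.startGnuPGAgent` exist only in the commit message, so the `mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ]` entry added here will make existing configurations fail evaluation without telling the user what to do instead; if the helper can carry a replacement hint it should point at the `gpg-connect-agent /bye` / `SSH_AUTH_SOCK` recipe, and otherwise that recipe belongs in the release notes. The same gap matters for the hunk at `-444,14 +433,7`: dropping the option also drops the assertion that refused `programs.ssh.startAgent` together with the GnuPG agent, so a user who follows the recipe while `startAgent` is still true ends up with two agents competing for `SSH_AUTH_SOCK`, with whichever export runs last silently winning. A sentence in the migration text saying to set `programs.ssh.startAgent = false` when routing SSH through gpg-agent would close that. The enclosing `imports` list starts outside this hunk.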
@@ -49,17 +49,6 @@ let
fi
''}
${optionalString cfg.startGnuPGAgent ''
if test -z "$SSH_AUTH_SOCK"; then
# Restart this script as a child of the GnuPG agent.
exec "${pkgs.gnupg}/bin/gpg-agent" \
--enable-ssh-support --daemon \
--pinentry-program "${pkgs.pinentry}/bin/pinentry-gtk-2" \
--write-env-file "$HOME/.gpg-agent-info" \
"$0" "$sessionType"
fi
''}
# Handle being called by kdm.
if test "''${1:0:1}" = /; then eval exec "$1"; fi
@@ -219,17 +219,6 @@ in
'';
};
startGnuPGAgent = mkOption {
type = types.bool;
default = false;
description = ''
Whether to start the GnuPG agent when you log in. The GnuPG agent
remembers private keys for you so that you don't have to type in
passphrases every time you make an SSH connection or sign/encrypt
data. Use <command>ssh-add</command> to add a key to the agent.
'';
};
startDbusSession = mkOption {
type = types.bool;
default = true;
@@ -444,14 +433,7 @@ in
in optional (driver != null) ({ inherit name; driverName = name; } // driver));
assertions =
[ { assertion = !(config.programs.ssh.startAgent && cfg.startGnuPGAgent);
message =
''
The OpenSSH agent and GnuPG agent cannot be started both. Please
choose between ‘programs.ssh.startAgent’ and ‘services.xserver.startGnuPGAgent’.
'';
}
{ assertion = config.security.polkit.enable;
[ { assertion = config.security.polkit.enable;
message = "X11 requires Polkit to be enabled (‘security.polkit.enable = true’).";
}
];

4 comments on commit 5391882

@jagajaga

@jagajaga

jagajaga Mar 26, 2016

Member

That was a very useful option..

Member

jagajaga replied Mar 26, 2016

That was a very useful option..

@sternenseemann

@sternenseemann

sternenseemann Mar 27, 2016

Contributor

Wouldn't it be possible to add an option to add the commands to displayManager.sessionCommands?

Contributor

sternenseemann replied Mar 27, 2016

Wouldn't it be possible to add an option to add the commands to displayManager.sessionCommands?

@sternenseemann

@sternenseemann

sternenseemann Mar 27, 2016

Contributor

Okay that does not work :\

Contributor

sternenseemann replied Mar 27, 2016

Okay that does not work :\

@cstrahan

@cstrahan

cstrahan Oct 1, 2016

Contributor

Note that gpg 2.1.13 changed the directory for IPC sockets, so you'd need something like this instead:

export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"

https://lists.gnupg.org/pipermail/gnupg-announce/2016q2/000390.html

Contributor

cstrahan replied Oct 1, 2016

Note that gpg 2.1.13 changed the directory for IPC sockets, so you'd need something like this instead:

export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"

https://lists.gnupg.org/pipermail/gnupg-announce/2016q2/000390.html
