Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Split pinentry flavours and enable udisks2 on install media again #49270

Closed
wants to merge 4 commits into from
Closed

Split pinentry flavours and enable udisks2 on install media again #49270

wants to merge 4 commits into from

Conversation

fpletz
Copy link
Member

@fpletz fpletz commented Oct 27, 2018
edited

Motivation for this change

Due to the udisks2 update in #41723 its closure size exploded and was subsequently disabled on installation media. This PR refactors the pinentry derivation to be able to split out the different flavours and adds a NixOS option to select the desired flavour with a sensible fallback depending on the configured desktop environment.

Also this disables GUI support in GnuPG by default to resolve the dependency cycle in gcr. This way we won't have two versions of GnuPG in all systems closures that include gcr (i.e. due to udisks2).

Finally, we can enable udisks2 on install mediums again.

Everything except the breaking GnuPG change can and should be backported to 18.03 imho.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@fpletz fpletz added this to the 19.03 milestone Oct 27, 2018
@fpletz fpletz mentioned this pull request Oct 27, 2018
Merged
8 tasks
@fpletz fpletz changed the title Split pinentry flavours and enable udisks2 on install mediums again Split pinentry flavours and enable udisks2 on install media again Oct 27, 2018
@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: gnupg, pinentry

Partial log (click to expand)

checking for references to /build in /nix/store/9fngglrik447154ij4aiz2wg47y15h6z-pinentry-1.1.0-gnome3...
shrinking RPATHs of ELF executables and libraries in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs
shrinking /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs/bin/pinentry-emacs
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs/bin
patching script interpreter paths in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs
checking for references to /build in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs...
postPatchMkspecs
/nix/store/ma2ns8m274f84ic9i2w2rdn0d4n04qzh-gnupg-2.2.10
/nix/store/bcm7g5xs9g4pikdjq50miiczhywq8m8r-pinentry-1.1.0

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: gnupg, pinentry

Partial log (click to expand)

checking for references to /build in /nix/store/qih13s7bkzxli6y0m16dnrhdr5lr1rjz-pinentry-1.1.0-gnome3...
shrinking RPATHs of ELF executables and libraries in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs
shrinking /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs/bin/pinentry-emacs
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs/bin
patching script interpreter paths in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs
checking for references to /build in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs...
postPatchMkspecs
/nix/store/m93misi8xklnnz6p5r231r9vyzyz9m7x-gnupg-2.2.10
/nix/store/5yb8czmnxvm8jb5x9dk8z95ah0cv2d1n-pinentry-1.1.0

@GrahamcOfBorg
Copy link

Success on x86_64-darwin (full log)

Attempted: gnupg

The following builds were skipped because they don't evaluate on x86_64-darwin: pinentry

Partial log (click to expand)

make[1]: Leaving directory '/private/tmp/nix-build-gnupg-2.2.10.drv-0/gnupg-2.2.10'
post-installation fixup
gzipping man pages under /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/share/man/
strip is /nix/store/g5r4apl0za012ffs6ladinwa5w0m1l3k-cctools-binutils-darwin/bin/strip
stripping (with command strip and flags -S) in /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/lib  /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/libexec  /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/bin  /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/sbin
patching script interpreter paths in /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10
/nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/sbin/addgnupghome: interpreter directive changed from "/bin/sh" to "/nix/store/n9hba031gjky8hpjgx9fnlaxhidyzxbz-bash-4.4-p23/bin/sh"
/nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/sbin/applygnupgdefaults: interpreter directive changed from "/bin/sh" to "/nix/store/n9hba031gjky8hpjgx9fnlaxhidyzxbz-bash-4.4-p23/bin/sh"
moving /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/sbin/* to /nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10/bin
/nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10

@fpletz
nixos/gnupg: add option for setting pinentry flavours
7c67829
@fpletz
gnupg: disable gui/pinentry support by default
e91b0dc 
This solves the dependency cycle in gcr alternatively so there won't be
two gnupg store paths in a standard NixOS system which has udisks2 enabled
by default.

NixOS users are expected to use the gpg-agent user service to pull in the
appropriate pinentry flavour or install it on their systemPackages and set
it in their local gnupg agent config instead.
@fpletz
Revert "installer: Disable udisks"
f6d6ba5 
This reverts commit 571fb74.

The dependencay on gtk2 was removed.
@GrahamcOfBorg
Copy link

Success on x86_64-darwin (full log)

Attempted: gnupg

The following builds were skipped because they don't evaluate on x86_64-darwin: pinentry

Partial log (click to expand)

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowUnsupportedSystem = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowUnsupportedSystem = true; }
to ~/.config/nixpkgs/config.nix.


/nix/store/nxggndlhnd0nbbj1jb6j9lshrhl7144f-gnupg-2.2.10

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: gnupg, pinentry

Partial log (click to expand)

stripping (with command strip and flags -S) in /nix/store/qih13s7bkzxli6y0m16dnrhdr5lr1rjz-pinentry-1.1.0-gnome3/bin
patching script interpreter paths in /nix/store/qih13s7bkzxli6y0m16dnrhdr5lr1rjz-pinentry-1.1.0-gnome3
checking for references to /build in /nix/store/qih13s7bkzxli6y0m16dnrhdr5lr1rjz-pinentry-1.1.0-gnome3...
shrinking RPATHs of ELF executables and libraries in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs
shrinking /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs/bin/pinentry-emacs
strip is /nix/store/vcc4svb8gy29g4pam2zja6llkbcwsyiq-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs/bin
patching script interpreter paths in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs
checking for references to /build in /nix/store/8bs47idc4dbkk3ng9mffn978fy92wqk4-pinentry-1.1.0-emacs...
postPatchMkspecs

@dezgeg
Copy link
Contributor

dezgeg commented Oct 27, 2018

Is there an use case for having udisks2 in the installer anyway? The only user available is root and even if it weren't you'd have to use sudo anyway to run nixos-install.

Pinentry closure size drop is of course nice regardless.

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: gnupg, pinentry

Partial log (click to expand)

checking for references to /build in /nix/store/9fngglrik447154ij4aiz2wg47y15h6z-pinentry-1.1.0-gnome3...
shrinking RPATHs of ELF executables and libraries in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs
shrinking /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs/bin/pinentry-emacs
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs/bin
patching script interpreter paths in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs
checking for references to /build in /nix/store/sn3f9lyag1i12zjldls8bcaqsy7dyshi-pinentry-1.1.0-emacs...
postPatchMkspecs
/nix/store/ma2ns8m274f84ic9i2w2rdn0d4n04qzh-gnupg-2.2.10
/nix/store/bcm7g5xs9g4pikdjq50miiczhywq8m8r-pinentry-1.1.0

jtojnar
jtojnar reviewed Oct 27, 2018
View reviewed changes
pkgs/tools/security/pinentry/default.nix
info = flavourInfo.${f};
inputs = info.buildInputs or [];
flag = flavourInfo.${f}.flag or null;
inputsSatifsfied = inputs == [] || all (f: !(isNull f)) inputs;
Copy link
Contributor

@jtojnar jtojnar Oct 27, 2018
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
inputsSatifsfied = inputs == [] || all (f: !(isNull f)) inputs;
inputsSatisfied = all (f: !(isNull f)) inputs;

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And !(isNull f) == ! isNull f

jtojnar
jtojnar reviewed Oct 27, 2018
View reviewed changes
pkgs/tools/security/pinentry/default.nix
, libgpgerror, libassuan
, ncurses, gtk2, qt
, libcap ? null, libsecret ? null, gcr ? null
, flavours ? [ "curses" "tty" "gtk2" "qt" "gnome3" "emacs" ]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe use enabledFlavours or something?

jtojnar
jtojnar reviewed Oct 27, 2018
View reviewed changes
pkgs/tools/security/pinentry/default.nix
'';
nativeBuildInputs = [ pkgconfig ];
buildInputs = [ libgpgerror libassuan libcap libsecret ]
++ flatten (flip map flavours (f: flavourInfo.${f}.buildInputs or []));
Copy link
Contributor

@jtojnar jtojnar Oct 27, 2018
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not just

Suggested change
++ flatten (flip map flavours (f: flavourInfo.${f}.buildInputs or []));
++ concatMap (f: flavourInfo.${f}.buildInputs or []) flavours;

Hopefully, there will not be multiple levels of nested lists.

jtojnar
jtojnar reviewed Oct 27, 2018
View reviewed changes
pkgs/tools/security/pinentry/default.nix
ln -sf ${outputVar}/bin/${binary} ${outputVar}/bin/pinentry
''))
+ ''
ln -sf ${head flavours}/bin/pinentry-${flavourInfo.${head flavours}.bin} $out/bin/pinentry
Copy link
Contributor

@jtojnar jtojnar Oct 27, 2018
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should not this be

Suggested change
ln -sf ${head flavours}/bin/pinentry-${flavourInfo.${head flavours}.bin} $out/bin/pinentry
ln -sf ${"$" + head flavours}/bin/pinentry-${flavourInfo.${head flavours}.bin} $out/bin/pinentry

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we could even use placeholder now.

jtojnar
jtojnar reviewed Oct 27, 2018
View reviewed changes
nixos/modules/programs/gnupg.nix
pinentry binary will be passed to gpg-agent via commandline and
thus overrides the pinentry option in gpg-agent.conf in the user's
home directory.
'';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe also mention the default behaviour.

@flokli
Copy link
Contributor

flokli commented Oct 31, 2018

@dezgeg

Is there an use case for having udisks2 in the installer anyway? The only user available is root and even if it weren't you'd have to use sudo anyway to run nixos-install.

Pinentry closure size drop is of course nice regardless.

According to @edolstra in #41723 (comment)

No, udisks should be the default on non-graphical systems, since you may still want to do things like mount USB sticks in a uniform way. We just shouldn't have insanity like depending on GTK+.

@jtojnar jtojnar mentioned this pull request Nov 11, 2018
Closed
9 tasks
@jtojnar jtojnar mentioned this pull request Jan 16, 2019
Closed
jtojnar
jtojnar reviewed Jan 16, 2019
View reviewed changes
pkgs/top-level/all-packages.nix
};

pinentry_gnome = self.pinentry.override {
qt = qt5.qtbase;
gcr = gnome3.gcr;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gcr is now part of top-level attribute set, this can be removed.

jtojnar
jtojnar reviewed Jan 16, 2019
View reviewed changes
pkgs/top-level/all-packages.nix

pinentry_qt5 = self.pinentry.override {
qt = qt5.qtbase;
pinentry_qt4 = pinentry.override {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do not need QT4 variant. #33248

@flokli flokli mentioned this pull request Apr 9, 2019
Merged
10 tasks
@jtojnar jtojnar mentioned this pull request Apr 15, 2019
Closed
@flokli
Copy link
Contributor

flokli commented May 25, 2019
edited

@fpletz can you rebase to latest master (especially #59190) and address the comments?

@jtojnar jtojnar mentioned this pull request Jun 11, 2019
Closed
@matthewbauer matthewbauer modified the milestones: 19.03, 20.03 Aug 28, 2019
@worldofpeace
Copy link
Contributor

Ooh I like this feature, and definitely want this for 20.03.
Might finish this up 👍

This was referenced Oct 11, 2019
Merged
Merged
@flokli
Copy link
Contributor

flokli commented Oct 13, 2019

Superseded by #71095.

@flokli flokli closed this Oct 13, 2019
@fpletz fpletz deleted the pinentry-cleanup branch October 14, 2019 13:19
@flokli flokli mentioned this pull request Jun 24, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jtojnar jtojnar jtojnar left review comments

@infinisil infinisil infinisil left review comments

@flokli flokli flokli requested changes

@samueldr samueldr Awaiting requested review from samueldr

@lheckemann lheckemann Awaiting requested review from lheckemann

@dezgeg dezgeg Awaiting requested review from dezgeg

@vcunat vcunat Awaiting requested review from vcunat

Assignees
No one assigned
Labels
0.kind: enhancement 6.topic: closure-size 6.topic: GNOME GNOME desktop environment and its underlying platform 6.topic: nixos 8.has: changelog 8.has: clean-up 8.has: documentation 8.has: module (update) 8.has: package (new) 10.rebuild-darwin: 1-10 10.rebuild-linux: 101-500
Projects
None yet
Milestone
20.03
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@fpletz @GrahamcOfBorg @dezgeg @flokli @worldofpeace @jtojnar @infinisil @matthewbauer