From 1d597a2ac3c26960844a5df935d32cfb9dd04f74 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 11 Aug 2021 22:06:36 +0200 Subject: [PATCH] pinentry: remove multiple outputs package fixes #133156 #124753 --- nixos/modules/config/no-x-libs.nix | 2 +- nixos/modules/programs/gnupg.nix | 56 ++--- nixos/modules/programs/wayland/sway.nix | 5 + .../services/security/yubikey-agent.nix | 12 +- .../services/x11/desktop-managers/deepin.nix | 1 + .../services/x11/desktop-managers/lxqt.nix | 2 + .../services/x11/desktop-managers/plasma5.nix | 1 + .../services/x11/desktop-managers/xfce.nix | 1 + nixos/modules/services/x11/xserver.nix | 2 + nixos/tests/pass-secret-service.nix | 1 - pkgs/tools/security/pinentry/default.nix | 202 ++++++++++-------- pkgs/top-level/aliases.nix | 11 + pkgs/top-level/all-packages.nix | 14 +- 13 files changed, 164 insertions(+), 146 deletions(-) diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix index 4727e5b85ef22b4..6ef6fb5f1109180 100644 --- a/nixos/modules/config/no-x-libs.nix +++ b/nixos/modules/config/no-x-libs.nix @@ -64,7 +64,7 @@ with lib; networkmanager-sstp = super.networkmanager-vpnc.override { withGnome = false; }; networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; }; pango = super.pango.override { x11Support = false; }; - pinentry = super.pinentry.override { enabledFlavors = [ "curses" "tty" "emacs" ]; withLibsecret = false; }; + pinentry-curses = super.pinentry-curses.override { withLibsecret = false; }; pipewire = super.pipewire.override { x11Support = false; }; pythonPackagesExtensions = super.pythonPackagesExtensions ++ [ (python-final: python-prev: { diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix index 8f82de033666749..ad729386b23af13 100644 --- a/nixos/modules/programs/gnupg.nix +++ b/nixos/modules/programs/gnupg.nix 
@@ -1,8 +1,7 @@ { config, lib, pkgs, ... }: -with lib; - let + inherit (lib) mkRemovedOptionModule mkOption mkPackageOption types mkIf optionalString; cfg = config.programs.gnupg; @@ -10,23 +9,11 @@ let mkKeyValue = lib.generators.mkKeyValueDefault { } " "; }; - xserverCfg = config.services.xserver; - - defaultPinentryFlavor = - if xserverCfg.desktopManager.lxqt.enable - || xserverCfg.desktopManager.plasma5.enable - || xserverCfg.desktopManager.deepin.enable then - "qt" - else if xserverCfg.desktopManager.xfce.enable then - "gtk2" - else if xserverCfg.enable || config.programs.sway.enable then - "gnome3" - else - "curses"; - in - { + imports = [ + (mkRemovedOptionModule [ "programs" "gnupg" "agent" "pinentryFlavor" ] "Use programs.gnupg.agent.pinentryPackage instead") + ]; options.programs.gnupg = { package = mkPackageOption pkgs "gnupg" { }; 
@@ -65,17 +52,17 @@ in ''; }; - agent.pinentryFlavor = mkOption { - type = types.nullOr (types.enum pkgs.pinentry.flavors); - example = "gnome3"; - default = defaultPinentryFlavor; - defaultText = literalMD ''matching the configured desktop environment''; + agent.pinentryPackage = mkOption { + type = types.nullOr types.package; + example = lib.literalMD "pkgs.pinentry-gnome3"; + default = pkgs.pinentry-curses; + defaultText = lib.literalMD "matching the configured desktop environment or `pkgs.pinentry-curses`"; description = lib.mdDoc '' - Which pinentry interface to use. If not null, the path to the - pinentry binary will be set in /etc/gnupg/gpg-agent.conf. - If not set at all, it'll pick an appropriate flavor depending on the - system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce - 4.12, gnome3 on all other systems with X enabled, ncurses otherwise). + Which pinentry package to use. The path to the mainProgram as defined in + the package's meta attriutes will be set in /etc/gnupg/gpg-agent.conf. + If not set by the user, it'll pick an appropriate flavor depending on the + system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce, + gnome3 on all other systems with X enabled, curses otherwise). ''; }; @@ -101,9 +88,8 @@ in }; config = mkIf cfg.agent.enable { - programs.gnupg.agent.settings = { - pinentry-program = lib.mkIf (cfg.agent.pinentryFlavor != null) - "${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry"; + programs.gnupg.agent.settings = mkIf (cfg.agent.pinentryPackage != null) { + pinentry-program = lib.getExe cfg.agent.pinentryPackage; }; environment.etc."gnupg/gpg-agent.conf".source = 
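Review bot: The new description of `agent.pinentryPackage` no longer says what `null` does, although the type is still `types.nullOr types.package` and the config hunk below skips `pinentry-program` in that case. It also reads as if the option picks a flavor by itself, while its own default is fixed at `pkgs.pinentry-curses` and the desktop-specific values come from other modules in this commit. I would add a sentence such as `Set to null to leave pinentry-program out of gpg-agent.conf.`, reword the "it'll pick" sentence to name the desktop modules as the source of the default, and fix the typo "attriutes".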
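Review bot: `pinentry-program = lib.getExe cfg.agent.pinentryPackage;` trusts whatever `meta.mainProgram` the chosen package declares, and the option accepts any package. For a package without that attribute, `lib.getExe` either guesses from the package name or fails, depending on the lib version, so a wrong choice may only surface when gpg-agent tries to prompt for a passphrase. An assertion would catch it at evaluation time, for example `assertion = cfg.agent.pinentryPackage == null || cfg.agent.pinentryPackage ? meta.mainProgram;` with a message naming the option. The `config` block continues outside the hunk.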
@@ -206,9 +192,9 @@ in wantedBy = [ "sockets.target" ]; }; - services.dbus.packages = mkIf (cfg.agent.pinentryFlavor == "gnome3") [ pkgs.gcr ]; + services.dbus.packages = mkIf (lib.elem "gnome3" (cfg.agent.pinentryPackage.flavors or [])) [ pkgs.gcr ]; - environment.systemPackages = with pkgs; [ cfg.package ]; + environment.systemPackages = [ cfg.package ]; environment.interactiveShellInit = '' # Bind gpg-agent to this TTY if gpg commands are used. @@ -229,12 +215,10 @@ in ''; assertions = [ - { assertion = cfg.agent.enableSSHSupport -> !config.programs.ssh.startAgent; + { + assertion = cfg.agent.enableSSHSupport -> !config.programs.ssh.startAgent; message = "You can't use ssh-agent and GnuPG agent with SSH support enabled at the same time!"; } ]; }; - - # uses attributes of the linked package - meta.buildDocsInSandbox = false; } diff --git a/nixos/modules/programs/wayland/sway.nix b/nixos/modules/programs/wayland/sway.nix index 57ee629b2881020..806d8b8721269ed 100644 --- a/nixos/modules/programs/wayland/sway.nix +++ b/nixos/modules/programs/wayland/sway.nix @@ -152,6 +152,7 @@ in { ''; } ]; + environment = { systemPackages = optional (cfg.package != null) cfg.package ++ cfg.extraPackages; # Needed for the default wallpaper: @@ -166,8 +167,12 @@ in { "sway/config".source = mkOptionDefault "${cfg.package}/etc/sway/config"; }; }; + + programs.gnupg.agent.pinentryPackage = lib.mkDefault pkgs.pinentry-gnome3; + # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050913 xdg.portal.config.sway.default = mkDefault [ "wlr" "gtk" ]; + # To make a Sway session available if a display manager like SDDM is enabled: services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; } (import ./wayland-session.nix { inherit lib pkgs; }) diff --git a/nixos/modules/services/security/yubikey-agent.nix b/nixos/modules/services/security/yubikey-agent.nix index a9f15e4405f2309..bf8432a00238fe8 100644 
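Review bot: `programs.gnupg.agent.pinentryPackage = lib.mkDefault pkgs.pinentry-gnome3;` in sway.nix has the same priority as the identical line added to xserver.nix, and the deepin, lxqt, plasma5 and xfce hunks assign the option with no priority wrapper at all. A package-typed option normally cannot merge two definitions at one priority, so enabling sway together with `services.xserver`, or two of those desktops, is likely to fail evaluation. A plain user assignment would also conflict with the desktop modules' plain assignments instead of overriding them, which contradicts the "If not set by the user" wording in gnupg.nix. Consider `lib.mkDefault pkgs.pinentry-qt` (and `lib.mkDefault pkgs.pinentry-gtk2` for xfce) in the desktop modules, and a weaker level such as `lib.mkOverride 1100 pkgs.pinentry-gnome3` for the generic xserver fallback so the levels do not collide. The enclosing attribute sets continue outside these hunks.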
--- a/nixos/modules/services/security/yubikey-agent.nix +++ b/nixos/modules/services/security/yubikey-agent.nix @@ -6,9 +6,6 @@ with lib; let cfg = config.services.yubikey-agent; - - # reuse the pinentryFlavor option from the gnupg module - pinentryFlavor = config.programs.gnupg.agent.pinentryFlavor; in { ###### interface @@ -41,13 +38,8 @@ in # This overrides the systemd user unit shipped with the # yubikey-agent package systemd.user.services.yubikey-agent = mkIf (pinentryFlavor != null) { - path = [ pkgs.pinentry.${pinentryFlavor} ]; - wantedBy = [ - (if pinentryFlavor == "tty" || pinentryFlavor == "curses" then - "default.target" - else - "graphical-session.target") - ]; + path = [ config.programs.gnupg.agent.pinentryPackage ]; + wantedBy = [ "default.target" ]; }; # Yubikey-agent expects pcsd to be running in order to function. diff --git a/nixos/modules/services/x11/desktop-managers/deepin.nix b/nixos/modules/services/x11/desktop-managers/deepin.nix index 7fdd50b1ed26386..13cbc8943ae1248 100644 --- a/nixos/modules/services/x11/desktop-managers/deepin.nix +++ b/nixos/modules/services/x11/desktop-managers/deepin.nix @@ -66,6 +66,7 @@ in services.upower.enable = mkDefault config.powerManagement.enable; networking.networkmanager.enable = mkDefault true; programs.dconf.enable = mkDefault true; + programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt; fonts.packages = with pkgs; [ noto-fonts ]; xdg.mime.enable = true; diff --git a/nixos/modules/services/x11/desktop-managers/lxqt.nix b/nixos/modules/services/x11/desktop-managers/lxqt.nix index 50ad72dc7388d48..d3bdc4326a90886 100644 --- a/nixos/modules/services/x11/desktop-managers/lxqt.nix +++ b/nixos/modules/services/x11/desktop-managers/lxqt.nix @@ -62,6 +62,8 @@ in # Link some extra directories in /run/current-system/software/share environment.pathsToLink = [ "/share" ]; + programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt; + # virtual file systems support for PCManFM-QT services.gvfs.enable = true; 
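Review bot: The unchanged context line `systemd.user.services.yubikey-agent = mkIf (pinentryFlavor != null) {` still reads `pinentryFlavor`, whose `let` binding the first hunk of this file removes, so evaluating the module with yubikey-agent enabled should fail on an undefined variable. The guard should follow the new option: `mkIf (config.programs.gnupg.agent.pinentryPackage != null) {`. Separately, `wantedBy = [ "default.target" ]` now starts the agent outside the graphical session even when a graphical pinentry is selected. Whether the PIN prompt can still reach the display in that case is not visible here and is worth testing. The surrounding `config` block continues outside the hunk.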
diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index fc9de2500ba4608..3159db0eb7ada71 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -331,6 +331,7 @@ in serif = [ "Noto Serif" ]; }; + programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt; programs.ssh.askPassword = mkDefault "${pkgs.plasma5Packages.ksshaskpass.out}/bin/ksshaskpass"; # Enable helpful DBus services. diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index e28486bcc12d89a..6bc964f4c6ed7b1 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -131,6 +131,7 @@ in xfdesktop ] ++ optional cfg.enableScreensaver xfce4-screensaver) excludePackages; + programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gtk2; programs.xfconf.enable = true; programs.thunar.enable = true; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 4a8f2f61caaf419..30c70dc1c9b6246 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -749,6 +749,8 @@ in boot.kernel.sysctl."fs.inotify.max_user_instances" = mkDefault 524288; boot.kernel.sysctl."fs.inotify.max_user_watches" = mkDefault 524288; + programs.gnupg.agent.pinentryPackage = lib.mkDefault pkgs.pinentry-gnome3; + systemd.defaultUnit = mkIf cfg.autorun "graphical.target"; systemd.services.display-manager = diff --git a/nixos/tests/pass-secret-service.nix b/nixos/tests/pass-secret-service.nix index e0dddf0ad29e204..cdbdaa52dbc0a86 100644 --- a/nixos/tests/pass-secret-service.nix +++ b/nixos/tests/pass-secret-service.nix 
@@ -26,7 +26,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { programs.gnupg = { agent.enable = true; - agent.pinentryFlavor = "tty"; dirmngr.enable = true; }; }; diff --git a/pkgs/tools/security/pinentry/default.nix b/pkgs/tools/security/pinentry/default.nix index baa78521f3456bd..dd66a38481920b4 100644 --- a/pkgs/tools/security/pinentry/default.nix +++ b/pkgs/tools/security/pinentry/default.nix 
@@ -1,100 +1,120 @@ -{ fetchurl, mkDerivation, fetchpatch, stdenv, lib, pkg-config, autoreconfHook, wrapGAppsHook -, libgpg-error, libassuan, qtbase, wrapQtAppsHook -, ncurses, gtk2, gcr -, withLibsecret ? true, libsecret -, enabledFlavors ? [ "curses" "tty" "gtk2" "emacs" ] - ++ lib.optionals stdenv.isLinux [ "gnome3" ] - ++ lib.optionals (!stdenv.isDarwin) [ "qt" ] +{ stdenv +, lib +, fetchurl +, fetchpatch +, pkg-config +, autoreconfHook +, wrapGAppsHook +, libgpg-error +, libassuan +, libsForQt5 +, ncurses +, gtk2 +, gcr +, withLibsecret ? true +, libsecret }: -assert lib.isList enabledFlavors && enabledFlavors != []; - let - pinentryMkDerivation = - if (builtins.elem "qt" enabledFlavors) - then mkDerivation - else stdenv.mkDerivation; - - enableFeaturePinentry = f: - let - flag = flavorInfo.${f}.flag or null; - in - lib.optionalString (flag != null) - (lib.enableFeature (lib.elem f enabledFlavors) ("pinentry-" + flag)); - flavorInfo = { - curses = { bin = "curses"; flag = "curses"; buildInputs = [ ncurses ]; }; - tty = { bin = "tty"; flag = "tty"; }; - gtk2 = { bin = "gtk-2"; flag = "gtk2"; buildInputs = [ gtk2 ]; }; - gnome3 = { bin = "gnome3"; flag = "gnome3"; buildInputs = [ gcr ]; nativeBuildInputs = [ wrapGAppsHook ]; }; - qt = { bin = "qt"; flag = "qt"; buildInputs = [ qtbase ]; nativeBuildInputs = [ wrapQtAppsHook ]; }; - emacs = { bin = "emacs"; flag = "emacs"; buildInputs = []; }; - }; - -in - -pinentryMkDerivation rec { - pname = "pinentry"; - version = "1.2.1"; - - src = fetchurl { - url = "mirror://gnupg/pinentry/${pname}-${version}.tar.bz2"; - sha256 = "sha256-RXoYXlqFI4+5RalV3GNSq5YtyLSHILYvyfpIx1QKQGc="; + tty = { flag = "tty"; }; + curses = { + flag = "curses"; + buildInputs = [ ncurses ]; + }; + gtk2 = { + flag = "gtk2"; + buildInputs = [ gtk2 ]; + }; + gnome3 = { + flag = "gnome3"; + buildInputs = [ gcr ]; + nativeBuildInputs = [ wrapGAppsHook ]; + }; + qt = { + flag = "qt"; + buildInputs = [ libsForQt5.qtbase ]; + nativeBuildInputs = [ 
libsForQt5.wrapQtAppsHook ]; + }; + emacs = { flag = "emacs"; }; }; - nativeBuildInputs = [ pkg-config autoreconfHook ] - ++ lib.concatMap(f: flavorInfo.${f}.nativeBuildInputs or []) enabledFlavors; - - buildInputs = [ libgpg-error libassuan ] - ++ lib.optional withLibsecret libsecret - ++ lib.concatMap(f: flavorInfo.${f}.buildInputs or []) enabledFlavors; - - dontWrapGApps = true; - dontWrapQtApps = true; - - patches = [ - ./autoconf-ar.patch - ] ++ lib.optionals (lib.elem "gtk2" enabledFlavors) [ - (fetchpatch { - url = "https://salsa.debian.org/debian/pinentry/raw/debian/1.1.0-1/debian/patches/0007-gtk2-When-X11-input-grabbing-fails-try-again-over-0..patch"; - sha256 = "15r1axby3fdlzz9wg5zx7miv7gqx2jy4immaw4xmmw5skiifnhfd"; - }) - ]; - - configureFlags = [ - "--with-libgpg-error-prefix=${libgpg-error.dev}" - "--with-libassuan-prefix=${libassuan.dev}" - (lib.enableFeature withLibsecret "libsecret") - ] ++ (map enableFeaturePinentry (lib.attrNames flavorInfo)); - - postInstall = - lib.concatStrings (lib.flip map enabledFlavors (f: - let - binary = "pinentry-" + flavorInfo.${f}.bin; - in '' - moveToOutput bin/${binary} ${placeholder f} - ln -sf ${placeholder f}/bin/${binary} ${placeholder f}/bin/pinentry - '' + lib.optionalString (f == "gnome3") '' - wrapGApp ${placeholder f}/bin/${binary} - '' + lib.optionalString (f == "qt") '' - wrapQtApp ${placeholder f}/bin/${binary} - '')) + '' - ln -sf ${placeholder (lib.head enabledFlavors)}/bin/pinentry-${flavorInfo.${lib.head enabledFlavors}.bin} $out/bin/pinentry - ''; - - outputs = [ "out" ] ++ enabledFlavors; + buildPinentry = pinentryExtraPname: buildFlavors: + let + enableFeaturePinentry = f: + lib.enableFeature (lib.elem f buildFlavors) ("pinentry-" + flavorInfo.${f}.flag); - passthru = { flavors = enabledFlavors; }; + pinentryMkDerivation = + if (lib.elem "qt" buildFlavors) + then libsForQt5.mkDerivation + else stdenv.mkDerivation; - meta = with lib; { - homepage = "http://gnupg.org/aegypten2/"; - description = 
"GnuPG’s interface to passphrase input"; - license = licenses.gpl2Plus; - platforms = platforms.all; - longDescription = '' - Pinentry provides a console and (optional) GTK and Qt GUIs allowing users - to enter a passphrase when `gpg' or `gpg2' is run and needs it. - ''; - maintainers = with maintainers; [ ttuegel fpletz ]; - }; + in + pinentryMkDerivation rec { + pname = "pinentry-${pinentryExtraPname}"; + version = "1.2.1"; + + src = fetchurl { + url = "mirror://gnupg/pinentry/pinentry-${version}.tar.bz2"; + hash = "sha256-RXoYXlqFI4+5RalV3GNSq5YtyLSHILYvyfpIx1QKQGc="; + }; + + nativeBuildInputs = [ pkg-config autoreconfHook ] + ++ lib.concatMap (f: flavorInfo.${f}.nativeBuildInputs or [ ]) buildFlavors; + + buildInputs = [ libgpg-error libassuan ] + ++ lib.optional withLibsecret libsecret + ++ lib.concatMap (f: flavorInfo.${f}.buildInputs or [ ]) buildFlavors; + + dontWrapGApps = true; + dontWrapQtApps = true; + + patches = [ + ./autoconf-ar.patch + ] ++ lib.optionals (lib.elem "gtk2" buildFlavors) [ + (fetchpatch { + url = "https://salsa.debian.org/debian/pinentry/raw/debian/1.1.0-1/debian/patches/0007-gtk2-When-X11-input-grabbing-fails-try-again-over-0..patch"; + sha256 = "15r1axby3fdlzz9wg5zx7miv7gqx2jy4immaw4xmmw5skiifnhfd"; + }) + ]; + + configureFlags = [ + "--with-libgpg-error-prefix=${libgpg-error.dev}" + "--with-libassuan-prefix=${libassuan.dev}" + (lib.enableFeature withLibsecret "libsecret") + ] ++ (map enableFeaturePinentry (lib.attrNames flavorInfo)); + + postInstall = + lib.optionalString (lib.elem "gnome3" buildFlavors) '' + wrapGApp $out/bin/pinentry-gnome3 + '' + lib.optionalString (lib.elem "qt" buildFlavors) '' + wrapQtApp $out/bin/pinentry-qt + ''; + + passthru = { flavors = buildFlavors; }; + + meta = with lib; { + homepage = "https://gnupg.org/software/pinentry/index.html"; + description = "GnuPG’s interface to passphrase input"; + license = licenses.gpl2Plus; + platforms = + if elem "gnome3" buildFlavors then platforms.linux else + if elem 
"qt" buildFlavors then (remove "aarch64-darwin" platforms.all) else + platforms.all; + longDescription = '' + Pinentry provides a console and (optional) GTK and Qt GUIs allowing users + to enter a passphrase when `gpg' or `gpg2' is run and needs it. + ''; + maintainers = with maintainers; [ fpletz ]; + mainProgram = "pinentry"; + }; + }; +in +{ + pinentry-curses = buildPinentry "curses" [ "curses" "tty" ]; + pinentry-gtk2 = buildPinentry "gtk2" [ "gtk2" "curses" "tty" ]; + pinentry-gnome3 = buildPinentry "gnome3" [ "gnome3" "curses" "tty" ]; + pinentry-qt = buildPinentry "qt" [ "qt" "curses" "tty" ]; + pinentry-emacs = buildPinentry "emacs" [ "emacs" "curses" "tty" ]; + pinentry-all = buildPinentry "all" [ "curses" "tty" "gtk2" "gnome3" "qt" "emacs" ]; } diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index b868e6123b534c0..90771c6fc9dcd55 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix 
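Review bot: `mainProgram = "pinentry"` makes every variant resolve to `$out/bin/pinentry`, but the new `postInstall` no longer creates that link; the removed code linked it explicitly to the first enabled flavor. Which frontend `bin/pinentry` points to is now left to upstream's install step, so for `pinentry-emacs` and `pinentry-all` the program gpg-agent launches to collect the passphrase may not be the one the package name suggests. I would either restore an explicit `ln -sf` in `postInstall` to the first entry of `buildFlavors`, or at least add a comment such as `# bin/pinentry is installed by upstream and points at its default frontend` next to `mainProgram`. As a style point, `src` moved to `hash =` while the `fetchpatch` call still uses `sha256 =`.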
@@ -816,12 +816,23 @@ mapAliases ({ timescaledb = postgresqlPackages.timescaledb; tsearch_extras = postgresqlPackages.tsearch_extras; + # pinentry was using multiple outputs, this emulates the old interface for i.e. home-manager + # soon: throw "'pinentry' has been removed. Pick an appropriate variant like 'pinentry-curses' or 'pinentry-gnome3'"; + pinentry = pinentry-all // { + curses = pinentry-curses; + gtk2 = pinentry-gtk2; + gnome2 = pinentry-gnome3; + qt = pinentry-qt; + emacs = pinentry-emacs; + flavors = [ "curses" "gtk2" "gnome2" "qt" "emacs" ]; + }; # added 2024-01-15 pinentry_curses = throw "'pinentry_curses' has been renamed to/replaced by 'pinentry-curses'"; # Converted to throw 2023-09-10 pinentry_emacs = throw "'pinentry_emacs' has been renamed to/replaced by 'pinentry-emacs'"; # Converted to throw 2023-09-10 pinentry_gnome = throw "'pinentry_gnome' has been renamed to/replaced by 'pinentry-gnome'"; # Converted to throw 2023-09-10 pinentry_gtk2 = throw "'pinentry_gtk2' has been renamed to/replaced by 'pinentry-gtk2'"; # Converted to throw 2023-09-10 pinentry_qt = throw "'pinentry_qt' has been renamed to/replaced by 'pinentry-qt'"; # Converted to throw 2023-09-10 pinentry_qt5 = pinentry-qt; # Added 2020-02-11 + PlistCpp = plistcpp; # Added 2024-01-05 poetry2nix = throw "poetry2nix is now maintained out-of-tree. Please use https://github.com/nix-community/poetry2nix/"; # Added 2023-10-26 prayer = throw "prayer has been removed from nixpkgs"; # Added 2023-11-09 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 5d156a6715ea1f4..8ef8c2a9c773879 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
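Review bot: The compatibility attrset for `pinentry` does not match the interface it emulates: the removed package exposed outputs named `curses`, `tty`, `gtk2`, `gnome3`, `qt` and `emacs`, but the shim defines `gnome2`, lists `"gnome2"` in `flavors`, and has no `tty` entry. Out-of-tree callers that still select `pkgs.pinentry.gnome3` or `pkgs.pinentry.tty` would therefore break despite the alias. I would use `gnome3 = pinentry-gnome3;`, add `tty = pinentry-curses;` as the closest match, and set `flavors = [ "curses" "tty" "gtk2" "gnome3" "qt" "emacs" ];`. The all-packages.nix change in this commit also drops `pinentry-gnome` without an alias, and the context line for `pinentry_gnome` still points users at that name; `pinentry-gnome = pinentry-gnome3;` here would cover it.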
@@ -12066,13 +12066,13 @@ with pkgs; piknik = callPackage ../tools/networking/piknik { }; - pinentry = libsForQt5.callPackage ../tools/security/pinentry { }; - - pinentry-curses = (lib.getOutput "curses" pinentry); - pinentry-emacs = (lib.getOutput "emacs" pinentry); - pinentry-gtk2 = (lib.getOutput "gtk2" pinentry); - pinentry-qt = (lib.getOutput "qt" pinentry); - pinentry-gnome = (lib.getOutput "gnome3" pinentry); + inherit (callPackages ../tools/security/pinentry { }) + pinentry-curses + pinentry-emacs + pinentry-gtk2 + pinentry-gnome3 + pinentry-qt + pinentry-all; pinentry_mac = callPackage ../tools/security/pinentry/mac.nix { inherit (darwin.apple_sdk.frameworks) Cocoa;