From ffb5d3d10595919aa447ee46eb768ef46dfc0058 Mon Sep 17 00:00:00 2001
From: David McFarland
Date: Fri, 12 May 2023 07:50:00 -0300
Subject: [PATCH 1/4] gnupg: fix tests
---
 pkgs/tools/security/gnupg/24.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix
index 691c7c5a720..9955d8bddbd 100644
--- a/pkgs/tools/security/gnupg/24.nix
+++ b/pkgs/tools/security/gnupg/24.nix
@@ -6,6 +6,7 @@
 , withPcsc ? !enableMinimal, pcsclite
 , guiSupport ? stdenv.isDarwin, pinentry
 , withTpm2Tss ? !stdenv.isDarwin && !enableMinimal, tpm2-tss
+, nixosTests
 }:
 assert guiSupport -> enableMinimal == false;
@@ -85,7 +86,7 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
- passthru.tests.connman = lib.nixosTests.gnupg;
+ passthru.tests.connman = nixosTests.gnupg;
 meta = with lib; {
 homepage = "https://gnupg.org";
From 960a5142aa812a2df307a6fab65b25ad698e13b5 Mon Sep 17 00:00:00 2001
From: David McFarland
Date: Wed, 10 May 2023 13:23:18 -0300
Subject: [PATCH 2/4] nixos/gnupg: add systemd configuration
This depended on the systemd user configuration provided upstream in doc/examples. However, this was all removed in: https://github.com/gpg/gnupg/commit/eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed
---
 nixos/modules/programs/gnupg.nix | 81 ++++++++++++++++++++++++++++++--
 1 file changed, 76 insertions(+), 5 deletions(-)
diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix
index cb8d0ecff4c..0ca159bdad0 100644
--- a/nixos/modules/programs/gnupg.nix
+++ b/nixos/modules/programs/gnupg.nix
@@ -95,36 +95,107 @@ in
 config = mkIf cfg.agent.enable {
 # This overrides the systemd user unit shipped with the gnupg package
 systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) {
- serviceConfig.ExecStart = [ "" ''
- ${cfg.package}/bin/gpg-agent --supervised \
- --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry
- '' ];
+ unitConfig = {
+ Description = "GnuPG cryptographic agent and passphrase cache";
+ Documentation = "man:gpg-agent(1)";
+ Requires = [ "gpg-agent.socket" ];
+ };
+ serviceConfig = {
+ ExecStart = ''
+ ${cfg.package}/bin/gpg-agent --supervised \
+ --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry
+ '';
+ ExecReload = "${cfg.package}/bin/gpgconf --reload gpg-agent";
+ };
 };
 systemd.user.sockets.gpg-agent = {
+ unitConfig = {
+ Description = "GnuPG cryptographic agent and passphrase cache";
+ Documentation = "man:gpg-agent(1)";
+ };
+ socketConfig = {
+ ListenStream = "%t/gnupg/S.gpg-agent";
+ FileDescriptorName = "std";
+ SocketMode = "0600";
+ DirectoryMode = "0700";
+ };
 wantedBy = [ "sockets.target" ];
 };
 systemd.user.sockets.gpg-agent-ssh = mkIf cfg.agent.enableSSHSupport {
+ unitConfig = {
+ Description = "GnuPG cryptographic agent (ssh-agent emulation)";
+ Documentation = "man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)";
+ };
+ socketConfig = {
+ ListenStream = "%t/gnupg/S.gpg-agent.ssh";
+ FileDescriptorName = "ssh";
+ Service = "gpg-agent.service";
+ SocketMode = "0600";
+ DirectoryMode = "0700";
+ };
 wantedBy = [ "sockets.target" ];
 };
 systemd.user.sockets.gpg-agent-extra = mkIf cfg.agent.enableExtraSocket {
+ unitConfig = {
+ Description = "GnuPG cryptographic agent and passphrase cache (restricted)";
+ Documentation = "man:gpg-agent(1)";
+ };
+ socketConfig = {
+ ListenStream = "%t/gnupg/S.gpg-agent.extra";
+ FileDescriptorName = "extra";
+ Service = "gpg-agent.service";
+ SocketMode = "0600";
+ DirectoryMode = "0700";
+ };
 wantedBy = [ "sockets.target" ];
 };
 systemd.user.sockets.gpg-agent-browser = mkIf cfg.agent.enableBrowserSocket {
+ unitConfig = {
+ Description = "GnuPG cryptographic agent and passphrase cache (access for web browsers)";
+ Documentation = "man:gpg-agent(1)";
+ };
+ socketConfig = {
+ ListenStream = "%t/gnupg/S.gpg-agent.browser";
+ FileDescriptorName = "browser";
+ Service = "gpg-agent.service";
+ SocketMode = "0600";
+ DirectoryMode = "0700";
+ };
 wantedBy = [ "sockets.target" ];
 };
+ systemd.user.services.dirmngr = mkIf cfg.dirmngr.enable {
+ unitConfig = {
+ Description = "GnuPG network certificate management daemon";
+ Documentation = "man:dirmngr(8)";
+ Requires = "dirmngr.socket";
+ };
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin/dirmngr --supervised";
+ ExecReload = "${cfg.package}/bin/gpgconf --reload dirmngr";
+ };
+ };
+ systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable {
+ unitConfig = {
+ Description = "GnuPG network certificate management daemon";
+ Documentation = "man:dirmngr(8)";
+ };
+ socketConfig = {
+ ListenStream = "%t/gnupg/S.dirmngr";
+ SocketMode = "0600";
+ DirectoryMode = "0700";
+ };
 wantedBy = [ "sockets.target" ];
 };
 services.dbus.packages = mkIf (cfg.agent.pinentryFlavor == "gnome3") [ pkgs.gcr ];
 environment.systemPackages = with pkgs; [ cfg.package ];
- systemd.packages = [ cfg.package ];
 environment.interactiveShellInit = ''
 # Bind gpg-agent to this TTY if gpg commands are used.
From 51fd00925fe9b068070616a1ec119de297fc1171 Mon Sep 17 00:00:00 2001
From: David McFarland
Date: Sun, 11 Jun 2023 19:34:59 -0300
Subject: [PATCH 3/4] gnupg: fix test attribute key
---
 pkgs/tools/security/gnupg/22.nix | 2 +-
 pkgs/tools/security/gnupg/24.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix
index 6c2ffe12354..78f4af894a3 100644
--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
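Review bot: With `- systemd.packages = [ cfg.package ];` gone, `systemd.user.services.gpg-agent` is the only gpg-agent service unit left, yet it is still gated on `mkIf (cfg.agent.pinentryFlavor != null)` while `systemd.user.sockets.gpg-agent` and the ssh/extra/browser sockets (which point at `Service = "gpg-agent.service"`) are installed unconditionally, so a configuration with `pinentryFlavor = null` gets sockets that no service can answer. Either apply the same guard to the sockets, or define the service unconditionally and add `--pinentry-program` to ExecStart only when a flavor is set. The context line `# This overrides the systemd user unit shipped with the gnupg package` now contradicts the commit message (upstream no longer ships units); reword it to `# gnupg no longer ships systemd user units; these replace the former doc/examples units`. Minor style point: `Requires = "dirmngr.socket";` is a bare string while the gpg-agent unit uses a list form `Requires = [ "gpg-agent.socket" ];` — pick one. The enclosing `config = mkIf cfg.agent.enable {` attrset continues past the hunk.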
@@ -80,7 +80,7 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
- passthru.tests.connman = lib.nixosTests.gnupg;
+ passthru.tests = lib.nixosTests.gnupg;
 meta = with lib; {
 homepage = "https://gnupg.org";
diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix
index 9955d8bddbd..aeb69663247 100644
--- a/pkgs/tools/security/gnupg/24.nix
+++ b/pkgs/tools/security/gnupg/24.nix
@@ -86,7 +86,7 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
- passthru.tests.connman = nixosTests.gnupg;
+ passthru.tests = nixosTests.gnupg;
 meta = with lib; {
 homepage = "https://gnupg.org";
From 8ea644997f7d92cac129ddbfab14b33997038dae Mon Sep 17 00:00:00 2001
From: David McFarland
Date: Thu, 15 Jun 2023 10:17:43 -0300
Subject: [PATCH 4/4] nixos/gpg-agent: move pinentry-program to /etc/gnupg/gpg-agent.conf
---
 nixos/modules/programs/gnupg.nix | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix
index 0ca159bdad0..cc82849003f 100644
--- a/nixos/modules/programs/gnupg.nix
+++ b/nixos/modules/programs/gnupg.nix
@@ -93,6 +93,10 @@ in
 };
 config = mkIf cfg.agent.enable {
+ environment.etc."gnupg/gpg-agent.conf".text = ''
+ pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry
+ '';
+ # This overrides the systemd user unit shipped with the gnupg package
 systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) {
 unitConfig = {
@@ -101,10 +105,7 @@ in
 Requires = [ "gpg-agent.socket" ];
 };
 serviceConfig = {
- ExecStart = ''
- ${cfg.package}/bin/gpg-agent --supervised \
- --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry
- '';
+ ExecStart = "${cfg.package}/bin/gpg-agent --supervised";
+ ExecReload = "${cfg.package}/bin/gpgconf --reload gpg-agent";
 };
 };
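Review bot: The new `environment.etc."gnupg/gpg-agent.conf".text` interpolates `pkgs.pinentry.${cfg.agent.pinentryFlavor}` unconditionally, while the service unit directly below it is still guarded by `mkIf (cfg.agent.pinentryFlavor != null)`; with the flavor set to null the attribute lookup fails at evaluation time, so the guard needs to cover the etc file too, e.g. `environment.etc."gnupg/gpg-agent.conf" = mkIf (cfg.agent.pinentryFlavor != null) { text = "pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry\n"; };`. Since the hunk moves the pinentry choice from a service argument to a system-wide config file, a comment should say how it interacts with per-user settings, e.g. `# System-wide default read by gpg-agent; a user's ~/.gnupg/gpg-agent.conf is expected to override it — verify against the gnupg version shipped`, with the override order left hedged until checked. The enclosing `config = mkIf cfg.agent.enable {` attrset continues outside the hunk.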