On Tue, Aug 30, 2016 at 02:14:12AM -0400, Daniel Kahn Gillmor wrote:
> On Mon 2016-08-29 21:59:30 -0400, brian m. carlson wrote:
> > genre ok % gpg-connect-agent 'getinfo std_startup_env' /bye
> > OK
>
> interesting that this is empty for you.  I'm assuming that your agent is
> started as a systemd user service, right?
>
> that is, can you show me:
>
>   systemctl --user status gpg-agent
>   gpg-connect-agent 'getinfo pid' /bye
>
> To verify that we're seeing the same pid?

Yup.  Both show the same PID.

> > # Saving a passphrase here makes this work automatically when run for a
> > # second time.
> > genre ok % env -i DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS pinentry <<EOF
> > option allow-external-password-cache
> > setkeyinfo testkey-for-pinentry
> > getpin
> > EOF
> >
> > OK Pleased to meet you
> > OK
> > OK
> > D 123456
> > OK
>
> I'm assuming that the second time here produces an "S PASSWORD_FROM_CACHE"
> status line as well, right?

Yes, there is.

> So, if you do:
>
>   gpg-connect-agent updatestartuptty /bye
>
> and then:
>
>   gpg-connect-agent 'getinfo std_startup_env' /bye
>
> do you see some results?

I see output after this, but my SSH agent still doesn't work:

genre ok % gpg-connect-agent updatestartuptty /bye
OK
genre ok % gpg-connect-agent 'getinfo std_startup_env' /bye
D GPG_TTY=/dev/pts/19
D TERM=screen-256color
D DISPLAY=:0
D XAUTHORITY=/home/bmc/.Xauthority
D DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-cuRTQOMM9V,guid=13a091ac51e469798129363057c4e491
OK
genre ok % git push def HEAD
sign_and_send_pubkey: signing failed: agent refused operation
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

> > I don't have dbus-user-session installed.
> >
> > Based on the description of the package, I don't think I want it
> > installed, either.
>
> You are trying to use gpg-agent with your login session as ssh-agent,
> and you want gpg-agent to be able to talk to the gnome-keyring part of
> your login session, which is done over dbus.
>
> AIUI, you also want gpg-agent to be started when you need it for ssh.
>
> you don't say why you don't want dbus-user-session installed -- do you
> want multiple X11 sessions to run concurrently that are isolated from one
> another?

I want my TTY sessions to be completely isolated from my X11 session.
If I'm logging into a non-X11 session, my system is in a bad state and
I'm trying to fix it.  Shared state is not helpful there, and I
certainly don't want D-Bus involved at all in a TTY session.

Also, philosophically, init should start and stop services, not manage
IPC, run cron jobs, handle NTP, or other unrelated tasks.

> If you don't want or need multiple X11 sessions to run separately from
> each other, I see two options here:
>
>  a) if you don't care about gpg-agent being shut down when you log out,
>     and you don't mind having gpg-agent running well before you need it,
>     then you should disable the systemd user service, and ensure that
>     your X11 login process invokes:
>
>        gpg-connect-agent updatestartuptty /bye
>
>  b) install dbus-user-session

Can we have gpg-agent ship an entry in /etc/xdg/autostart that starts it
automatically (e.g. gpg-connect-agent /bye)?  That seems to be the most
robust solution.  The systemd solution seems too brittle.  Specifically,
we want gpg-agent to inherit all of the user's environment, and systemd
wants desperately to isolate processes from it.  This would work equally
well with the dbus-user-session model, and a lot better for the
single-X11-session model.

What I'm doing now is this in my .zshenv (which is revolting and clearly
the wrong place, but it works):

setup_ssh_agent () {
  local i
  is_ssh_session && return
  grep enable-ssh-support ~/.gnupg/gpg-agent.conf 2>/dev/null | \
    grep -qsv '^#' || return
  gpg-connect-agent /bye >/dev/null 2>&1
  for i in "$(gpgconf --list-dirs | grep '^agent-socket:' | cut -d: -f2)" \
    "$HOME/.gnupg/S.gpg-agent" \
    "/run/user/$(id -u)/gnupg/S.gpg-agent"
  do
    [[ -S "$i.ssh" ]] && export SSH_AUTH_SOCK="$i.ssh"
  done
}

My .Xsession invokes (roughly) zsh -c mate-session.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
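The following is an added example, not code from the message above or from GnuPG. It generalises the .zshenv function in the message to POSIX sh and splits the parsing of `gpgconf --list-dirs` output from the filesystem checks, so the socket-selection logic can be exercised on captured output without an agent running. Assumptions: the reader's gpgconf prints an `agent-ssh-socket:` line (older releases only print `agent-socket:`, for which the ssh socket is that path with `.ssh` appended, as in the zsh loop); the fallback socket paths are the two the message lists; and the sample gpgconf output in the code is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): locate gpg-agent's
# ssh socket and export SSH_AUTH_SOCK, with the parsing kept separate
# from the filesystem checks so it can be tested on captured output.

# Read `gpgconf --list-dirs` output (name:value lines) from stdin and
# print gpg-agent's ssh socket path.  Current gpgconf prints an
# agent-ssh-socket line (assumption about the installed version); older
# releases print only agent-socket, and the ssh socket is that path plus
# ".ssh".  gpgconf percent-escapes special characters in values; that
# is not decoded here (assumption: no colons or spaces in the socket dir).
ssh_socket_from_listdirs() {
    awk '
        index($0, "agent-ssh-socket:") == 1 { ssh = substr($0, 18) }
        index($0, "agent-socket:") == 1     { agent = substr($0, 14) }
        END {
            if (ssh != "")        print ssh
            else if (agent != "") print agent ".ssh"
            else exit 1
        }'
}

# Does gpg-agent.conf enable ssh support on an uncommented line?
# Takes an optional path so the check can be run against a test file.
ssh_support_enabled() {
    grep -qs '^[[:space:]]*enable-ssh-support' \
        "${1:-${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf}"
}

# Print the first argument that is a live unix socket; empty arguments
# (e.g. a failed gpgconf lookup) are skipped.  Exit status 1 if none.
first_live_socket() {
    for sock in "$@"; do
        [ -n "$sock" ] && [ -S "$sock" ] && { printf '%s\n' "$sock"; return 0; }
    done
    return 1
}

# Tie it together: start an agent on demand (gpg-connect-agent /bye),
# record the current tty/DISPLAY as the agent's startup environment
# (the updatestartuptty step discussed in the thread), then export the
# first socket that actually exists.  Candidate order: what gpgconf
# reports, then the legacy ~/.gnupg path, then the /run/user location.
setup_ssh_agent() {
    ssh_support_enabled || return 0
    command -v gpgconf >/dev/null 2>&1 || return 0
    gpg-connect-agent /bye >/dev/null 2>&1
    gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
    sock=$(first_live_socket \
        "$(gpgconf --list-dirs | ssh_socket_from_listdirs)" \
        "$HOME/.gnupg/S.gpg-agent.ssh" \
        "/run/user/$(id -u)/gnupg/S.gpg-agent.ssh") || return 1
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
}

# Constructed sample of modern gpgconf output, for reference and for
# trying the parser without gpg installed.
SAMPLE_LISTDIRS='sysconfdir:/etc/gnupg
homedir:/home/bmc/.gnupg
agent-socket:/run/user/1000/gnupg/S.gpg-agent
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh'

# Only act when invoked as `sh this.sh run`; sourcing it just defines
# the functions.
if [ "${1-}" = run ]; then
    setup_ssh_agent && printf 'SSH_AUTH_SOCK=%s\n' "$SSH_AUTH_SOCK"
fi
```

Source this from a login shell (or the X session startup script) and call `setup_ssh_agent`; the `is_ssh_session && return` guard from the original function is deliberately left out so the caller decides whether an inbound ssh session should keep its forwarded agent instead.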