Bug#1079246: gcr4: Environment variable SSH_AUTH_SOCK is hijacked by gcr-ssh-agent

Raphael Hertzog hertzog at debian.org
Mon Nov 10 13:48:01 GMT 2025


Package: gcr4
Version: 4.4.0.1-7
Followup-For: Bug #1079246
Control: severity -1 important

gcr4 goes to great lengths to actually override the SSH_AUTH_SOCK set by
gpg-agent-ssh but that's not a useful thing to do.

I refer specifically to this change that landed this summer:
"Add proposed patch to ensure gcr4 is the default ssh-agent provider" by
Alessandro:
https://salsa.debian.org/gnome-team/gcr4/-/commit/2f9e7e82f03b985e7ccbb8218ead0a15e0bc5660

--- a/gcr/gcr-ssh-agent.socket.in
+++ b/gcr/gcr-ssh-agent.socket.in
@@ -1,5 +1,7 @@
 [Unit]
 Description=GCR ssh-agent wrapper
+# If gcr is installed, take priority in setting SSH_AUTH_SOCK over gpg-agent
+After=gpg-agent-ssh.socket
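
Review bot: the added "After=gpg-agent-ssh.socket" line in [Unit] applies the ordering unconditionally, so the priority claimed in the comment above it holds even when gpg-agent's SSH socket is active because the user asked for it. Either make the ordering depend on gpg-agent's SSH support not being in use, or extend the comment to say how a user who wants gpg-agent to own SSH_AUTH_SOCK is expected to opt out of this unit.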


The ssh-agent provided by gpg-agent is disabled by default. The user needs
to add enable-ssh-agent in ~/.gnupg/gpg-agent.conf to actually enable it. When
the user does this, we ought to try to respect his choice instead of
voluntarily overriding it.

My reason to use gpg-agent is because my SSH key is a GPG subkey in a Yubikey.

Please let me use it without having to resort to complicated hacks. It
took me multiple tries until I figured out how to get this properly
disabled. Hint:
* "systemctl --user disable gcr-ssh-agent.socket" does not work because
  it's enabled globally via some links in
  /etc/systemd/user/graphical-session-pre.target.wants/
* then you figure out that you need the same command under sudo with "--global"
  instead of "--user", but it still does not work
* so I try again with "systemctl --user disable" and it's now accepted but
  it still doesn't help because
  /usr/lib/systemd/user/gnome-session@gnome.target.d/gnome.session.conf
  has Wants=gcr-ssh-agent.socket
* finally I figure out that I really need to "systemctl --global
  mask gcr-ssh-agent.socket" to have something that works to not execute
  the code that overrides SSH_AUTH_SOCK

So my suggestion at this point is to actually do the opposite and use
"Before=gpg-agent-ssh.socket" because gpg-agent-ssh.socket is a no-op in
the default case, and when it's not a no-op, it's best to respect the
user's choice.

-- System Information:
Debian Release: forky/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'oldstable-security'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.17.7+deb14+1-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gcr4 depends on:
ii  dbus-user-session [default-dbus-session-bus]  1.16.2-2
ii  gcr                                           3.41.2-5
ii  init-system-helpers                           1.69
ii  libc6                                         2.41-12
ii  libgck-2-2                                    4.4.0.1-7
ii  libgcr-4-4                                    4.4.0.1-7
ii  libglib2.0-0t64                               2.86.1-2
ii  libgtk-4-1                                    4.20.2+ds-2
ii  libpango-1.0-0                                1.56.3-2
ii  libsecret-1-0                                 0.21.7-2
ii  libsystemd0                                   258.1-2

gcr4 recommends no packages.

gcr4 suggests no packages.

-- no debconf information

-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog <hertzog at debian.org>
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋    The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄⠀⠀⠀⠀   Debian Long Term Support: https://deb.li/LTS
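
The search the report describes doing by hand, as an added shell example that is not part of the original message or of gcr4: it lists the enablement symlinks, Wants=/Requires= lines and masks that decide whether a user unit such as gcr-ssh-agent.socket still gets started. The function name find_pullers and its optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report or from gcr4.
# find_pullers UNIT [ROOT]
#   UNIT  user unit to look for, e.g. gcr-ssh-agent.socket
#   ROOT  hypothetical path prefix so the search can run on a test tree
# Prints one line per finding:
#   symlink:   <target>.wants/ or .requires/ link (systemctl enable)
#   directive: unit file or drop-in with Wants=/Requires= naming UNIT
#   masked:    UNIT linked to /dev/null (systemctl mask)
# Only the common user-unit directories are searched, not the full
# systemd search path.
find_pullers() {
    unit=$1
    root=${2:-}
    for base in "${HOME:-}/.config/systemd/user" /etc/systemd/user \
                /run/systemd/user /usr/lib/systemd/user; do
        dir=$root$base
        [ -d "$dir" ] || continue

        # "disable --user" only removes links under ~/.config; links
        # created with --global live under /etc/systemd/user.
        find "$dir" \( -path "*.wants/$unit" -o -path "*.requires/$unit" \) \
            2>/dev/null | sed 's/^/symlink: /'

        # Static dependencies survive every form of "disable".
        grep -rE '^(Wants|Requires)=' "$dir" 2>/dev/null \
            | grep -F -- "$unit" | cut -d: -f1 | sort -u \
            | sed 's/^/directive: /'

        # A mask beats both of the above.
        if [ -L "$dir/$unit" ] && [ "$(readlink "$dir/$unit")" = /dev/null ]; then
            echo "masked: $dir/$unit"
        fi
    done
}

# Run directly: sh find_pullers.sh gcr-ssh-agent.socket
if [ $# -gt 0 ]; then
    find_pullers "$@"
fi
```

A unit that shows up only under "directive:" cannot be stopped with "systemctl disable", which matches the report's finding that a mask was needed.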
