Bug#1079246: gcr4: Environment variable SSH_AUTH_SOCK is hijacked by gcr-ssh-agent

Raphael Hertzog hertzog at debian.org
Mon Nov 10 15:18:49 GMT 2025


On Mon, 10 Nov 2025, Raphael Hertzog wrote:
> So my suggestion at this point is to actually do the opposite and use
> "Before=gpg-agent-ssh.socket" because gpg-agent-ssh.socket is a no-op in
> the default case, and when it's not a no-op, it's best to respect the
> user's choice.

FWIW I tried this and it seems to work but only if gcr-ssh-agent.socket is
explicitly enabled (as is the case by default). Otherwise it's started as
a dependency of gcr-agent.service and again overwrites the operation
performed by gpg-agent-ssh.socket.

Note that with the suggested "Before" setting I get this ordering (it's in
chronological order):

nov. 10 16:08:39 fr13-buxy systemd[26418]: Starting dbus.socket - D-Bus User Message Bus Socket...
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on dirmngr.socket - GnuPG network certificate management daemon.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Starting gcr-ssh-agent.socket - GCR ssh-agent wrapper...
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on gnome-keyring-daemon.socket - GNOME Keyring daemon.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on gpg-agent-browser.socket - GnuPG cryptographic agent and passphrase cache (access for web browsers).
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on gpg-agent-extra.socket - GnuPG cryptographic agent and passphrase cache (restricted).
nov. 10 16:08:39 fr13-buxy systemd[26418]: Starting gpg-agent.socket - GnuPG cryptographic agent and passphrase cache...
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on keyboxd.socket - GnuPG public key management service.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on pipewire-pulse.socket - PipeWire PulseAudio.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on pipewire.socket - PipeWire Multimedia System Sockets.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on pk-debconf-helper.socket - debconf communication socket.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on snapd.session-agent.socket - REST API socket for snapd user session agent.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on speech-dispatcher.socket - Speech Dispatcher Socket.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Starting ssh-agent.socket - OpenSSH Agent socket...
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on systemd-ask-password.socket - Query the User Interactively for a Password.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on yubikey-touch-detector.socket - Unix socket activation for YubiKey touch detector service.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on dbus.socket - D-Bus User Message Bus Socket.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on ssh-agent.socket - OpenSSH Agent socket.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on gpg-agent.socket - GnuPG cryptographic agent and passphrase cache.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Starting gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation)...
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
nov. 10 16:08:39 fr13-buxy systemd[26418]: Reached target sockets.target - Sockets.

It shows that gpg-agent.socket would also overwrite SSH_AUTH_SOCK, so
maybe you want to add an extra "After=ssh-agent.socket" since that one
is not smarter than the gcr one and overwrites the same variable
unconditionally.

Cheers,
-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog <hertzog at debian.org>
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋    The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄⠀⠀⠀⠀   Debian Long Term Support: https://deb.li/LTS
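An added example, not part of the original message or of any Debian package: a small check that reads `journalctl --user` style lines and reports which of the SSH-agent socket units named above reached "Listening" last. It assumes each of these units sets SSH_AUTH_SOCK while its socket starts, so the last one to listen is the value that survives; the function names and the second sample input are constructed for illustration.

```python
import re

# Socket units named in the message above as candidates for setting SSH_AUTH_SOCK.
SSH_AGENT_SOCKETS = ("gcr-ssh-agent.socket", "ssh-agent.socket", "gpg-agent-ssh.socket")

# Matches "Listening on <unit> - <description>" lines from a systemd user manager.
LISTENING_RE = re.compile(r"systemd\[\d+\]: Listening on (\S+\.socket) - ")

# Subset of the journal excerpt quoted in the message above.
FROM_MESSAGE = """\
nov. 10 16:08:39 fr13-buxy systemd[26418]: Starting gcr-ssh-agent.socket - GCR ssh-agent wrapper...
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on ssh-agent.socket - OpenSSH Agent socket.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on gpg-agent.socket - GnuPG cryptographic agent and passphrase cache.
nov. 10 16:08:39 fr13-buxy systemd[26418]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
"""

# Constructed input (not from the message): gcr-ssh-agent.socket comes up late,
# as when it is pulled in as a dependency instead of being enabled.
CONSTRUCTED_LATE_GCR = """\
nov. 10 16:08:39 host systemd[1000]: Listening on ssh-agent.socket - OpenSSH Agent socket.
nov. 10 16:08:39 host systemd[1000]: Listening on gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation).
nov. 10 16:08:41 host systemd[1000]: Listening on gcr-ssh-agent.socket - GCR ssh-agent wrapper.
"""

def listening_order(journal_text, units=SSH_AGENT_SOCKETS):
    """Return the given units ordered by their most recent 'Listening on' line."""
    last_seen = {}
    for lineno, line in enumerate(journal_text.splitlines()):
        match = LISTENING_RE.search(line)
        if match and match.group(1) in units:
            last_seen[match.group(1)] = lineno  # a later restart overrides an earlier entry
    return sorted(last_seen, key=last_seen.get)

def last_writer(journal_text, expected="gpg-agent-ssh.socket"):
    """Return (unit that listened last, or None; whether it is the expected one)."""
    order = listening_order(journal_text)
    last = order[-1] if order else None
    return last, last == expected

if __name__ == "__main__":
    for name, text in (("message excerpt", FROM_MESSAGE), ("constructed", CONSTRUCTED_LATE_GCR)):
        print(name, listening_order(text), last_writer(text))
```
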


