[pkg-gnupg-maint] Bug#796931: Bug#796931: gnupg-agent: no longer writes $GNUPGHOME/gpg-agent-info-$(hostname) file

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Feb 17 19:45:28 UTC 2016


severity 796931 normal
thanks

On Tue 2015-08-25 17:29:05 -0400, Thorsten Glaser wrote:
> since one of the recent upgrades, gpg-agent no longer writes its
> environment file. This is a rather bad regression for my setup,
> which uses the env file for sharing a gpg-agent across all (both
> SSH and local console or X11) sessions of one user (i.e. that
> particular sharing now becomes impossible).

For GnuPG's modern suite (2.1.x), the gpg-agent will always be
automatically launched, and will be shared by users on the
system.  There is no need for $GNUPGHOME/gpg-agent-info-$(hostname),
because they will all use $GNUPGHOME/S.gpg-agent as the standard socket.

Trying to pair this with gpg from the "classic" suite (1.4.x) is
slightly more awkward, because:

 a) gpg 1.4.x does not auto-launch the agent, and
 b) gpg 1.4.x relies on GPG_AGENT_INFO to be explicitly set

I don't want to overengineer solutions for gpg 1.4.x because the plan
for gpg 1.4.x is to make it gpg1, and have /usr/bin/gpg supplied
directly by the modern gpg.  That said, all that's needed for gpg 1.4.x
to work (assuming "use-agent" has been set in gpg.conf) is to ensure the
agent is running (e.g. "gpg-connect-agent /bye" or "gpgconf --launch
gpg-agent"), and to ensure that GPG_AGENT_INFO is set explicitly to
$GNUPGHOME/S.gpg-agent:0:1

For ssh, the situation is similar: a standard socket will be used
($GNUPGHOME/S.gpg-agent.ssh), and the OpenSSH tools need to be informed
about it via the SSH_AUTH_SOCK environment variable.

So I think all of this boils down to:

 gpgconf --launch gpg-agent
 export GPG_AGENT_INFO=$HOME/.gnupg/S.gpg-agent:0:1
 if [ -n "$(gpgconf --list-options gpg-agent | awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
    export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh
 fi

I think this is a plausible workaround for the use cases described in
this bug, and it should be pretty simple.

Please let me know how this works for you.  I don't think anyone should
need any gpg-agent-info-$(hostname) file at all to support the use case
you describe.

       --dkg