[pkg-gnupg-maint] Bug#796931: Bug#796931: gnupg-agent: no longer writes $GNUPGHOME/gpg-agent-info-$(hostname) file
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Feb 17 19:45:28 UTC 2016
severity 796931 normal
thanks
On Tue 2015-08-25 17:29:05 -0400, Thorsten Glaser wrote:
> since one of the recent upgrades, gpg-agent no longer writes its
> environment file. This is a rather bad regression for my setup,
> which uses the env file for sharing a gpg-agent across all (both
> SSH and local console or X11) sessions of one user (i.e. that
> particular sharing now becomes impossible).
For GnuPG's modern suite (2.1.x), the gpg-agent will always be
automatically launched, and will be shared by users on the
system. There is no need for $GNUPGHOME/gpg-agent-info-$(hostname),
because they will all use $GNUPGHOME/S.gpg-agent as the standard socket.
Trying to pair this with gpg from the "classic" suite (1.4.x) is
slightly more awkward, because:
a) gpg 1.4.x does not auto-launch the agent, and
b) gpg 1.4.x relies on GPG_AGENT_INFO to be explicitly set
I don't want to overengineer solutions for gpg 1.4.x because the plan
for gpg 1.4.x is to make it gpg1, and have /usr/bin/gpg supplied
directly by the modern gpg. That said, all that's needed for gpg 1.4.x
to work (assuming "use-agent" has been set in gpg.conf) is to ensure the
agent is running (e.g. "gpg-connect-agent /bye" or "gpgconf --launch
gpg-agent"), and to ensure that GPG_AGENT_INFO is set explicitly to
$GNUPGHOME/S.gpg-agent:0:1
For ssh, the situation is similar: a standard socket will be used
($GNUPGHOME/S.gpg-agent.ssh), and the OpenSSH tools need to be informed
about it via the SSH_AUTH_SOCK environment variable.
So I think all of this boils down to:
gpgconf --launch gpg-agent
export GPG_AGENT_INFO=$HOME/.gnupg/S.gpg-agent:0:1
if [ -n "$(gpgconf --list-options gpg-agent | awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
    export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh
fi
I think this is a plausible workaround for the use cases described in
this bug, and it should be pretty simple.
Please let me know how this works for you. I don't think anyone should
need any gpg-agent-info-$(hostname) file at all to support the use case
you describe.
--dkg
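The workaround above, worked through as an added example that is not part of dkg's mail: it derives the GPG_AGENT_INFO and SSH_AUTH_SOCK exports from the colon-separated records that `gpgconf --list-options gpg-agent` prints, honours $GNUPGHOME instead of hard-coding ~/.gnupg, and checks that the standard socket actually exists. The gpgconf output used here is a constructed sample (flag and level numbers are illustrative), and the function names are this example's own.

```shell
#!/bin/sh
# gpgconf --list-options prints one record per option with the fields
#   name:flags:level:description:type:alt-type:argname:default:argdef:value
# so field 10 is the value currently configured for the option.

# Constructed sample of `gpgconf --list-options gpg-agent` output:
# ssh support enabled in the first, disabled in the second.
SAMPLE_SSH_ON='default-cache-ttl:16:2:|N|expire cached PINs after N seconds:1:1:N:600::
enable-ssh-support:16:2:enable ssh support:0:0::::1
pinentry-program:16:2:|PGM|use PGM as the PIN entry program:35:35:PGM:::'
SAMPLE_SSH_OFF='enable-ssh-support:16:2:enable ssh support:0:0::::'

# ssh_support_enabled OPTIONS_TEXT -> exit 0 if enable-ssh-support is set
ssh_support_enabled() {
    printf '%s\n' "$1" | awk -F: '/^enable-ssh-support:/ { v = $10 }
                                  END { if (v == "") exit 1 }'
}

# agent_env OPTIONS_TEXT [GNUPGHOME] -> prints the export lines to eval
agent_env() {
    home="${2:-${GNUPGHOME:-$HOME/.gnupg}}"
    # gpg 1.4.x reads GPG_AGENT_INFO as <socket>:<pid>:<protocol-version>;
    # 0 and 1 are the values dkg's workaround uses for the standard socket.
    printf 'export GPG_AGENT_INFO=%s/S.gpg-agent:0:1\n' "$home"
    # Only point OpenSSH at the agent when ssh support is really enabled
    if ssh_support_enabled "$1"; then
        printf 'export SSH_AUTH_SOCK=%s/S.gpg-agent.ssh\n' "$home"
    fi
}

# agent_socket_present GNUPGHOME -> exit 0 if the standard socket exists
agent_socket_present() {
    [ -S "$1/S.gpg-agent" ]
}

# Live use (not invoked here): launch the agent as the mail describes,
# then export the variables built from the real gpgconf output.
setup_shared_agent() {
    command -v gpgconf >/dev/null 2>&1 || { echo 'gpgconf not found' >&2; return 1; }
    gpgconf --launch gpg-agent || return 1
    eval "$(agent_env "$(gpgconf --list-options gpg-agent)")"
    agent_socket_present "${GNUPGHOME:-$HOME/.gnupg}"
}
```

Put `setup_shared_agent` in a login profile that every session type (SSH, console, X11) sources and each one resolves the same $GNUPGHOME/S.gpg-agent socket, with no per-host info file involved.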