[pkg-gnupg-maint] Bug#855868: Bug#855868: GPG_AGENT_INFO and SSH_AUTH_SOCK not set in wayland sessions

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Feb 22 20:21:05 UTC 2017


On Wed 2017-02-22 11:17:59 -0500, Laurent Bigonville wrote:
> In X11 session, GPG_AGENT_INFO (and SSH_AUTH_SOCK) are set in the user
> environment.

SSH_AUTH_SOCK should only be set in the user environment by gpg-agent if
enable-ssh-support is set in ~/.gnupg/gpg-agent.conf (see
/etc/X11/Xsession.d/90gpg-agent for details).

GPG_AGENT_INFO is only necessary for users of GnuPG's 1.4 and 2.0
branches, which upstream describes as "in deep maintenance mode" and
"EOL at the end of 2017", respectively.  stretch will not ship the GnuPG
2.0 branch at all, and will ship the 1.4 branch only as gnupg1, which is
explicitly deprecated.

> With GNOME running a wayland session, this is not set.
>
> So the question is, what are the consequences of these environment
> variables not being set? And what should be the solution? Should all the
> software stop relying on these environment variables? Or should the
> compositors export that to the user environment?

I'm happy if users of modern systems like wayland completely ignore
archaisms like GPG_AGENT_INFO.  So we can check that one off :)

ssh will continue to rely on SSH_AUTH_SOCK to decide which agent to use,
of course.  And modern versions of gpg-agent will always have the
ssh-agent authentication socket available by default (regardless of the
enable-ssh-support setting) in the "standard socket" location of:
/run/user/$(id -u)/gnupg/S.gpg-agent.ssh

The question is whether the gpg-agent package ought to try to set the
environment variable, or whether some other part of wayland session
initiation should take care of it.  If OpenSSH's ssh-agent is installed
on a system that doesn't have enable-ssh-support set, does ssh-agent
itself get launched?

Currently we're only setting SSH_AUTH_SOCK in the gpg-agent package
because it has been historically set based on older invocations of
gpg-agent (which used randomized socket paths).  With the modern
gpg-agent arrangement and the standard socket path, i'm less convinced
that this variable should be controlled by settings in
~/.gnupg/gpg-agent.conf, except for the fact that people might
historically expect it.  Maybe switching to Wayland is a good
opportunity for people to switch over to some more sensible
configuration mechanism, but i don't know what that would be
specifically.

If someone wants to propose such a mechanism, i'm happy to review it.

Thanks for your attention to these details, Laurent!

       --dkg
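
Added example, not part of the message above and not the contents of /etc/X11/Xsession.d/90gpg-agent: a session-startup sketch that exports SSH_AUTH_SOCK as the standard socket path named in the mail only when enable-ssh-support is an active option in ~/.gnupg/gpg-agent.conf. The function name gpg_agent_ssh_sock and the treatment of '#' lines as comments are assumptions of this example.

```sh
#!/bin/sh
# Added example: decide whether a session should point ssh at gpg-agent.

# gpg_agent_ssh_sock CONF UID
# Prints the standard ssh socket path for UID and returns 0 only if CONF
# contains an active "enable-ssh-support" line. Commented-out lines,
# a missing file, and look-alike option names all return 1.
gpg_agent_ssh_sock() {
    conf=$1
    uid=$2
    # Option must start the line (after optional whitespace) and be followed
    # by whitespace or end of line, so "# enable-ssh-support" does not match.
    grep -Eq '^[[:space:]]*enable-ssh-support([[:space:]]|$)' "$conf" \
        2>/dev/null || return 1
    printf '%s\n' "/run/user/$uid/gnupg/S.gpg-agent.ssh"
}

# Session startup: export the variable only when the user opted in.
if sock=$(gpg_agent_ssh_sock "${HOME:-}/.gnupg/gpg-agent.conf" "$(id -u)"); then
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
fi
```

The hard-coded path matches the default ~/.gnupg home directory only; `gpgconf --list-dirs agent-ssh-socket` reports the path gpg-agent will actually use.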