[pkg-gnupg-maint] Bug#1078787: gpg-agent-ssh.socket ignores enable-ssh-support, stomps on SSH_AUTH_SOCK from ssh-agent.service
Andreas Metzler
ametzler at bebt.de
Sat Aug 17 13:18:47 BST 2024
On 2024-08-16 Richard Hansen <rhansen at rhansen.org> wrote:
> On 8/16/24 05:55, Andreas Metzler wrote:
> > I think I will revert
> > https://salsa.debian.org/debian/gnupg2/-/commit/2ed898c22475d25dbc874b9cdc82063c31c4e603
> That would work, although I wonder: If the user has enable-ssh-support in
> their ~/.gnupg/gpg-agent.conf and disables the gpg-agent-ssh.socket unit
> file, wouldn't that environment generator still set SSH_AUTH_SOCK? Wouldn't
> it be better to never set SSH_AUTH_SOCK if gpg-agent-ssh.socket is disabled?
Hello,

hm, afaict systemd does not offer dependencies between
environment-generators and units (otherwise afaict BindsTo with After
would do the trick).

One could document that changing/enabling the unit also might require
changes to the generator.

BTW two questions:

Is it necessary to use

ExecStartPost=sh -c '[ -z "$$(gpgconf --list-options gpg-agent | awk -F: \'/^enable-ssh-support:/{print$$10}\')" ] || systemctl --user set-environment "$$@"' - "SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh"

instead of the simpler

ExecStartPost=sh -c '[ -z "$$(gpgconf --list-options gpg-agent | awk -F: \'/^enable-ssh-support:/{print$$10}\')" ] || systemctl --user set-environment "SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh"'

I could not find whether single quotes in systemd files prevent % (or
even $)-expansion, perhaps you can help me. - TIA

The generator checked the "okay" field in 'gpgconf --check-options
gpg-agent'. I guess you left that out in the socket file because the
ExecStartPost command will only run if the agent started successfully.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
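
The two ExecStartPost forms compared in the message above, as an added example that is not part of the original e-mail or of the Debian packaging. It assumes systemd has already substituted %t and turned $$ into $ before sh starts; `report` stands in for `systemctl --user set-environment`, `GPGCONF_OUT` stands in for the gpgconf call, and the gpgconf records and both paths are constructed (a real %t would not normally contain a `$`).

```shell
# Constructed gpgconf-style records (colon-separated, field 10 = current value).
SAMPLE_ON='enable-ssh-support:1:1:enable ssh support:0:0::::1'
SAMPLE_OFF='enable-ssh-support:1:1:enable ssh support:0:0::::'

# Constructed values for the expanded assignment: a typical one and an odd one.
NORMAL='SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh'
ODD='SSH_AUTH_SOCK=/run/user/$x/gnupg/S.gpg-agent.ssh'

# Stand-in for systemctl: prints "<argument count>|<first argument>".
STUB='report() { printf "%s|%s\n" "$#" "$1"; }; '

# Same test as in the message: true when field 10 of enable-ssh-support is empty.
# GPGCONF_OUT replaces the real `gpgconf --list-options gpg-agent` call.
CHECK='[ -z "$(printf "%s\n" "$GPGCONF_OUT" | awk -F: "/^enable-ssh-support:/{print \$10}")" ]'

# First form: the assignment is a positional parameter; the script text is constant.
# $1 = gpgconf output, $2 = assignment as systemd would pass it.
form_positional() {
    GPGCONF_OUT=$1 sh -c "${STUB}${CHECK}"' || report "$@"' - "$2"
}

# Second form: the assignment is pasted into the script text, so the inner
# shell parses it again inside double quotes.
form_embedded() {
    GPGCONF_OUT=$1 sh -c "${STUB}${CHECK} || report \"$2\""
}
```

With the typical path both forms hand the stub the same single argument; only the positional form passes the odd path through unchanged, because the inner shell never parses it as script text.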