| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
The pinentry_* variants are all aliases and the actual packages are
separated with a dash instead. Since NixOS VM tests no longer allow
aliases, we need to use the real package name instead to avoid
evaluation errors.
Signed-off-by: aszlig <aszlig@nix.build>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is another alias which got introduced in 2018, because the actual
command is "pkg-config" and so the package name containing a dash is
more reasonable.
The reason why I'm doing this is because NixOS VM tests now disallow
aliases and while the evaluation error in question only affected the
"gnupg" test, I decided to change all occurences in the event that we
might want to disallow aliases for things other than VM tests.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @sternenseemann for "opam-env"
|
| |
|
|
|
| |
Since we pass the config, the home directory config isn’t picked up
anymore, so I need to pass it via `extraConfig`.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GnuPG version 2.2.26 got a refactor of the option parser and now no
longer preserves options set via command line flags when sending the HUP
signal.
I think this is an upstream regression and ideally we should submit a
bug report and or patch upstream, so this should be treated as a
workaround since I currently have limited time and just wanted fix our
integration module.
Since the config file is actually reloaded on HUP, we're now simply
passing the same options via file rather than via arguments.
Signed-off-by: aszlig <aszlig@nix.build>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
A recent change[1] has removed the lib output from the systemd package,
so our GnuPG agent wrapper no longer compiles.
Using getLib falls back to the "out" output if the "lib" output is
unavailable and should be backwards- and forwards-compatible (in case
the "lib" output is added back someday).
[1]: https://github.com/NixOS/nixpkgs/commit/b68bddfbda2092c5fde2c4cece2
Signed-off-by: aszlig <aszlig@nix.build>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Using "with lib;" over such a broad scope makes it more difficult to
detect early evaluation errors since we need to evaluate the whole
system to check whether a non-existing attribute set is actually using
the "lib" fallback or whether it really exists in the current scope.
This makes "nix-instantiate --parse" feasible for detecting typos early
on.
Signed-off-by: aszlig <aszlig@nix.build>
|
| |
|
|
|
|
|
|
|
|
|
| |
Prior to NixOS/nixpkgs@cb0adc11ffb0926adae7aa2ed22835c4f9ea971c, the
"pinentry" attribute defaulted to the GTK 2 flavour, but with the
mentioned commit, the default has changed to the ncurses one.
To make sure we have the same behaviour in our VM test as we had before
that change, I explicitly changed our default pinentry to pinentry_gtk2.
Signed-off-by: aszlig <aszlig@nix.build>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
See the release announcement at:
https://lists.gnupg.org/pipermail/gnupg-announce/2016q4/000398.html
Unfortunately we still need the wrapper, because we need to pick up the
PID of the socket endpoint in order to gather various information we can
pass to pinentry (which then for example can recognize that the actual
SSH client is using X or is using a particular TTY).
On the upside however, this is a step into a direction I didn't imagine
to happen anytime soon, given the following statement from Werner Koch
back then:
https://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029104.html
However I don't think the way I'm picking up the PID and doing
inspection of /proc/PID is going to happen in upstream GnuPG anytime
soon. But after cleaning up and doing it as a patch I might now consider
upstreaming it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
| |
|
|
|
|
|
|
|
|
| |
Since NixOS/nixpkgs@97bfc2fac92d90c668ae1ec078356d0bd0a9ddb7, runCommand
uses stdenvNoCC, so we don't have a compiler available anymore.
However, there is now a runCommandCC function which does exactly what we
want.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
| |
|
|
|
|
|
| |
The systemd library has been splitted off into a different output in
NixOS/nixpkgs@78178d5854901e1b17a14bce3fe43515984b7b91.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using systemctl restart or systemctl stop on any of the GnuPG
services, the sockets were closed and removed.
However we are using socket activation, so a simple restart of for
example the agent would cause the socket to be closed and removed and
afterwards the gpg-agent service is unable to pick up the socket again,
thus failing to start.
This in turn has led to GnuPG starting the agent by its own, entirely
bypassing socket activation and our shiny service module.
In order to cope with this, we need to provide LD_PRELOAD wrappers also
for remove() and close(), so that we can prevent GnuPG from closing the
systemd file descriptors.
I've also added a small subtest to ensure this won't happen again in the
future.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since GnuPG version 2.1.13 (NixOS/nixpkgs@b586b00), there is support for
XDG_RUNTIME_DIR so the sockets are in /run/user/gnupg instead of
~/.gnupg.
The full announcement can be found here:
https://lists.gnupg.org/pipermail/gnupg-announce/2016q2/000390.html
Unfortunately the fix is a bit more complicated, because if GNUPGHOME is
set to a non-default location, the sockets are to be found within the
directory specified in $GNUPGHOME instead.
So we also need to check the version of GnuPG so that we can properly
split up the socket directory from the GNUPGHOME.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
| |
|
|
|
|
|
|
| |
It doesn't make sense to pollute the system with additional environment
variables if we're using the defaults anyway, so only set it if it's not
"~/.gnupg".
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
|
|
We do things such as placing gnupg into environment.systemPackages, so
calling this just "programs.gpg-agent" doesn't fit that. Especially if
we really want to have a way to specify configuration values in case I'm
getting masochistic someday ;-)
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
