path: root/modules/programs
Commit message | Author | Age | Files | Lines
* modules/programs/foot: install foot terminfo over ncurses-shipped ones | sternenseemann | 2022-11-23 | 1 | -1/+1
* modules/gnupg: Replace pinentry_* with pinentry-* | aszlig | 2021-06-16 | 1 | -3/+3
  The pinentry_* variants are all aliases and the actual packages are separated with a dash instead. Since NixOS VM tests no longer allow aliases, we need to use the real package name instead to avoid evaluation errors.
  Signed-off-by: aszlig <aszlig@nix.build>
* treewide: Replace pkgconfig with pkg-config | aszlig | 2021-06-16 | 1 | -1/+1
  This is another alias which got introduced in 2018, because the actual command is "pkg-config" and so the package name containing a dash is more reasonable. The reason why I'm doing this is because NixOS VM tests now disallow aliases and while the evaluation error in question only affected the "gnupg" test, I decided to change all occurrences in the event that we might want to disallow aliases for things other than VM tests.
  Signed-off-by: aszlig <aszlig@nix.build>
  Cc: @sternenseemann for "opam-env"
* modules/programs/gnupg: allow extraConfig for gpg-agent.conf | Profpatsch | 2021-03-25 | 1 | -0/+16
  Since we pass the config, the home directory config isn’t picked up anymore, so I need to pass it via `extraConfig`.
* gnupg: Work around GPG agent reload with v2.2.26 | aszlig | 2021-02-16 | 1 | -10/+12
  GnuPG version 2.2.26 got a refactor of the option parser and now no longer preserves options set via command line flags when sending the HUP signal. I think this is an upstream regression and ideally we should submit a bug report and/or patch upstream, so this should be treated as a workaround since I currently have limited time and just wanted to fix our integration module. Since the config file is actually reloaded on HUP, we're now simply passing the same options via file rather than via arguments.
  Signed-off-by: aszlig <aszlig@nix.build>
* modules/programs/foot: init | sternenseemann | 2021-02-07 | 1 | -0/+204
  Module for the foot (wayland) terminal emulator. Approach for this module is to take advantage of toINI and freeform module types to allow users to freely set any option while still offering some higher level representations for fields where plain strings would be inconvenient.
* modules/gnupg: Use getLib to get systemd library | aszlig | 2020-09-08 | 1 | -1/+1
  A recent change[1] has removed the lib output from the systemd package, so our GnuPG agent wrapper no longer compiles. Using getLib falls back to the "out" output if the "lib" output is unavailable and should be backwards- and forwards-compatible (in case the "lib" output is added back someday).
  [1]: https://github.com/NixOS/nixpkgs/commit/b68bddfbda2092c5fde2c4cece2
  Signed-off-by: aszlig <aszlig@nix.build>
* modules/gnupg: Remove "with lib;" on whole module | aszlig | 2020-09-08 | 1 | -17/+17
  Using "with lib;" over such a broad scope makes it more difficult to detect early evaluation errors since we need to evaluate the whole system to check whether a non-existing attribute set is actually using the "lib" fallback or whether it really exists in the current scope. This makes "nix-instantiate --parse" feasible for detecting typos early on.
  Signed-off-by: aszlig <aszlig@nix.build>
* modules/gnupg: Default to using pinentry_gtk2 | aszlig | 2019-11-02 | 1 | -3/+3
  Prior to NixOS/nixpkgs@cb0adc11ffb0926adae7aa2ed22835c4f9ea971c, the "pinentry" attribute defaulted to the GTK 2 flavour, but with the mentioned commit, the default has changed to the ncurses one. To make sure we have the same behaviour in our VM test as we had before that change, I explicitly changed our default pinentry to pinentry_gtk2.
  Signed-off-by: aszlig <aszlig@nix.build>
* modules/fish/fasd: fix fish script bug | Profpatsch | 2017-02-10 | 1 | -1/+1
  The function invocation apparently got less lenient, the function name *must* come first now, before any arguments.
* modules/gnupg: Support --supervised since 2.1.16 | aszlig | 2016-11-28 | 2 | -20/+52
  See the release announcement at:
  https://lists.gnupg.org/pipermail/gnupg-announce/2016q4/000398.html
  Unfortunately we still need the wrapper, because we need to pick up the PID of the socket endpoint in order to gather various information we can pass to pinentry (which then for example can recognize that the actual SSH client is using X or is using a particular TTY).
  On the upside however, this is a step into a direction I didn't imagine to happen anytime soon, given the following statement from Werner Koch back then:
  https://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029104.html
  However I don't think the way I'm picking up the PID and doing inspection of /proc/PID is going to happen in upstream GnuPG anytime soon. But after cleaning up and doing it as a patch I might now consider upstreaming it.
  Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* programs/gnupg: Use runCommandCC for wrappers | aszlig | 2016-10-09 | 1 | -2/+2
  Since NixOS/nixpkgs@97bfc2fac92d90c668ae1ec078356d0bd0a9ddb7, runCommand uses stdenvNoCC, so we don't have a compiler available anymore. However, there is now a runCommandCC function which does exactly what we want.
  Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* modules/gnupg: Fix path to libsystemd.so | aszlig | 2016-09-11 | 1 | -1/+1
  The systemd library has been split off into a different output in NixOS/nixpkgs@78178d5854901e1b17a14bce3fe43515984b7b91.
  Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* modules/gnupg: Don't close/remove sockets on stop | aszlig | 2016-06-26 | 1 | -24/+78
  When using systemctl restart or systemctl stop on any of the GnuPG services, the sockets were closed and removed. However we are using socket activation, so a simple restart of for example the agent would cause the socket to be closed and removed and afterwards the gpg-agent service is unable to pick up the socket again, thus failing to start.
  This in turn has led to GnuPG starting the agent on its own, entirely bypassing socket activation and our shiny service module.
  In order to cope with this, we need to provide LD_PRELOAD wrappers also for remove() and close(), so that we can prevent GnuPG from closing the systemd file descriptors.
  I've also added a small subtest to ensure this won't happen again in the future.
  Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* modules/gnupg: Support sockets in XDG_RUNTIME_DIR | aszlig | 2016-06-26 | 1 | -7/+16
  Since GnuPG version 2.1.13 (NixOS/nixpkgs@b586b00), there is support for XDG_RUNTIME_DIR so the sockets are in /run/user/gnupg instead of ~/.gnupg.
  The full announcement can be found here:
  https://lists.gnupg.org/pipermail/gnupg-announce/2016q2/000390.html
  Unfortunately the fix is a bit more complicated, because if GNUPGHOME is set to a non-default location, the sockets are to be found within the directory specified in $GNUPGHOME instead. So we also need to check the version of GnuPG so that we can properly split up the socket directory from the GNUPGHOME.
  Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* programs/fish/fasd: fasd integration for fish | Profpatsch | 2016-04-11 | 1 | -0/+30
  Add simple fasd integration for fish. A command `z` directly jumps to the most “frecent” folder fitting its argument.
* modules/gnupg: Only set GNUPGHOME if non-default | aszlig | 2016-04-04 | 1 | -0/+2
  It doesn't make sense to pollute the system with additional environment variables if we're using the defaults anyway, so only set it if it's not "~/.gnupg".
  Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* modules: Rename gpg-agent to gnupg | aszlig | 2016-04-04 | 3 | -30/+39
  We do things such as placing gnupg into environment.systemPackages, so calling this just "programs.gpg-agent" doesn't fit that. Especially if we really want to have a way to specify configuration values in case I'm getting masochistic someday ;-)
  Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* modules/gpg-agent: Use dlopen() for libsystemd | aszlig | 2016-04-04 | 2 | -2/+22
  Latest <nixpkgs> (NixOS/nixpkgs@e899ffc as of my latest pull) causes our preloader to load fork() from libpthread instead of using the overridden one from the preload wrapper (without store paths to be easier to read):

    binding file gpg-agent [0] to libpthread.so.0 [0]: normal symbol `fork' [GLIBC_2.2.5]

  However, at the time I've committed 8db1803, I was testing it on an older version (NixOS/nixpkgs@81af597) and it was bound correctly:

    binding file gpg-agent [0] to gpg-agent-wrapper [0]: normal symbol `fork' [GLIBC_2.2.5]

  Now after bisecting this against the latest <nixpkgs> master, it revealed that one of the following commits could be the problem:

    * NixOS/nixpkgs@559ecc9: stdenv-linux: Avoid building m4/bison twice
    * NixOS/nixpkgs@817145e: binutils: 2.23.1 -> 2.26
    * NixOS/nixpkgs@2040a9a: stdenv-linux: Ensure binutils comes before bootstrapTools in $PATH

  So my guess was that the binutils update changed that behaviour somehow, so I checked against 2.23.1 (reverted NixOS/nixpkgs@817145e) and 2.25 and it worked correctly.
  I didn't bisect this against the binutils source tree, but what happens is that because we depend on libsystemd in our wrapper, libsystemd (and thus libpthread) is loaded first and thus we can't override things anymore which get pulled in by RTLD while loading libsystemd.
  The reason why I now went with dlopen() is that even if the behaviour is back to that of binutils 2.25, we want to make sure that even if something in ld.so should change which affects this as well we're still not tripping into the same problem again.
  Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* modules/gpg-agent: Hide internals of preloader | aszlig | 2016-04-04 | 1 | -9/+9
  First of all, let's inline the first_fork variable, because we don't want this variable to be exposed as a symbol, even though it doesn't hurt (except maybe for a very very very tiny improvement in RTLD lookup performance).
  And apart from the first_fork variable, there were a few other symbols we don't want to propagate to the RTLD chain as well:

    0000000000001465 T accept
    000000000000130b T bind
    000000000000153e T execv
    0000000000001610 T _fini
    00000000000013b8 T fork
    0000000000000fe0 T get_sd_fd_for
    0000000000001420 T get_socket_pid
    0000000000000d80 T _init
    00000000000012fa T listen
    00000000000012b8 T record_sockfd

  So in the end we're down to:

    00000000000011fb T accept
    00000000000010a1 T bind
    00000000000012c8 T execv
    0000000000001390 T _fini
    000000000000114e T fork
    0000000000000b68 T _init
    0000000000001090 T listen

  ... which is a lot more clean and even though our stuff doesn't collide with existing libraries in the chain it's better to be safe than sorry.
  Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* modules/gpg-agent: Remove unused debug/test code | aszlig | 2016-04-04 | 1 | -11/+0
  I've used this to test compilation of the agent wrapper at an early state of development and I've accidentally committed this along with 8db1803b5d9865b2355fabdb6bb974d879ce57cc.
  Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* Add a new module and test for gpg-agent | aszlig | 2016-04-02 | 4 | -0/+670
  Since NixOS/nixpkgs@5391882 there no longer is the option to start the agent during X session startup, which prompted me to write this module.
  I was unhappy how GnuPG is handled in NixOS since a long time and wanted to OCD all the configuration files directly into the module. Unfortunately, this is something I eventually gave up because GnuPG's design makes it very hard to preseed configuration.
  My first attempt was to provide default configuration files in /etc/gnupg, but that wasn't properly picked up by GnuPG. Another way would have been to change the default configuration files, but that would have the downside that we could only override those configurations using command line options for each individual GnuPG component.
  The approach I tried to go for was to patch GnuPG so that all the defaults are directly set in the source code using a giant sed expression. It turned out that this approach doesn't work very well, because every component has implemented its own ways how to handle commandline arguments versus (default) configuration files.
  In the end I gave up trying to OCD anything related to GnuPG configuration and concentrated just on the agent. And that's another beast, which unfortunately doesn't work very well with systemd.
  While searching the net for existing patches I stumbled upon one done by @shlevy:
  https://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029092.html
  Unfortunately, the upstream author seems to be quite anti-systemd and didn't want to accept that into the upstream project. Because of this I went for using LD_PRELOAD to pick up the file descriptors provided by the systemd sockets, because in the end I don't want to constantly catch up with upstream and rebase the patch on every new release.
  Apart from just wrapping the agent to be socket activated, we also wrap the pinentry program, so that we can inject a _CLIENT_PID environment variable from the LD_PRELOAD wrapper that is picked up by the pinentry wrapper to determine the TTY and/or display of the client communicating with the agent. The wrapper uses the proc filesystem to get all the relevant information and passes it to the real pinentry.
  The advantage of this is that we don't need to do things such as "gpg-connect-agent updatestartuptty /bye" or any other workarounds and even if we connect via SSH the agent should be able to correctly pick up the TTY and/or display.
  Signed-off-by: aszlig <aszlig@redmoonstudios.org>