gnupg-2.2.4[1] added the '--enable-run-gnupg-user-socket' configure option. This option allows gpg-agent to use '/run/gnupg/user/<uid>' for sockets if it exists. Otherwise it will use the default '/run/user/<uid>'. This is useful for me because I'm starting gpg-agent via pam_exec right after user authentication to preset the agent passphrase. Starting gpg-agent this early means there is no '/run/user/<uid>' yet, so the sockets are created in '~/.gnupg'. This is okay except when another gpg-agent process is started. The new gpg-agent process will create sockets in '/run/user/<uid>', which now exists. The '--enable-run-gnupg-user-socket' option prevents the issue of having multiple instances of gpg-agent. I have tested this by adding '--enable-run-gnupg-user-socket' to the gnupg-2.2.8 ebuild. Please consider enabling this option. [1] https://lists.gnupg.org/pipermail/gnupg-announce/2017q4/000419.html
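The socket-directory lookup order described in the report (prefer /run/gnupg/user/<uid> when the option is enabled and the directory exists, fall back to /run/user/<uid>, and finally to ~/.gnupg) is easy to mis-reason about, since the answer changes between a pam_exec-time start and a later start. The following POSIX sh snippet is an added illustration written for this page, not code from GnuPG or from the bug thread: the function gnupg_socket_dir, its prefix argument (so the lookup can be exercised against a temporary tree instead of the real /run) and the demo are all assumptions of this example and model the behaviour as the report describes it.

```shell
#!/bin/sh
# Added example: model the gpg-agent socket-directory choice described in the
# bug report. "prefix" is a hypothetical argument so the lookup can be run
# against a scratch tree rather than the real filesystem.
#
# Usage: gnupg_socket_dir <uid> <home> <prefix> <run_gnupg_user_socket_enabled: 1|0>
gnupg_socket_dir() {
    uid=$1; home=$2; prefix=$3; enabled=$4
    if [ "$enabled" = 1 ] && [ -d "$prefix/run/gnupg/user/$uid" ]; then
        # Build-time option on and the persistent directory exists: use it.
        printf '%s\n' "$prefix/run/gnupg/user/$uid"
    elif [ -d "$prefix/run/user/$uid" ]; then
        # Default: the per-login runtime directory, if it has been created yet.
        printf '%s\n' "$prefix/run/user/$uid"
    else
        # No runtime directory (e.g. agent started from pam_exec before the
        # session exists): sockets land in the GnuPG home directory.
        printf '%s\n' "$home/.gnupg"
    fi
}

# Returns 0 if the directory chosen before and after /run/user/<uid> appears
# is the same (one agent instance), 1 if it changes (second agent possible).
socket_dir_stable_across_login() {
    uid=$1; home=$2; prefix=$3; enabled=$4
    before=$(gnupg_socket_dir "$uid" "$home" "$prefix" "$enabled")
    mkdir -p "$prefix/run/user/$uid"
    after=$(gnupg_socket_dir "$uid" "$home" "$prefix" "$enabled")
    [ "$before" = "$after" ]
}

# Demo against a constructed scratch tree: with the option off the directory
# moves from ~/.gnupg to /run/user/<uid> once the session directory appears;
# with the option on and /run/gnupg/user/<uid> present it stays put.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/home"
    if socket_dir_stable_across_login 1000 "$scratch/home" "$scratch" 0; then
        echo "option off: stable"
    else
        echo "option off: socket directory changed after login"
    fi
    rm -rf "$scratch/run"
    mkdir -p "$scratch/run/gnupg/user/1000"
    if socket_dir_stable_across_login 1000 "$scratch/home" "$scratch" 1; then
        echo "option on: stable"
    else
        echo "option on: socket directory changed after login"
    fi
    rm -rf "$scratch"
}

demo
```

On a live system the equivalent check is simply gpgconf --list-dirs agent-socket run once from the early-start context and once from an interactive session; if the two paths differ, a second gpg-agent can be spawned exactly as the report describes.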
Several pinentry variants have support for libsecret / libwallet and can as such use the keyring for the window manager you use, have you looked into whether this option for password cache can be appropriate for your situation? Unless you need SSH connectivity early on I don't necessarily see a reason for such an early start. For OpenPGP operations gpg-agent will be auto-started so it doesn't need an explicit launch. Admittedly I've mostly just used a gpg-connect-agent /bye in .bashrc to ensure it is available also for SSH agent ( export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) ).
I need the early start so I can use the auth token (i.e. login password) from pam_exec to auto unlock my kwallet, which is GPG encrypted. kwallet only supports auto unlocking if the wallet is Blowfish encrypted. I tried using the GnuPG socket redirection feature, but that doesn't prevent multiple gpg-agent processes from starting.
Is there any plan to make this change to the gnupg ebuild?
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0f0401e5098b6f4e0a0f85ce24de3acda1bcb68

commit d0f0401e5098b6f4e0a0f85ce24de3acda1bcb68
Author:     Kristian Fiskerstrand <k_f@gentoo.org>
AuthorDate: 2018-10-21 11:50:57 +0000
Commit:     Kristian Fiskerstrand <k_f@gentoo.org>
CommitDate: 2018-10-21 12:03:51 +0000

    app-crypt/gnupg: Add user-socket USE flag

    The user-socket USE flag enables --enable-run-gnupg-user-socket.

    Closes: https://bugs.gentoo.org/663142
    Signed-off-by: Kristian Fiskerstrand <k_f@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11

 .../gnupg/{gnupg-2.2.10-r1.ebuild => gnupg-2.2.10-r2.ebuild} | 9 +++++++--
 app-crypt/gnupg/metadata.xml                                 | 3 +++
 2 files changed, 10 insertions(+), 2 deletions(-)