authorAaron LI <aly@aaronly.me>2018-02-20 22:34:56 +0800
committerAaron LI <aly@aaronly.me>2018-02-20 22:34:56 +0800
commit6808da56ad6ecd8c1ebf7ca6a39495df4f7ebbd2 (patch)
tree80142bdab04ebf9d3de3398e912ffda275556659
parent3f80c4abe8f866d6ed730518af2289a51b5097a5 (diff)
gpg: rewrite gpg-agent handling with zsh
* do not hack to force the use of `pinentry-curses` with custom `pinentry` and `gpg2-x11` shims * explain how to use `pinentry-gtk-2`, which will fall back to text mode * simply launch `gpg-agent` with `gpgconf --launch`
-rw-r--r--_zlogin2
-rw-r--r--_zsh/80-gpg.zsh67
-rwxr-xr-xbin/gpg2-x1118
-rwxr-xr-xbin/pinentry34
4 files changed, 13 insertions, 108 deletions
diff --git a/_zlogin b/_zlogin
index 27eb391..65a0364 100644
--- a/_zlogin
+++ b/_zlogin
@@ -14,7 +14,7 @@
## Start `gpg-agent' on login (non-SSH connections)
GPG_AGENT_SOCKET="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent"
if [[ -z ${SSH_CONNECTION} ]] && [[ ! -S "${GPG_AGENT_SOCKET}" ]]; then
- restart-gpg-agent
+ gpgconf --launch gpg-agent
fi
## Auto start X if login on tty6
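Review bot: The new `gpgconf --launch gpg-agent` is only reached when the hand-built `${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent` path is not a socket, so on a login where `XDG_RUNTIME_DIR` is unset or where gpg keeps its socket elsewhere the guard tests the wrong path and the launch runs on every login. Since `80-gpg.zsh` already asks gpgconf for `agent-ssh-socket`, the same mechanism gives the real path here, `GPG_AGENT_SOCKET="$(gpgconf --list-dirs agent-socket)"`; `gpgconf --launch` is also safe to call when an agent is already running, so the socket test is only an optimisation. The removed `restart-gpg-agent` passed `--enable-ssh-support` explicitly, whereas `gpgconf --launch` starts the agent from `gpg-agent.conf` alone, so the `SSH_AUTH_SOCK` setup in `80-gpg.zsh` presumably now depends on `enable-ssh-support` being present in that file, which this commit does not show.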
diff --git a/_zsh/80-gpg.zsh b/_zsh/80-gpg.zsh
index ef1f153..d9d5dbb 100644
--- a/_zsh/80-gpg.zsh
+++ b/_zsh/80-gpg.zsh
@@ -3,75 +3,32 @@
#
# NOTE:
-# ZSH is configured to launch `gpg-agent' on login, so it may be necessary
-# to disable its launch by systemd, e.g.,
-# $ systemctl --global --user mask --now \
-# gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket \
-# gpg-agent-extra.socket gpg-agent-browser.socket
+# Install both the `pinentry-gtk-2' and `pinentry-curses', and symlink
+# `pinentry-gtk-2' to `pinentry' as the default pinentry program, which
+# will fallback to the text mode when X11 is not avaiable (i.e.,
+# `$DISPLAY' is not set), e.g., through SSH logins.
+# `pinentry-gnome3' seems to have problem that cannot fallback to the
+# text mode ... (for reason unkown ...)
# This `GPG_TTY' variable should be set to the correct TTY where the shell
# is running. See `gpg-agent(1)' for more details.
export GPG_TTY=$(tty)
-# Set SSH to use `gpg-agent' as the SSH agent support is enabled
-# See `gpg-agent(1)' for more details.
+# Make SSH to use `gpg-agent'.
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
-# Restart `gpg-agent'
-restart-gpg-agent() {
- local pinentry_arg
- [ -x "${HOME}/bin/pinentry" ] && \
- pinentry_arg="--pinentry-program ${HOME}/bin/pinentry" || \
- pinentry_arg=""
- gpgconf --kill gpg-agent >/dev/null
- gpg-agent --daemon --enable-ssh-support ${pinentry_arg} >/dev/null
-}
-
-# Let pinentry know which console to display in for `ssh-agent'.
-#
-# Since the 'ssh-agent' protocol does not contain a mechanism for telling
-# the agent on which terminal/display it is running, gpg-agent's
-# ssh-support can just use the TTY or X display when `gpg-agent' has been
-# started, which may be before the X session startup. Therefore, when the
-# switched to the X session, or login remotely through SSH, the `pinentry'
-# will get popped up on whatever display the `gpg-agent' has been started
-# or may just fail. In this case, a manual update is necessary.
-#
-# This will set startup TTY and X11 DISPLAY variables to the values of
-# this session.
-#
-# Credits:
-# * GnuPG: Commonly Seen Problems
-# https://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html
-# * `gpg-agent(1)': option `--enable-ssh-support'
-#
-update-gpg-tty() {
- gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
-}
-
-update-pinentry-app() {
- echo "term" > ${XDG_RUNTIME_DIR}/pinentry-app
-}
-
-# Hook the above functions to be exec'ed before every command execuation
-#
-# Credit: http://blog.mrloop.com/workflow/2017/02/09/pin-entry.html
-#
-autoload -U add-zsh-hook
-zsh-preexec() {
- update-gpg-tty && update-pinentry-app || true
-}
-add-zsh-hook preexec zsh-preexec
-
+# Use curses-based pinentry for SSH logins
+# Credit: https://wiki.gentoo.org/wiki/GnuPG
+if [ -n "${SSH_CONNECTION}" ] ;then
+ export PINENTRY_USER_DATA="USE_CURSES=1"
+fi
# Delete all identities from the `gpg-agent', which is similar to
# `ssh-add -D`.
-#
# Credit: http://blog.mrloop.com/workflow/2017/02/09/pin-entry.html
-#
ssh-delete() {
grep -o '^[A-Z0-9]*' ${HOME}/.gnupg/sshcontrol | \
xargs -I'%' rm ${HOME}/.gnupg/private-keys-v1.d/'%'.key
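Review bot: The removed preexec hook ran `gpg-connect-agent updatestartuptty` because, as the deleted comment explains, the ssh-agent protocol carries no TTY or display information, so with nothing replacing it an SSH key use from an SSH login may still get its pinentry on whatever TTY or display the agent was started with; the new `PINENTRY_USER_DATA` only selects the curses backend for direct gpg calls and does not tell an already-running agent where to draw it, so this is worth confirming before dropping the hook. Two typos in the added NOTE: `avaiable` should read `available` and `unkown` should read `unknown`. The added `if [ -n "${SSH_CONNECTION}" ] ;then` should be spaced like the existing test a few lines above it, `if [ -n "${SSH_CONNECTION}" ]; then`.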
diff --git a/bin/gpg2-x11 b/bin/gpg2-x11
deleted file mode 100755
index db0d53f..0000000
--- a/bin/gpg2-x11
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-#
-# `gpg2` shim to support force use the graphical pinentry.
-# See also: `~/bin/pinentry-app'
-#
-# Credit: http://blog.mrloop.com/workflow/2017/02/09/pin-entry.html
-#
-# Aaron LI
-# 2018-01-13
-#
-
-
-GPG2=$(which gpg2)
-CFG=${XDG_RUNTIME_DIR}/pinentry-app
-echo "x11" > ${CFG}
-exec ${GPG2} "$@"
-
-# vim: set ts=8 sw=4 tw=0 fenc=utf-8 ft=sh: #
diff --git a/bin/pinentry b/bin/pinentry
deleted file mode 100755
index 524bc59..0000000
--- a/bin/pinentry
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# PINentry shim to support both terminal and graphical usages.
-#
-# Credit: http://blog.mrloop.com/workflow/2017/02/09/pin-entry.html
-#
-# Aaron LI
-# 2018-01-13
-#
-
-# GPG2 shim to support force use the graphical pinentry (`~/bin/gpg2-x11`).
-# ------------------------------------------------------------------>8
-# #!/bin/sh
-# GPG2=$(which gpg2) || exit 1
-# CFG=${XDG_RUNTIME_DIR}/pinentry-app
-# echo "x11" > ${CFG}
-# exec ${GPG2} "$@"
-# ------------------------------------------------------------------>8
-
-ENTRY_TERM="curses" # PIN entry variant for terminal (and default)
-ENTRY_X11="gtk-2" # for X11 usage
-
-CFG=${XDG_RUNTIME_DIR}/pinentry-app
-TYPE=$([ -f ${CFG} ] && cat ${CFG})
-if [ -n "${TYPE}" ] && [ "${TYPE}" = "x11" ]; then
- ENTRY="${ENTRY_X11}"
-else
- ENTRY="${ENTRY_TERM}"
-fi
-
-PINENTRY=$(which "pinentry-${ENTRY}") || exit 1
-exec ${PINENTRY} "$@"
-
-# vim: set ts=8 sw=4 tw=0 fenc=utf-8 ft=sh: #