From 6808da56ad6ecd8c1ebf7ca6a39495df4f7ebbd2 Mon Sep 17 00:00:00 2001
From: Aaron LI
Date: Tue, 20 Feb 2018 22:34:56 +0800
Subject: gpg: rewrite gpg-agent handling with zsh

* do not hack to force to use `pinentry-curses` with custom `pinentry` and `gpg2-x11` shims
* explain to use the `pinentry-gtk-2`, which will fallback to text mode
* simply launch `gpg-agent` with `gpgconf --launch`
---
 _zlogin | 2 +-
 _zsh/80-gpg.zsh | 67 +++++++++++----------------------------------------------
 bin/gpg2-x11 | 18 ----------------
 bin/pinentry | 34 -----------------------------
 4 files changed, 13 insertions(+), 108 deletions(-)
 delete mode 100755 bin/gpg2-x11
 delete mode 100755 bin/pinentry

diff --git a/_zlogin b/_zlogin
index 27eb391..65a0364 100644
--- a/_zlogin
+++ b/_zlogin
@@ -14,7 +14,7 @@
 ## Start `gpg-agent' on login (non-SSH connections)
 GPG_AGENT_SOCKET="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent"
 if [[ -z ${SSH_CONNECTION} ]] && [[ ! -S "${GPG_AGENT_SOCKET}" ]]; then
- restart-gpg-agent
+ gpgconf --launch gpg-agent
 fi
 
 ## Auto start X if login on tty6
diff --git a/_zsh/80-gpg.zsh b/_zsh/80-gpg.zsh
index ef1f153..d9d5dbb 100644
--- a/_zsh/80-gpg.zsh
+++ b/_zsh/80-gpg.zsh
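Review bot: `gpgconf --launch gpg-agent` starts the agent with only what `~/.gnupg/gpg-agent.conf` provides, whereas the removed `restart-gpg-agent` passed `--enable-ssh-support` on the command line; if that option is not in the config file, the `SSH_AUTH_SOCK` export in `_zsh/80-gpg.zsh` ends up pointing at an ssh socket the agent never listens on. A comment on the launch line would make the dependency visible, e.g. `# needs 'enable-ssh-support' in ~/.gnupg/gpg-agent.conf: gpgconf --launch passes no agent options`. The socket path on the line above is hard-coded as well; `GPG_AGENT_SOCKET="$(gpgconf --list-dirs agent-socket)"` asks gpg where the socket actually lives, and since `gpgconf --launch` only starts an agent that is not already running, the `-S` test is then just a shortcut rather than a guard.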
@@ -3,75 +3,32 @@ # # NOTE: -# ZSH is configured to launch `gpg-agent' on login, so it may be necessary -# to disable its launch by systemd, e.g., -# $ systemctl --global --user mask --now \ -# gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket \ -# gpg-agent-extra.socket gpg-agent-browser.socket +# Install both the `pinentry-gtk-2' and `pinentry-curses', and symlink +# `pinentry-gtk-2' to `pinentry' as the default pinentry program, which +# will fallback to the text mode when X11 is not avaiable (i.e., +# `$DISPLAY' is not set), e.g., through SSH logins. +# `pinentry-gnome3' seems to have problem that cannot fallback to the +# text mode ... (for reason unkown ...) # This `GPG_TTY' variable should be set to the correct TTY where the shell # is running. See `gpg-agent(1)' for more details. export GPG_TTY=$(tty) -# Set SSH to use `gpg-agent' as the SSH agent support is enabled -# See `gpg-agent(1)' for more details. +# Make SSH to use `gpg-agent'. unset SSH_AGENT_PID if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" fi -# Restart `gpg-agent' -restart-gpg-agent() { - local pinentry_arg - [ -x "${HOME}/bin/pinentry" ] && \ - pinentry_arg="--pinentry-program ${HOME}/bin/pinentry" || \ - pinentry_arg="" - gpgconf --kill gpg-agent >/dev/null - gpg-agent --daemon --enable-ssh-support ${pinentry_arg} >/dev/null -} - -# Let pinentry know which console to display in for `ssh-agent'. -# -# Since the 'ssh-agent' protocol does not contain a mechanism for telling -# the agent on which terminal/display it is running, gpg-agent's -# ssh-support can just use the TTY or X display when `gpg-agent' has been -# started, which may be before the X session startup. Therefore, when the -# switched to the X session, or login remotely through SSH, the `pinentry' -# will get popped up on whatever display the `gpg-agent' has been started -# or may just fail. In this case, a manual update is necessary. 
-# -# This will set startup TTY and X11 DISPLAY variables to the values of -# this session. -# -# Credits: -# * GnuPG: Commonly Seen Problems -# https://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html -# * `gpg-agent(1)': option `--enable-ssh-support' -# -update-gpg-tty() { - gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1 -} - -update-pinentry-app() { - echo "term" > ${XDG_RUNTIME_DIR}/pinentry-app -} - -# Hook the above functions to be exec'ed before every command execuation -# -# Credit: http://blog.mrloop.com/workflow/2017/02/09/pin-entry.html -# -autoload -U add-zsh-hook -zsh-preexec() { - update-gpg-tty && update-pinentry-app || true -} -add-zsh-hook preexec zsh-preexec - +# Use curses-based pinentry for SSH logins +# Credit: https://wiki.gentoo.org/wiki/GnuPG +if [ -n "${SSH_CONNECTION}" ] ;then + export PINENTRY_USER_DATA="USE_CURSES=1" +fi # Delete all identities from the `gpg-agent', which is similar to # `ssh-add -D`. -# # Credit: http://blog.mrloop.com/workflow/2017/02/09/pin-entry.html -# ssh-delete() { grep -o '^[A-Z0-9]*' ${HOME}/.gnupg/sshcontrol | \ xargs -I'%' rm ${HOME}/.gnupg/private-keys-v1.d/'%'.key diff --git a/bin/gpg2-x11 b/bin/gpg2-x11 deleted file mode 100755 index db0d53f..0000000 --- a/bin/gpg2-x11 +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh -# -# `gpg2` shim to support force use the graphical pinentry. -# See also: `~/bin/pinentry-app' -# -# Credit: http://blog.mrloop.com/workflow/2017/02/09/pin-entry.html -# -# Aaron LI -# 2018-01-13 -# - - -GPG2=$(which gpg2) -CFG=${XDG_RUNTIME_DIR}/pinentry-app -echo "x11" > ${CFG} -exec ${GPG2} "$@" - -# vim: set ts=8 sw=4 tw=0 fenc=utf-8 ft=sh: # diff --git a/bin/pinentry b/bin/pinentry deleted file mode 100755 index 524bc59..0000000 --- a/bin/pinentry +++ /dev/null 
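Review bot: The new `SSH_CONNECTION` branch exports `PINENTRY_USER_DATA`, but that variable only reaches pinentry for prompts raised by a gpg client, which forwards it to the agent; an ssh client speaks the ssh-agent protocol and forwards neither it nor the TTY, so SSH-authentication prompts during a remote login will still land on whatever display `gpg-agent` was started with — the very case the removed `update-gpg-tty` hook (`gpg-connect-agent updatestartuptty /bye`) handled, as the removed comment block spells out. Unless the ssh-agent use case is being dropped, keep that call in the same branch, e.g. `gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1` right after the `export`. Two small points of style on the added lines: `] ;then` reads better as `]; then`, and the new NOTE comment has the typos `avaiable` and `unkown`.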
@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# PINentry shim to support both terminal and graphical usages.
-#
-# Credit: http://blog.mrloop.com/workflow/2017/02/09/pin-entry.html
-#
-# Aaron LI
-# 2018-01-13
-#
-
-# GPG2 shim to support force use the graphical pinentry (`~/bin/gpg2-x11`).
-# ------------------------------------------------------------------>8
-# #!/bin/sh
-# GPG2=$(which gpg2) || exit 1
-# CFG=${XDG_RUNTIME_DIR}/pinentry-app
-# echo "x11" > ${CFG}
-# exec ${GPG2} "$@"
-# ------------------------------------------------------------------>8
-
-ENTRY_TERM="curses" # PIN entry variant for terminal (and default)
-ENTRY_X11="gtk-2" # for X11 usage
-
-CFG=${XDG_RUNTIME_DIR}/pinentry-app
-TYPE=$([ -f ${CFG} ] && cat ${CFG})
-if [ -n "${TYPE}" ] && [ "${TYPE}" = "x11" ]; then
- ENTRY="${ENTRY_X11}"
-else
- ENTRY="${ENTRY_TERM}"
-fi
-
-PINENTRY=$(which "pinentry-${ENTRY}") || exit 1
-exec ${PINENTRY} "$@"
-
-# vim: set ts=8 sw=4 tw=0 fenc=utf-8 ft=sh: #
-- cgit v1.2.2