Gpg-agent not receiving keys upon ssh

Hello! I am migrating my dev server to NixOS as a way to learn Nix. What I am struggling with right now is setting up gpg-agent forwarding from my laptop to the server.

The laptop is running Arch Linux at the moment (might change in the future), and I can use gpg (2.2.40) to sign stuff. My ~/.ssh/config has the bits to forward the socket:

# home server
Host server
	Hostname 192.168.1.13
	Port 22
	User h
	IdentityFile ~/.ssh/id_ed25519
	#IdentitiesOnly yes
	ForwardAgent yes
	RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra

The dev server is running NixOS. I have this stuff in my configuration.nix:

  # Configure GnuPG agent
  programs.gnupg.agent = {
    enable = true;
    enableExtraSocket = true;
    enableSSHSupport = true; # Make GPG through SSH work
    pinentryFlavor = "curses"; # Options: "curses", "tty", "gtk2", "qt"
  };

And this in my user’s home-manager configuration:

  programs.gpg = {
    enable = true;
    publicKeys = [
      {source = ./heitor.asc; trust = 5;}
    ];
  };

When I ssh into the dev box, I can see my public gpg key, but the gpg-agent.service is not enabled and I see some weird errors when trying to sign anything:

$ gpg --list-public-keys
/home/h/.gnupg/pubring.kbx
--------------------------
pub   rsa2048/0xC591DE99BDDCBBD2 2018-08-28 [SC]
      Key fingerprint = 295E 499C 134B 4C0B 642D  DFAB C591 DE99 BDDC BBD2
uid                   [ultimate] Me <my@email>
sub   rsa2048/0xBFCF198C5D141837 2018-08-28 [E]
sub   rsa2048/0x2DD9C1566E2774A2 2018-08-29 [S]

$ gpg --list-secret-keys
gpg: WARNING: server 'gpg-agent' is older than us (2.2.40 < 2.3.7)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: problem with fast path key listing: IPC parameter error - ignored
/home/h/.gnupg/pubring.kbx
--------------------------
sec#  rsa2048/0xC591DE99BDDCBBD2 2018-08-28 [SC]
      Key fingerprint = 295E 499C 134B 4C0B 642D  DFAB C591 DE99 BDDC BBD2
uid                   [ultimate] Me <my@email>
ssb#  rsa2048/0xBFCF198C5D141837 2018-08-28 [E]
ssb#  rsa2048/0x2DD9C1566E2774A2 2018-08-29 [S]

$ echo bla | gpg --clearsign
gpg: WARNING: server 'gpg-agent' is older than us (2.2.40 < 2.3.7)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: problem with fast path key listing: IPC parameter error - ignored
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

bla
gpg: signing failed: No secret key
gpg: [stdin]: clear-sign failed: No secret key

Starting the user service gpg-agent.service on the dev server makes no difference.

What am I missing here? Could someone help me understand and fix this please?

Warnings are not errors, but they shouldn’t be ignored.

I downgraded the gnupg package on NixOS to 2.2.27 with an overlay and now everything is working fine.
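
An added example, not part of the original thread: a small shell diagnostic that reads gpg's stderr and reports whether the agent reached through the forwarded socket is from a different release series than the gpg client on the server, which is the condition the warning in the output above points at. The function names (agent_version_gap, series, diagnose) and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: stderr lines as shown in the post above.
SAMPLE_STDERR="gpg: WARNING: server 'gpg-agent' is older than us (2.2.40 < 2.3.7)
gpg: Note: Outdated servers may lack important security fixes.
gpg: problem with fast path key listing: IPC parameter error - ignored
gpg: signing failed: No secret key"

# Print "<agent_version> <client_version>" when gpg reports an older agent,
# or nothing when the warning is absent.
agent_version_gap() {
    printf '%s\n' "$1" | sed -n \
        "s/^gpg: WARNING: server 'gpg-agent' is older than us (\([0-9.]*\) < \([0-9.]*\))\$/\1 \2/p" \
        | head -n 1
}

# Release series is the first two version components (2.2.40 -> 2.2).
series() {
    printf '%s\n' "$1" | cut -d. -f1,2
}

# Classify captured gpg stderr:
#   no-version-warning  agent and client agree (or gpg did not warn)
#   patch-mismatch      same series, different patch level
#   series-mismatch     different series, e.g. a 2.2 agent behind a 2.3 client
diagnose() {
    gap=$(agent_version_gap "$1")
    if [ -z "$gap" ]; then
        echo "no-version-warning"
        return 0
    fi
    agent=${gap% *}
    client=${gap#* }
    # Note whether the IPC failure from the post accompanies the warning.
    case "$1" in
        *"IPC parameter error"*) ipc=yes ;;
        *) ipc=no ;;
    esac
    if [ "$(series "$agent")" != "$(series "$client")" ]; then
        kind=series-mismatch
    else
        kind=patch-mismatch
    fi
    echo "$kind agent=$agent client=$client ipc-error=$ipc"
}
```

On the server, feed it live output with `diagnose "$(echo test | gpg --clearsign 2>&1 >/dev/null)"`; a series-mismatch result with ipc-error=yes matches the situation in this thread, where aligning the server's gnupg with the laptop's 2.2 series resolved it.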