Gpg: pubring.db always locked after reboot

Hi guys,

I currently have a problem with my gpg config. After a clean shutdown and reboot, gpg --list-keys waits for a lock on the pubring.db:

> gpg --list-keys
gpg: Note: database_open 134217901 waiting for lock (held by 687) ...
gpg: Note: database_open 134217901 waiting for lock (held by 687) ...
> cat  .gnupg/public-keys.d/pubring.db.lock
       687
(none)
> ps -f 687
UID          PID    PPID  C STIME TTY      STAT   TIME CMD
root         687       1  0 19:44 ?        Ss     0:00 keyboxd --homedir /home/leo/.gnupg --daemon
> ps -ef | grep keyboxd
root         687       1  0 19:44 ?        00:00:00 keyboxd --homedir /home/leo/.gnupg --daemon
leo         2093       1  0 19:45 ?        00:00:00 keyboxd --homedir /home/leo/.gnupg --daemon

After manually removing the lock or killing the root keyboxd instance, gpg commands work fine.

However I want to find out what the issue is.

Keyboxd seems to be some daemon process from gpg. The PPID of 1 suggests that systemd starts it at boot time, but I can't find the systemd unit that starts it (rg keyboxd /etc/systemd → no results).

Why do I even have 2 instances of keyboxd? I suppose the keyboxd instance from my user should be enough. Then only my instance locks the db and everything should be fine.

I'm using gpg and gpg-agent from home-manager with the following config:

programs.gpg = {
  enable = true;
  mutableKeys = true;
};

services.gpg-agent = {
  enable = true;
  enableFishIntegration = true;
  enableScDaemon = false;
  pinentryPackage = pkgs.pinentry-curses;
};

I don't explicitly set any gpg options in my system config, only with home-manager. However, I use sops-nix with my pgp key.

What starts keyboxd as root? How to find out what configures that?

Any idea how to further debug this?
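To make the check shown in the terminal session above repeatable, here is an added diagnostic script (not from the original post or from GnuPG): it parses the pubring.db.lock file, looks up the holding PID in /proc, and reports whether the lock is stale, held by this user's own keyboxd, or held by a process running as a different UID than the owner of the .gnupg directory (as in the root keyboxd case above). The sample lock text is constructed from the cat output in the post.

```python
import os
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample in the format the post shows: a right-aligned PID on the
# first line, then a node-name line ("(none)" when no host name is set).
SAMPLE_LOCK = "       687\n(none)\n"

def parse_lock(text: str) -> Tuple[int, str]:
    """Parse a GnuPG dotlock file: first line PID, second line node name."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty lock file")
    pid = int(lines[0].strip())
    node = lines[1].strip() if len(lines) > 1 else ""
    return pid, node

def process_uid(pid: int) -> Optional[int]:
    """Real UID of a live process from /proc/<pid>/status, or None if gone."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Uid:"):
                    return int(line.split()[1])   # first field: real UID
    except FileNotFoundError:
        return None
    return None

def classify(holder_pid: int, holder_uid: Optional[int], homedir_uid: int) -> str:
    """Decide what the lock holder means for the owner of the GnuPG homedir."""
    if holder_uid is None:
        return f"stale: pid {holder_pid} no longer exists, lock can be removed"
    if holder_uid != homedir_uid:
        return (f"foreign: pid {holder_pid} runs as uid {holder_uid} but the "
                f"homedir belongs to uid {homedir_uid}; something else "
                f"started keyboxd on this homedir")
    return f"ok: pid {holder_pid} is this user's own keyboxd"

def diagnose(homedir: Path) -> str:
    """Check the keybox lock under the given GnuPG home directory."""
    lock = homedir / "public-keys.d" / "pubring.db.lock"
    if not lock.exists():
        return "no lock file present"
    pid, _node = parse_lock(lock.read_text())
    return classify(pid, process_uid(pid), homedir.stat().st_uid)

if __name__ == "__main__":
    print(diagnose(Path.home() / ".gnupg"))
```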

Problem solved.

I had sops-nix configured in my NixOS config to encrypt the main user password hash. It was also using my pgp key so it installed gpg.
My home-manager config also installed sops-nix with gpg,
→ two instances running and racing for the lock.

After removing sops-nix from my NixOS config everything worked fine again.

The only minor issue is that I switched back to mutable users again. I mean, I could just put the pw hash in the config without encrypting it, but I'm too paranoid for this, and it really doesn't matter much to have to configure the pw manually once.