Home-manager gpg-agent, keeps showing pinentry every few minutes

Situation: I’m running mbsync every few minutes (configured using home-manager), which uses pass to retrieve the IMAP password. Pass needs to decrypt, so it depends on GnuPG.

GPG and gpg-agent are also configured using home-manager:

  services.mbsync.enable = true;

  programs.gpg.enable = true;
  services.gpg-agent = {
    enable = true;
    defaultCacheTtl = 34560000;
    maxCacheTtl = 34560000;
    pinentryFlavor = "qt";
    enableScDaemon = false;
  };

Despite the large cacheTtl values, a pinentry dialog shows up every few minutes, making working with my system unusable, as if there is no gpg-agent to cache the entry.

The output of journalctl --user shows gpg-agent is restarted continuously, esp. the lines:

gpg-agent[7939]: socket is now serviced by another server
gpg-agent[7939]: this process is useless - shutting down
gpg-agent[7939]: gpg-agent (GnuPG) 2.4.0 stopped

journalctl --user output:

aug 12 13:45:11 laptop systemd[1816]: Starting mbsync mailbox synchronization…
aug 12 13:45:11 laptop systemd[1816]: Started GnuPG cryptographic agent and passphrase cache.
aug 12 13:45:11 laptop gpg-agent[7939]: gpg-agent[7939]: WARNING: "--supervised" is a deprecated option
aug 12 13:45:11 laptop gpg-agent[7939]: gpg-agent (GnuPG) 2.4.0 starting in supervised mode.
aug 12 13:45:11 laptop gpg-agent[7939]: using fd 3 for std socket (/run/user/10001/gnupg/S.gpg-agent)
aug 12 13:45:11 laptop gpg-agent[7939]: using fd 4 for ssh socket (/run/user/10001/gnupg/S.gpg-agent.ssh)
aug 12 13:45:11 laptop gpg-agent[7939]: listening on: std=3 extra=-1 browser=-1 ssh=4
aug 12 13:45:11 laptop gpg-agent[7941]: Loading the “qt_” catalog failed for locale QLocale(English, Latin, United States)
aug 12 13:45:11 laptop gpg-agent[7941]: Loading the “qt_” catalog failed for locale QLocale(English, Latin, United States)
aug 12 13:45:11 laptop gpg-agent[7941]: Loading the “qtbase_” catalog failed for locale QLocale(English, Latin, United States)
aug 12 13:45:11 laptop gpg-agent[7941]: Failed to lookup password for key n/DA15C6C0060FE420647B68CBFE0C369B8456318A with secret service: The name org.freedesktop.secrets was not provided by any .service files
aug 12 13:45:11 laptop gpg-agent[7941]: Checking for Caps Lock not possible on unsupported platform: “xcb”
aug 12 13:45:19 laptop systemd[1816]: Finished mbsync mailbox synchronization.
aug 12 13:46:15 laptop gpg-agent[7939]: socket is now serviced by another server
aug 12 13:46:15 laptop gpg-agent[7939]: this process is useless - shutting down
aug 12 13:46:19 laptop gpg-agent[7939]: gpg-agent (GnuPG) 2.4.0 stopped
aug 12 13:50:11 laptop systemd[1816]: Starting mbsync mailbox synchronization…
aug 12 13:50:11 laptop systemd[1816]: Started GnuPG cryptographic agent and passphrase cache.
aug 12 13:50:11 laptop gpg-agent[8818]: gpg-agent[8818]: WARNING: "--supervised" is a deprecated option
aug 12 13:50:11 laptop gpg-agent[8818]: gpg-agent (GnuPG) 2.4.0 starting in supervised mode.
aug 12 13:50:11 laptop gpg-agent[8818]: using fd 3 for std socket (/run/user/10001/gnupg/S.gpg-agent)
aug 12 13:50:11 laptop gpg-agent[8818]: using fd 4 for ssh socket (/run/user/10001/gnupg/S.gpg-agent.ssh)
aug 12 13:50:11 laptop gpg-agent[8818]: listening on: std=3 extra=-1 browser=-1 ssh=4
aug 12 13:50:11 laptop gpg-agent[8821]: Loading the “qt_” catalog failed for locale QLocale(English, Latin, United States)
aug 12 13:50:11 laptop gpg-agent[8821]: Loading the “qt_” catalog failed for locale QLocale(English, Latin, United States)
aug 12 13:50:11 laptop gpg-agent[8821]: Loading the “qtbase_” catalog failed for locale QLocale(English, Latin, United States)
aug 12 13:50:11 laptop gpg-agent[8821]: Failed to lookup password for key n/DA15C6C0060FE420647B68CBFE0C369B8456318A with secret service: The name org.freedesktop.secrets was not provided by any .service files
aug 12 13:50:11 laptop gpg-agent[8821]: Checking for Caps Lock not possible on unsupported platform: “xcb”
aug 12 13:50:20 laptop systemd[1816]: Finished mbsync mailbox synchronization.
aug 12 13:51:15 laptop gpg-agent[8818]: socket is now serviced by another server
aug 12 13:51:15 laptop gpg-agent[8818]: this process is useless - shutting down
aug 12 13:51:19 laptop gpg-agent[8818]: gpg-agent (GnuPG) 2.4.0 stopped
aug 12 13:55:11 laptop systemd[1816]: Starting mbsync mailbox synchronization…
aug 12 13:55:11 laptop systemd[1816]: Started GnuPG cryptographic agent and passphrase cache.
aug 12 13:55:11 laptop gpg-agent[24539]: gpg-agent[24539]: WARNING: "--supervised" is a deprecated option
aug 12 13:55:11 laptop gpg-agent[24539]: gpg-agent (GnuPG) 2.4.0 starting in supervised mode.
aug 12 13:55:11 laptop gpg-agent[24539]: using fd 3 for std socket (/run/user/10001/gnupg/S.gpg-agent)
aug 12 13:55:11 laptop gpg-agent[24539]: using fd 4 for ssh socket (/run/user/10001/gnupg/S.gpg-agent.ssh)
aug 12 13:55:11 laptop gpg-agent[24539]: listening on: std=3 extra=-1 browser=-1 ssh=4
aug 12 13:55:21 laptop systemd[1816]: Finished mbsync mailbox synchronization.
aug 12 13:56:15 laptop gpg-agent[24539]: socket is now serviced by another server
aug 12 13:56:15 laptop gpg-agent[24539]: this process is useless - shutting down
aug 12 13:56:19 laptop gpg-agent[24539]: gpg-agent (GnuPG) 2.4.0 stopped

One thing I also noticed is that the sockets mentioned in the logs are different from the sockets mentioned when running gpgconf --list-dirs, e.g.:

$ gpgconf --list-dirs agent-socket
/run/user/10001/gnupg/d.66ich9kpnhpcq9knttj8qqdj/S.gpg-agent

Maybe it has something to do with it (or not)?

My setup is really simple, so I truly don’t know where to look for answers.

UPDATE:

I did:

$ cd /run/user/10001/gnupg/d.66ich9kpnhpcq9knttj8qqdj/
$ ln -s ../S.gpg-agent* .

and now gpg-agent does not kill itself anymore, so this looks like a temporary workaround.

So it is related to the output of gpgconf --list-dirs being different from the sockets created by home-manager’s gpg config.

The root cause is still unknown to me: bug in home-manager? bug in my own config somewhere?


Sounds to me like you simply have two gpg agents running. Is this NixOS? Do you start gpg-agent somewhere in your shell profiles? Can you confirm with ps?

Thanks, indeed: without the ln -s workaround, at some point there are two gpg-agents running, one supervised by systemd and the other one I have no clue about (could not see it in the process tree).

But my gpg setup and bashrc/profile are fully managed by home-manager, so I have no clue what is causing the second gpg-agent to start.

Huh, did you check with ps or such or was that via a systemd feature? Finding that out would be the crux of the issue.

If you’re not on NixOS, it could well be started by some host user systemd service, or a forgotten .bash_profile (some distros add a source ~/.bash_profile to /etc/bashrc, completely defying bash’s default behavior and breaking some home-manager expectations), .xsession, .xinitrc or such.

Lots of files make up the session environment; if you can confirm that a gpg-agent is already running before the home-manager one starts, that would help. Maybe disable the home-manager service for now and check if you can get gpgconf to talk to something?

Found out my .bashrc contains:

GPG_TTY="$(tty)"
export GPG_TTY
/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/gpg-connect-agent update

I did not put it there, my .bashrc is fully managed by home-manager.

Could it be that programs.gpg.enable = true; and services.gpg-agent.enable = true; are conflicting options? NixOS+HM 23.05

Update:

I checked https://github.com/nix-community/home-manager/blob/07682fff75d41f18327a871088d20af2710d4744/modules/services/gpg-agent.nix

It is the option enableSshSupport that is adding this, but I am not sure if that is also the cause of the issues described in the opening post.

Could it be a timing issue?
E.g. the updatestartuptty is executed before the systemd user service for gpg-agent is started, and then there are two gpg-agent processes?

Update 2:
enableSshSupport = false does not solve the issue. The .bashrc does not contain any gpg related stuff, but there are still two conflicting instances of gpg running… search continues…

There is a gpg-agent using the socket /run/user/10001/gnupg/S.gpg-agent.
And there is another gpg-agent using the socket /run/user/10001/gnupg/d.66ich9kpnhpcq9knttj8qqdj/S.gpg-agent.

I suspect that there is a discrepancy between the gpg-agent systemd socket and gpgconf.

Because gpgconf says:

$ gpgconf --list-dirs
sysconfdir:/etc/gnupg
bindir:/nix/store/j4h0z6pw8nk51swdjy5ypbbnlmba4nz0-gnupg-2.4.0/bin
libexecdir:/nix/store/j4h0z6pw8nk51swdjy5ypbbnlmba4nz0-gnupg-2.4.0/libexec
libdir:/nix/store/j4h0z6pw8nk51swdjy5ypbbnlmba4nz0-gnupg-2.4.0/lib/gnupg
datadir:/nix/store/j4h0z6pw8nk51swdjy5ypbbnlmba4nz0-gnupg-2.4.0/share/gnupg
localedir:/nix/store/j4h0z6pw8nk51swdjy5ypbbnlmba4nz0-gnupg-2.4.0/share/locale
socketdir:/run/user/10001/gnupg/d.66ich9kpnhpcq9knttj8qqdj
dirmngr-socket:/run/user/10001/gnupg/d.66ich9kpnhpcq9knttj8qqdj/S.dirmngr
keyboxd-socket:/run/user/10001/gnupg/d.66ich9kpnhpcq9knttj8qqdj/S.keyboxd
agent-ssh-socket:/run/user/10001/gnupg/d.66ich9kpnhpcq9knttj8qqdj/S.gpg-agent.ssh
agent-extra-socket:/run/user/10001/gnupg/d.66ich9kpnhpcq9knttj8qqdj/S.gpg-agent.extra
agent-browser-socket:/run/user/10001/gnupg/d.66ich9kpnhpcq9knttj8qqdj/S.gpg-agent.browser
agent-socket:/run/user/10001/gnupg/d.66ich9kpnhpcq9knttj8qqdj/S.gpg-agent
homedir:/home/kvtb/.gnupg

Note that all socket files are in a subdirectory of gnupg with some hash.

But, looking at the gpg-agent.socket systemd file, generated by home-manager, it says:

[Install]
WantedBy=sockets.target

[Socket]
DirectoryMode=0700
FileDescriptorName=std
ListenStream=%t/gnupg/S.gpg-agent
SocketMode=0600

[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)

This file is generated by

The setting programs.gpg.homedir is unset in my config, which defaults to /home/kvtb/.gnupg in my case.

The hash subdirectory is therefore not used in the systemd socket file.

But why would gpgconf --list-dirs give different socket directories?
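A small diagnostic for the mismatch described above, written for this thread and not taken from home-manager or GnuPG: it compares the agent socket that gpgconf --list-dirs advertises with the path the home-manager unit listens on (ListenStream=%t/gnupg/S.gpg-agent, where systemd expands %t to XDG_RUNTIME_DIR) and flags the d.<hash> socketdir that GnuPG falls back to when it considers the homedir non-default. The sample inputs are the gpgconf lines quoted in this thread; the function names are my own.

```shell
#!/bin/sh
# Added example for this thread: detect a gpg-agent socket path disagreement
# between gpgconf and the systemd socket unit generated by home-manager.

# Print the value of one key from `gpgconf --list-dirs` output read on stdin.
gpgconf_dir() {
  # $1 = key name, e.g. agent-socket or socketdir
  sed -n "s/^$1:"'\(.*\)$/\1/p'
}

# Verdict on whether clients (gpg, pass) and the systemd-managed agent
# will meet on the same socket.
#   ok                        gpgconf and systemd agree
#   mismatch-hashed-socketdir gpgconf uses a d.<hash> dir (non-default homedir)
#   mismatch                  they disagree for some other reason
check_agent_socket() {
  # $1 = gpgconf --list-dirs output, $2 = XDG_RUNTIME_DIR (systemd's %t)
  gpgconf_socket=$(printf '%s\n' "$1" | gpgconf_dir agent-socket)
  systemd_socket="$2/gnupg/S.gpg-agent"
  if [ "$gpgconf_socket" = "$systemd_socket" ]; then
    echo ok
    return 0
  fi
  case "$gpgconf_socket" in
    */gnupg/d.*/S.gpg-agent) echo mismatch-hashed-socketdir ;;
    *) echo mismatch ;;
  esac
  return 1
}

# Constructed samples: the relevant lines from the two gpgconf outputs in this thread.
SAMPLE_HASHED='socketdir:/run/user/10001/gnupg/d.66ich9kpnhpcq9knttj8qqdj
agent-socket:/run/user/10001/gnupg/d.66ich9kpnhpcq9knttj8qqdj/S.gpg-agent
homedir:/home/kvtb/.gnupg'

SAMPLE_PLAIN='socketdir:/run/user/1000/gnupg
agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/tlater/.gnupg'

# On the affected machine you would run it against the live output instead:
#   check_agent_socket "$(gpgconf --list-dirs)" "$XDG_RUNTIME_DIR"
check_agent_socket "$SAMPLE_HASHED" /run/user/10001 || true   # mismatch-hashed-socketdir
check_agent_socket "$SAMPLE_PLAIN" /run/user/1000             # ok
```

A non-zero exit from the function is the signal that whatever gpg spawned on the fly will not be the agent systemd supervises, which matches the two competing agents seen in the journal above.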

For reference, my config matches the systemd socket:

tlater ~ $ gpgconf --list-dirs
sysconfdir:/etc/gnupg
bindir:/nix/store/j4h0z6pw8nk51swdjy5ypbbnlmba4nz0-gnupg-2.4.0/bin
libexecdir:/nix/store/j4h0z6pw8nk51swdjy5ypbbnlmba4nz0-gnupg-2.4.0/libexec
libdir:/nix/store/j4h0z6pw8nk51swdjy5ypbbnlmba4nz0-gnupg-2.4.0/lib/gnupg
datadir:/nix/store/j4h0z6pw8nk51swdjy5ypbbnlmba4nz0-gnupg-2.4.0/share/gnupg
localedir:/nix/store/j4h0z6pw8nk51swdjy5ypbbnlmba4nz0-gnupg-2.4.0/share/locale
socketdir:/run/user/1000/gnupg
dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
keyboxd-socket:/run/user/1000/gnupg/S.keyboxd
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser
agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/tlater/.gnupg

There’s nothing in ~/.gnupg on my end that would set this, so whatever launches your first gpg instance probably has some configuration that creates a tmpdir to enable spawning multiple gpg processes.

Maybe some other service you use tries to launch its own gpg, say sops-nix, an email client, editor or something like that?

I’ve found the cause, but I’m not able to fix the actual root root root cause.
The cause is an incompatibility between kanidm and home-manager.

kanidm has a custom scheme to create home directories and then uses a symlink to a more friendly looking home directory name.

The problem is that GNUPGHOME is set to a value (by home-manager), but that value is not used everywhere (= root cause), causing some instances of gpg-agent to think the home directory is custom (and other instances to think it is not custom), and those use the hash version of the directory to store the sockets.

For now I’ve disabled the kanidm-specific naming scheme for home directories:

  services.kanidm.unixSettings = {
    home_attr = "name";
    home_alias = "none";
  };

So, summarizing: kanidm, gnupg and home-manager are not compatible out of the box.