Raspberry Pi gnupg-agent not working

Hey guys,

I installed NixOS on my Raspberry Pi and it works fine.
I wanted to download my configurations from GitHub.
So I installed git and gnupg, since I have a gpg key and some subkeys for authentication. The keys are present in my GitHub account.

I tried “echo $SSH_AUTH_SOCK” which leads to no output.
Then I tried “ssh -vvv -T git@github.com”, which leads to:
Trying private key: /home/admin/.ssh/id_rsa
no such identity: /home/admin/.ssh/id_rsa: No such file or directory
gpgconf --list-dirs agent-ssh-socket → /run/user/1004/gnupg/S.gpg-agent.ssh
systemctl --user status gpg-agent-ssh.socket → active(running)
systemctl --user status gpg-agent.service → active(running)

my configuration.nix:

programs = {
  gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };
};

Does anyone know why this doesn’t work?
Thanks :wink:

You might need to enable the smart card reader driver:

services.pcscd.enable = true;

I have finally found the solution.
The configuration was correct, but I had overlooked/forgotten an essential step.
I had not written my gpg subkey for authentication in the ~/.gnupg/sshcontrol file.

My complete settings in the configuration.nix:

# systemPackages is a list, so it takes [ ... ] rather than { ... }
environment.systemPackages = with pkgs; [
  gnupg
  pinentry-tty
];

programs = {
  gnupg.agent = {
    enable = true;
    pinentryPackage = pkgs.pinentry-tty;
    enableSSHSupport = true;
  };
};

I acted according to the following steps:

  1. Add the above settings to configuration.nix
-> edit configuration.nix
sudo nixos-rebuild switch --flake . (flakes activated)
sudo nixos-rebuild switch (no flakes)
  2. Create a GPG key
gpg --expert --full-generate-key
-> 11 (ECC - set your own capabilities)
-> Current allowed actions: Certify
-> ... custom settings
  3. Create a subkey for authentication
gpg --list-keys
gpg --expert --edit-key KEY-ID
gpg> addKey
-> 8 (RSA - set your own capabilities)
-> Current allowed actions: Authentication
-> ... custom settings
gpg --list-secret-keys --keyid-format LONG
-> One masterkey with setting [C] (Certify)
-> One subkey with setting [A] (authentication)
  4. Add the subkey to ~/.gnupg/sshcontrol
gpg -K --with-keygrip
gpg --list-keys
echo KEYGRIP >> ~/.gnupg/sshcontrol
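
The sshcontrol step above can be checked mechanically. The following is an added example, not part of the thread: it reads a colon-format key listing, picks out the keygrips of authentication-capable keys, and reports any that have no enabled entry in sshcontrol. The function names, keygrips and listing lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list authentication keys that gpg-agent will not offer over SSH.
# All keygrips and listing lines below are constructed sample data.
GRIP_CERT=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
GRIP_AUTH=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
GRIP_ENCR=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

# Constructed stand-in for `gpg --with-colons --with-keygrip -K` output.
sample_listing() {
    cat <<EOF
sec:u:255:22:1111111111111111:1700000000:::u:::cCA:
grp:::::::::$GRIP_CERT:
ssb:u:4096:1:2222222222222222:1700000000::::::a:
grp:::::::::$GRIP_AUTH:
ssb:u:255:18:3333333333333333:1700000000::::::e:
grp:::::::::$GRIP_ENCR:
EOF
}

# stdin: colon listing. stdout: keygrip of each key whose own capabilities
# (field 12, lower-case letters) include "a". Upper-case letters on the "sec"
# record summarise the whole key and must not match.
auth_keygrips() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" { want = ($12 ~ /a/) }
        $1 == "grp" { if (want) print $10; want = 0 }'
}

# stdin: keygrips. $1: sshcontrol file. stdout: keygrips with no enabled entry.
# "#" lines are comments and a "!" prefix disables an entry, so neither counts.
missing_from_sshcontrol() {
    while read -r grip; do
        [ -n "$grip" ] || continue
        awk -v g="$grip" '$1 == g { ok = 1 } END { exit !ok }' "$1" 2>/dev/null ||
            printf '%s\n' "$grip"
    done
}

# Offline demo: the only entry for the [A] subkey is disabled, so it is reported.
demo() {
    ctl=$(mktemp)
    printf '# constructed sshcontrol\n!%s 0\n' "$GRIP_AUTH" > "$ctl"
    sample_listing | auth_keygrips | missing_from_sshcontrol "$ctl"
    rm -f "$ctl"
}
demo

# Live use (assumes gpg is on PATH and the default ~/.gnupg home):
#   gpg --with-colons --with-keygrip -K | auth_keygrips |
#       missing_from_sshcontrol ~/.gnupg/sshcontrol
```

An empty result from the live pipeline means every authentication-capable key has an enabled sshcontrol entry.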