Updated after 3 week vacation. gnupg says "no pinentry"

pimiddy · November 10, 2019, 7:35pm

Like the title says, I upgraded my nixos-unstable after 3 weeks and now gpg -d foo.gpg tells me:

gpg: public key decryption failed: No pinentry
gpg: decryption failed: No secret key

Did anything change with regards to gpg or pinentry?

lilyball · November 10, 2019, 10:22pm

pinentry has been disabled by default. The commit includes a release note saying

GnuPG is now built without support for a graphical passphrase entry by default. Please enable the gpg-agent user service via the NixOS option programs.gnupg.agent.enable. Note that upstream recommends using gpg-agent and will spawn a gpg-agent on the first invocation of GnuPG anyway.

pimiddy · November 11, 2019, 8:16am

@lilyball Yep, thanks, that worked perfectly!

NobbZ · November 27, 2020, 2:32pm

This doesn’t change anything for me, despite of programs.gnupg.agent.enables value, I get the pinentry error.

srghma · December 12, 2020, 11:41am

this worked after reboot

ppenguin · January 17, 2021, 12:11pm

Just installed nixos and for me it has never worked.
The problem appears to be that no matter what I say in configuration.nix, the gpg-agent ignores my ~/.gnupg/gnupg-agent.conf and only looks for the pinentry in the same store path where gpg itself resides.

Which renders me completely unable to get any prompt (no matter whether it’s graphical or tty).

A workaround was to disable gpg-agent system wide and manually start the agent with everything user-installed (i.e. pinentry and gnupg)

toastal · June 29, 2023, 4:21am

@ppenguin Did you ever solve this? I found a helpful post online

But this sucks. A better solution is to install pinentry-curses (put it in your systemPackages in your NixOS configuration), and then modify $HOME/.gnupg/gpg-agent.conf to contain the following:
pinentry-program /run/current-system/sw/bin/pinentry-curses
You may need to reload the running gpg-agent to make it pick up the change:
$ gpgconf --reload gpg-agent

ppenguin · June 30, 2023, 6:27pm

When switching WMs it has always been a PITA, especially when not using a display manager for login to take care of the session env. But I’ve been using home-manager in combination with services.gnome-keyring and start my wayland compositor like this:

    zsh.loginExtra = ''
            if [ "$(tty)" = "/dev/tty1" ]; then
              QT_QPA_PLATFORM=wayland
              LIBSEAT_BACKEND=logind
              TERMINAL=alacritty
      	      export QT_QPA_PLATFORM LIBSEAT_BACKEND TERMINAL
              SSH_AUTH_SOCK=/run/user/$UID/keyring/ssh
      	      export SSH_AUTH_SOCK
              dbus-update-activation-environment --systemd --all
              echo "$(date -Is): starting Hyprland..." >> $HOME/.wsession.log
              Hyprland &> /dev/null
              echo "$(date -Is): Hyprland stopped" >> $HOME/.wsession.log
              systemctl --user stop hyprland-session.target
      	      logout
            fi
    '';

and in configuration.nix I have

  security = {
    pam.services = {
      login = {
        # startSession = true;
        enableGnomeKeyring = true;
      };
      # gnome keyring even without display manager
      logind.enableGnomeKeyring = true;
      # sshd.enableGnomeKeyring = true;
    };
    polkit = {
      enable = true;
    };
  };

and that makes it work. I’m not sure whether/where there is overlap there, and I really hate how messy and unclear this all is, but I’m reluctant to touch it again

EDIT:
Oops, of course most of that was actually for the ssh-agent, I also have gpg-agent via home-manager. Go figure.

  services.gpg-agent = {
    enable = true;
    defaultCacheTtl = 1800;
    enableSshSupport = false; # we want the normal SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
    pinentryFlavor = "gnome3";
  };

but come to think of it I haven’t seen a popup in ages, so I guess that means gnome-keyring is actually doing its job?

In the end I wouldn’t settle for anything less than having my keyring unlocked by logging into my user session and never having to enter gpg or ssh passwords during a normal session.

dacr · November 12, 2023, 8:42am

Thank you, it works fine although I’ve encountered this issue :

[info] gpg: signing failed: Inappropriate ioctl for device
[info] gpg: signing failed: Inappropriate ioctl for device
[error] java.lang.RuntimeException: Failure running 'gpg --detach-sign ...

because in my case gpg is run in background… execution controlled by the build tool. I’ve executed the command by hand in order to have the passphrase being taken into account and restart the full build tool process.

I’ll have to switch to the gtk3 approach I guess

dacr · November 12, 2023, 9:08am

Added in ~/.gnupg/gpg-agent.conf :

pinentry-program /run/current-system/sw/bin/pinentry-gtk-2

Use nix configuration :

  services.pcscd.enable = true;
  programs.gnupg.agent = {
    enable = true;
    #pinentryFlavor = "curses";
    pinentryFlavor = "gtk2";
    enableSSHSupport = true;
  };

With the following packages installed : gnupg pinentry-curses pinentry-gtk2 (I kept pinentry-curses as I will use it for other purposes)