diff --git a/modules/nitrokey-gpg-smartcard.nix b/modules/nitrokey-gpg-smartcard.nix
index d365a23..91ce040 100644
--- a/modules/nitrokey-gpg-smartcard.nix
+++ b/modules/nitrokey-gpg-smartcard.nix
@@ -9,8 +9,7 @@
 # - smartcard should be listed
 # gpg --card-status
 # - ssh should work
- # export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
- # ssh nas
+ # ssh yodaNas
 # - signed git commits should work in IntelliJ
 # IntelliJ IDE -> git commit -> graphical pinentry should pop-up
@@ -29,8 +28,6 @@
 # TODO: gpg-agent pinentry problem
 # https://github.com/NixOS/nixpkgs/issues/97861
- # TODO: Maybe GNOME is overriding the SSH agent socket that is set elswhere by NixOS?
- # https://wiki.archlinux.org/title/GnuPG#GNOME_on_Wayland_overrides_SSH_agent_socket
 #
 # gpgconf --check-programs
 #=> gpgconf: error running '/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/pinentry': probably not installed
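Review bot: The smoke-test checklist drops the `export SSH_AUTH_SOCK=...` step but adds no check that the variable now points at the gpg-agent socket, which is exactly what the gnome-keyring change later in this commit is meant to guarantee; a failing `ssh yodaNas` would then be hard to tell apart from a card or key problem. Consider adding two lines before the ssh step, e.g. `# echo $SSH_AUTH_SOCK   # should end in gnupg/S.gpg-agent.ssh` and `# ssh-add -L            # should list the card's key`. The enclosing comment block continues outside the hunk.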
@@ -80,13 +77,33 @@
 ssh.startAgent = false;
 gnupg.agent = {
 enable = true;
- # ... Also sets SSH_AUTH_SOCK environment variable correctly.
+ # Sets SSH_AUTH_SOCK environment variable.
 enableSSHSupport = true;
 #pinentryFlavor = "curses";
 pinentryFlavor = "gnome3";
 };
 };
+ # GNOME Keyring: Disable SSH agent.
+ #
+ # Without this,
+ # export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
+ # is required before ssh can use the smartcard (through gpg-agent).
+ #
+ # GNOME Keyring will override the SSH_AUTH_SOCK variable
+ # if it starts its own SSH agent. The docs suggest to disable
+ # SSH agent support in GNOME Keyring if using another SSH agent:
+ # https://wiki.gnome.org/Projects/GnomeKeyring/Ssh
+ #
+ # Here are related issues:
+ # https://github.com/NixOS/nixpkgs/issues/8356
+ # https://github.com/NixOS/nixpkgs/issues/42291
+ # https://wiki.archlinux.org/title/GnuPG#GNOME_on_Wayland_overrides_SSH_agent_socket
+ #
+ # Solution 1: https://github.com/NixOS/nixpkgs/issues/42291#issuecomment-399630199
+ # Solution 2: https://github.com/NixOS/nixpkgs/issues/42291#issuecomment-687979733
+ services.gnome.gnome-keyring.enable = pkgs.lib.mkForce false;
+
 # Adds the pinentry binary to the PATH so that e.g.
 # echo GETPIN | pinentry
 # works.
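Review bot: The comment header "Disable SSH agent" understates what `services.gnome.gnome-keyring.enable = pkgs.lib.mkForce false;` does: it turns off the whole gnome-keyring service, not only its SSH agent component, so anything on this machine that stores or reads secrets through the keyring's secret service (e.g. desktop apps using libsecret) presumably loses that backend — worth confirming and stating, since the cited GNOME wiki advice is about disabling just the SSH part. The comment also lists "Solution 1" and "Solution 2" without saying which one this line implements, and `mkForce` silently wins over any other module that enables the keyring, so a one-line reason for needing force (rather than a plain `false`) would help the next reader. I would add `# NOTE: this disables the entire gnome-keyring daemon (secret storage included), not just its SSH agent; mkForce is needed because another module enables it unconditionally — TODO confirm which.` If the module takes `lib` in its argument set, `lib.mkForce` is the conventional spelling over `pkgs.lib.mkForce`; the module header is outside the hunk.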