Bug 1479332

Summary: gpg-agent can't be modified with --enable-ssh-support at startup
Product: Fedora
Reporter: Kees de Jong <keesdejong+dev>
Component: gnupg2
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 26
CC: bcl, jamielinux, tmraz
Hardware: All
OS: Linux
Last Closed: 2017-08-15 09:22:25 UTC
Type: Bug

Description Kees de Jong 2017-08-08 11:36:11 UTC
Description of problem:
I have the following in ~/.gnupg/gpg-agent.conf 
enable-ssh-support
extra-socket ~/.gnupg/S.gpg-agent.extra
default-cache-ttl 120
max-cache-ttl 300

But when I log in to my GNOME session the --enable-ssh-support switch is not enabled.

I also created a local systemd unit file and enabled it at startup, but that doesn't do the trick either. This probably means that the distribution starts the gpg-agent when I log in and ignores the gpg-agent.conf in my home folder. I need --enable-ssh-support because I use the GPG keys on my Yubikey for ssh.



Version-Release number of selected component (if applicable): gnupg2-2.1.21-2.fc26.x86_64


Steps to Reproduce:
1. Add "enable-ssh-support" to ~/.gnupg/gpg-agent.conf
2. Log in again to your GNOME session
3. Check the gpg-agent process with ps; --enable-ssh-support is missing.


Expected results: I expect to be able to modify the startup configuration of gpg-agent. But what I've tried so far doesn't work, except for killing gpg-agent and then starting it myself with the correct switches enabled.


Additional info: https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/

Comment 1 Tomas Mraz 2017-08-08 11:44:12 UTC
Is the option really ignored? Why do you expect --enable-ssh-support to be shown in the ps output if you set it in the gpg-agent.conf file?

Also, if Gnome somehow starts the gpg-agent in a way that the config file settings are ignored, I'd suggest reassigning it to some appropriate Gnome component. I do not personally use Gnome and have no idea about its session startup.

Comment 2 Kees de Jong 2017-08-08 11:49:41 UTC
The --enable-ssh-support option is visible in ps when I restart gpg-agent with this local systemd unit-file.


[Unit]
Description=GnuPG Agent
IgnoreOnIsolate=true

[Service]
Type=forking
# %t expands to $XDG_RUNTIME_DIR, %h to the user's home directory
Environment=SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh
ExecStart=/usr/bin/gpg-agent --homedir %h/.gnupg --enable-ssh-support --daemon
# Publish the socket path into the systemd --user environment for units started later
ExecStartPost=/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=${SSH_AUTH_SOCK}

[Install]
WantedBy=default.target


After I restart that, it works. I can do a test without a desktop environment, then we can cancel out that causality.

Comment 3 Tomas Mraz 2017-08-08 12:02:46 UTC
But there you explicitly call it with --enable-ssh-support on the command line.

Comment 4 Kees de Jong 2017-08-15 09:22:25 UTC
Using the upstream gpg systemd files is sufficient to get ssh working with the gpg keys on a Yubikey: https://dev.gnupg.org/source/gnupg/browse/master/doc/examples/systemd-user/

After the example systemd files are symlinked to /usr/lib/systemd/user/, they need to be activated with:
systemctl --user --global enable gpg-agent.socket
systemctl --user --global enable gpg-agent-ssh.socket

Then make sure this is included in your .bash_profile: export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh

Then it works as a charm!
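An added example, not from this bug report or from GnuPG: because options set in gpg-agent.conf never show up in the ps command line (Comment 1), this shell check reads the config file directly and compares SSH_AUTH_SOCK against the socket path that gpgconf reports (the path Comment 4 exports), which is the reliable way to confirm SSH support is actually in effect. The function names are my own; the live check assumes gpgconf is installed.

```shell
#!/usr/bin/env bash
# Added example: verify gpg-agent SSH support without grepping ps.

# Return 0 if the given gpg-agent.conf enables SSH support.
# Handles leading/trailing whitespace and '#' comments; a line that is
# only commented out does not count.
agent_conf_has_ssh_support() {
    local conf="$1" line
    [ -r "$conf" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                        # strip comments
        line="${line#"${line%%[![:space:]]*}"}"   # trim leading whitespace
        line="${line%"${line##*[![:space:]]}"}"   # trim trailing whitespace
        [ "$line" = "enable-ssh-support" ] && return 0
    done < "$conf"
    return 1
}

# Return 0 if SSH_AUTH_SOCK (arg 1) refers to the agent's ssh socket (arg 2).
# When both paths exist, symlinks are resolved before comparing.
ssh_auth_sock_is_gpg_agent() {
    local sock="$1" expected="$2"
    [ -n "$sock" ] && [ -n "$expected" ] || return 1
    if [ -e "$sock" ] && [ -e "$expected" ]; then
        [ "$(readlink -f "$sock")" = "$(readlink -f "$expected")" ]
    else
        [ "$sock" = "$expected" ]
    fi
}

# Live check for the current session (assumes gpgconf is installed).
check_live() {
    local conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" expected
    expected="$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)" || return 1
    agent_conf_has_ssh_support "$conf" \
        || { echo "enable-ssh-support is not set in $conf"; return 1; }
    ssh_auth_sock_is_gpg_agent "${SSH_AUTH_SOCK:-}" "$expected" \
        || { echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} does not match $expected"; return 1; }
    [ -S "$expected" ] \
        || { echo "$expected is missing: is gpg-agent-ssh.socket enabled?"; return 1; }
    echo "gpg-agent SSH support is active on $expected"
}
```

Run `check_live` from a login shell; a failure message names which of the three pieces (config option, exported variable, socket unit) is missing.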