Bug 1479332 - gpg-agent can't be modified with --enable-ssh-support at startup
Summary: gpg-agent can't be modified with --enable-ssh-support at startup
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: gnupg2
Version: 26
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-08-08 11:36 UTC by Kees de Jong
Modified: 2017-08-15 09:22 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-15 09:22:25 UTC
Type: Bug
Embargoed:



Description Kees de Jong 2017-08-08 11:36:11 UTC
Description of problem:
I have the following in ~/.gnupg/gpg-agent.conf 
enable-ssh-support
extra-socket ~/.gnupg/S.gpg-agent.extra
default-cache-ttl 120
max-cache-ttl 300

But when I login to my GNOME session the --enable-ssh-support switch is not enabled.

I also created a local systemd unit file and enabled it at startup, but that doesn't do the trick either. This probably means that the distribution starts the gpg-agent when I log in and ignores the gpg-agent.conf in my home folder. I need the --enable-ssh-support option because I use the GPG keys on my Yubikey for ssh.



Version-Release number of selected component (if applicable): gnupg2-2.1.21-2.fc26.x86_64


Steps to Reproduce:
1. Add "enable-ssh-support" to ~/.gnupg/gpg-agent.conf
2. Login again to your GNOME session
3. Check the gpg-agent process with ps; --enable-ssh-support is missing.


Expected results: I expect to be able to modify the startup configuration of gpg-agent. But what I've tried so far doesn't work, except for killing gpg-agent and then starting it myself with the correct switches enabled.


Additional info: https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/

Comment 1 Tomas Mraz 2017-08-08 11:44:12 UTC
Is the option really ignored? Why do you expect --enable-ssh-support to be shown in the ps output if you set it in the gpg-agent.conf file?

Also, if Gnome somehow starts the gpg-agent in a way that the config file settings are ignored, I'd suggest reassigning it to some appropriate Gnome component. I do not personally use Gnome and have no idea about its session startup.

Comment 2 Kees de Jong 2017-08-08 11:49:41 UTC
The --enable-ssh-support option is visible in ps when I restart gpg-agent with this local systemd unit file.


[Unit]
Description=GnuPG Agent
IgnoreOnIsolate=true

[Service]
Type=forking
Environment=SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh
ExecStart=/usr/bin/gpg-agent --homedir %h/.gnupg --enable-ssh-support --daemon
ExecStartPost=/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=${SSH_AUTH_SOCK}

[Install]
WantedBy=default.target


After I restart that, it works. I can do a test without a desktop environment, then we can cancel out that causality.

Comment 3 Tomas Mraz 2017-08-08 12:02:46 UTC
But there you explicitly call it with --enable-ssh-support on the command line.

Comment 4 Kees de Jong 2017-08-15 09:22:25 UTC
Using the upstream gpg systemd files is sufficient to get ssh working with the gpg keys on a Yubikey: https://dev.gnupg.org/source/gnupg/browse/master/doc/examples/systemd-user/

After the example systemd files are symlinked to /usr/lib/systemd/user/, they need to be activated with:
systemctl --user --global enable gpg-agent.socket
systemctl --user --global enable gpg-agent-ssh.socket

Then make sure this is included in your .bash_profile: export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh

Then it works like a charm!
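Two points in this thread are easy to get wrong when checking a setup like the one above: an option read from gpg-agent.conf never appears in the ps command line (Comment 1), and the ssh-agent emulation only works if SSH_AUTH_SOCK actually points at gpg-agent's socket (Comment 4). The script below is an added diagnostic, not part of the bug report or of GnuPG's own files. It assumes the socket is named S.gpg-agent.ssh under $XDG_RUNTIME_DIR/gnupg, as in the unit file and the .bash_profile line quoted above, and that `gpgconf --list-dirs agent-ssh-socket` is available (it is in GnuPG 2.1.x releases of this era). Without arguments it exercises the checks on a constructed copy of the config from the report; with --live it inspects the current session.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report or from GnuPG). It checks
#  1. whether enable-ssh-support is an active line in gpg-agent.conf
#     (options read from the config file are never visible in `ps`), and
#  2. whether SSH_AUTH_SOCK points at gpg-agent's ssh socket.
# Assumed socket name: $XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh.

# conf_has_option FILE OPTION
# Succeeds when OPTION is the first word of an uncommented line in FILE.
conf_has_option() {
    file=$1
    opt=$2
    [ -r "$file" ] || return 1
    # drop everything after a '#', then look for the option as first field
    sed -e 's/#.*//' "$file" |
        awk -v o="$opt" '$1 == o { found = 1 } END { if (found) exit 0; exit 1 }'
}

# auth_sock_is_gpg_agent PATH
# Succeeds when PATH has the shape of gpg-agent's ssh socket.
auth_sock_is_gpg_agent() {
    case $1 in
        */gnupg/S.gpg-agent.ssh) return 0 ;;
        *) return 1 ;;
    esac
}

# Exercise the helpers on a constructed copy of the reporter's config.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'enable-ssh-support' \
        'extra-socket ~/.gnupg/S.gpg-agent.extra' \
        'default-cache-ttl 120' 'max-cache-ttl 300' > "$tmp"
    if conf_has_option "$tmp" enable-ssh-support; then
        echo "sample conf: enable-ssh-support is active"
    fi
    # a commented-out option must not count as enabled
    printf '# enable-ssh-support\n' > "$tmp"
    if ! conf_has_option "$tmp" enable-ssh-support; then
        echo "sample conf: commented-out line is correctly ignored"
    fi
    rm -f "$tmp"
}

# Live check of the running session; needs gpgconf, systemctl and ssh-add.
live_check() {
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    if conf_has_option "$conf" enable-ssh-support; then
        echo "ok: enable-ssh-support set in $conf"
    else
        echo "missing: enable-ssh-support not set in $conf"
    fi
    # gpgconf reports the socket path the agent will actually use
    sock=$(gpgconf --list-dirs agent-ssh-socket)
    echo "agent ssh socket: $sock"
    if auth_sock_is_gpg_agent "${SSH_AUTH_SOCK:-}"; then
        echo "ok: SSH_AUTH_SOCK=$SSH_AUTH_SOCK"
    else
        echo "SSH_AUTH_SOCK is '${SSH_AUTH_SOCK:-unset}', not the gpg-agent socket"
    fi
    systemctl --user is-active gpg-agent-ssh.socket
    # with the socket unit active and the card plugged in, this lists the key
    ssh-add -L
}

case ${1:-} in
    --live) live_check ;;
    *) demo ;;
esac
```

If the live check reports the option as set but `ssh-add -L` still finds nothing, the usual cause is a stale SSH_AUTH_SOCK from the desktop session's own ssh-agent or keyring, which is exactly the symptom the reporter saw; the socket path printed by gpgconf is the value the .bash_profile export has to match.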

