Opened 10 years ago

Closed 9 years ago

Last modified 9 years ago

#43584 closed defect (fixed)

gpg-agent: enable launchd integration (including LaunchAgent file)

Reported by: Ionic (Mihai Moldovan) Owned by: Ionic (Mihai Moldovan)
Priority: Normal Milestone:
Component: ports Version:
Keywords: haspatch Cc: neverpanic (Clemens Lang), nerdling (Jeremy Lavergne), borys@…, cooljeanius (Eric Gallager)
Port: gpg-agent

Description

Until now, users in need of gpg-agent either had to install the bloated GPGTools script or write hacks to start gpg-agent (which only worked after restarting the terminal.)

To clean up this mess, I incorporated a patch for making gpg-agent launchd-compatible and set up a StartupItem MP users can load with launchctl load -w to automatically spawn gpg-agent after login.

The Portfile is currently establishing and deleting links and files in post-activate and post-deactivate. This sounds like the most logical way, as the uninstall phase will not be run during upgrades, but we still want to clean old StartupItems and links. Likewise, using the install phase for setting files and links in place would be possible, but this won't allow switching between installed versions easily.

Attachments (3)

gpg-agent_launchd.patch (24.5 KB) - added by Ionic (Mihai Moldovan) 10 years ago.
Patchset for launchd integration and StartupItem/LaunchAgent.
gpg-agent_launchd-launchd_control.patch (30.7 KB) - added by Ionic (Mihai Moldovan) 10 years ago.
Patchset for launchd integration and StartupItem/LaunchAgent. Doesn't exhibit startup issues. Also patches gnupg and gnupg2 to make them compatible.
gpg-agent_launchd-launchd_control.2.patch (6 bytes) - added by Ionic (Mihai Moldovan) 10 years ago.
EMPTY


Change History (14)

comment:1 Changed 10 years ago by borys@…

This patch is working well for me on 10.6.8.

gpg complains about a malformed GPG_AGENT_INFO because launchd is masking gpg's control socket in $HOME/.gnupg/S.gpg-agent with its own in /tmp/launch-XXXXXX/Listeners as configured by the gpg-agent.plist, dropping the pid & protocol version from GPG_AGENT_INFO.

gpg is still able to connect to the agent, though, so it's just a warning.

Thanks!

comment:2 Changed 10 years ago by Ionic (Mihai Moldovan)

Oh, do you have an example for me so that I can reproduce this?

GPG indeed shouldn't be searching $HOME/.gnupg/S.gpg-agent anymore. Actually, GPG_AGENT_INFO should also be available session-wide with the correct information.

ionic@nopileos~% echo $GPG_AGENT_INFO
/tmp/launch-KvsnGf/Listeners

comment:3 Changed 10 years ago by Ionic (Mihai Moldovan)

That's actually a bug. Thanks for catching that.

comment:4 Changed 10 years ago by borys@…

Cc: borys@… added

Cc Me!

Changed 10 years ago by Ionic (Mihai Moldovan)

Attachment: gpg-agent_launchd.patch added

Patchset for launchd integration and StartupItem/LaunchAgent.

comment:5 Changed 10 years ago by Ionic (Mihai Moldovan)

Updated patchset.

I have disabled the creation of a UNIX socket in the user's home directory and worked around the fact that one cannot control what the environment variable set via SecureSocketWithKey in the launchd plist is actually set to (as mentioned, dropping the PID and protocol version information.)

This is working for me, but there's a catch:
If users have programs starting up right after login, those programs won't inherit the correct environment variable. In order to solve this, one has to restart the application(s) in question.

I admit that this is very uncomfortable.

However, this solution also has a good side:
The SSH agent option is fail-safe. As gpg-agent is started after launchd initialized all sockets (and environment variables it sets), SSH_AUTH_SOCK will always be populated with some value, if another LaunchAgent is providing SSH agent support (like for instance Apple's or MacPorts's ssh-agent.) gpg-agent can query that and gracefully disable SSH agent support, to not collide with the other daemon.

This said, I guess that nobody is using SSH agent support in gpg-agent anyway.

There is another, more intrusive way to do stuff.

I could restore the previous behavior (setting GPG_AGENT_INFO to "/tmp/launch-xxxxxx/Listeners" only) and patch the other GPG ports, so that they accept a "malformed" GPG_AGENT_INFO value with the PID and protocol version stripped.

This may lead to a race condition when it comes to SSH_AUTH_SOCK. I don't know what happens when two Agents define that in their plist files. Probably one of them gets control over it, likely the first one to come.

I will thus disable SSH agent support completely.

In general, I think that an always available GPG_AGENT_INFO environment variable without clumsy application restarts outweighs the benefits of SSH agent support (and, really, nobody uses this. Apple even ships ssh-agent and it's turned on by default.)
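To make the two mechanisms discussed in this comment concrete, here is an added Python sketch; it is neither gnupg's code nor the attached patch. It accepts GPG_AGENT_INFO both in gnupg's classic path:pid:protocol form and in the bare-path form that launchd's SecureSocketWithKey produces, and applies the SSH_AUTH_SOCK fail-safe. The sample values are constructed, modelled on the ones quoted in the ticket.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed sample values (not taken from a real machine).
CLASSIC_INFO = "/Users/example/.gnupg/S.gpg-agent:12345:1"  # agent started by hand
LAUNCHD_INFO = "/tmp/launch-KvsnGf/Listeners"                # set via SecureSocketWithKey


@dataclass
class AgentInfo:
    socket_path: str
    pid: Optional[int]   # None when launchd set the variable: no PID is available
    protocol: int        # gpg-agent has only ever spoken protocol version 1


def parse_gpg_agent_info(value: str) -> AgentInfo:
    """Accept the classic 'path:pid:protocol' form and the bare socket path
    that launchd exports, which plain gnupg rejects as malformed."""
    if not value:
        raise ValueError("GPG_AGENT_INFO is empty")
    parts = value.split(":")
    if len(parts) == 1:
        # launchd form: only the socket path, PID and protocol stripped
        return AgentInfo(socket_path=parts[0], pid=None, protocol=1)
    if len(parts) != 3 or not parts[1].isdigit() or not parts[2].isdigit():
        raise ValueError("malformed GPG_AGENT_INFO environment variable")
    protocol = int(parts[2])
    if protocol != 1:
        raise ValueError(f"unsupported gpg-agent protocol version {protocol}")
    return AgentInfo(socket_path=parts[0], pid=int(parts[1]), protocol=protocol)


def ssh_support_enabled(env: Mapping[str, str]) -> bool:
    """Fail-safe from the comment above: if another LaunchAgent (Apple's or
    MacPorts' ssh-agent) already exported SSH_AUTH_SOCK, do not offer a
    second SSH agent that would collide with it."""
    return not env.get("SSH_AUTH_SOCK")


if __name__ == "__main__":
    print(parse_gpg_agent_info(CLASSIC_INFO))
    print(parse_gpg_agent_info(LAUNCHD_INFO))
    print("enable ssh support:", ssh_support_enabled({"SSH_AUTH_SOCK": "/tmp/x/Listeners"}))
```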

comment:6 Changed 10 years ago by Ionic (Mihai Moldovan)

This is working fine for me.

Please test it, especially Borys.

You will have to install the (patched) new versions of gpg-agent and either gnupg or gnupg2, or both, depending on what version you use.

comment:7 Changed 10 years ago by Ionic (Mihai Moldovan)

Updated patchset against the current MacPorts tree.

Changed 10 years ago by Ionic (Mihai Moldovan)

Patchset for launchd integration and StartupItem/LaunchAgent. Doesn't exhibit startup issues. Also patches gnupg and gnupg2 to make them compatible.

Changed 10 years ago by Ionic (Mihai Moldovan)

EMPTY

comment:8 Changed 10 years ago by Ionic (Mihai Moldovan)

Accidentally created a new attachment, please ignore the .2.patch file.

Updated patchset against the current gnupg1 and gnupg2 versions.

comment:9 Changed 9 years ago by Ionic (Mihai Moldovan)

Owner: changed from macports-tickets@… to ionic@…
Status: new → assigned

comment:10 Changed 9 years ago by Ionic (Mihai Moldovan)

Resolution: fixed
Status: assigned → closed

comment:11 Changed 9 years ago by cooljeanius (Eric Gallager)

Cc: egall@… added

Cc Me!
