diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml
index 839d75b53bd18..0145f050b24d4 100644
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@@ -137,6 +137,16 @@
make sure to update your configuration if you want to keep proglodyte-wasm
+
+
+ GnuPG is now built without support for a graphical passphrase entry
+ by default. Please enable the gpg-agent user service
+ via the NixOS option programs.gnupg.agent.enable.
+ Note that upstream recommends using gpg-agent and
+ will spawn a gpg-agent on the first invocation of
+ GnuPG anyway.
+
+
diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl
index b70faa380e545..776647f2c2ef8 100644
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -596,7 +596,11 @@ sub multiLineList {
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
- # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # flavour = "gtk2";
+ # };
# List services that you want to enable:
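Review bot: The new example sets `flavour = "gtk2";`, but the option this commit declares in nixos/modules/programs/gnupg.nix is `programs.gnupg.agent.pinentryFlavour`, so a user who uncomments the snippet gets an undefined-option evaluation error instead of a GTK pinentry. Change the line to `#   pinentryFlavour = "gtk2";`. The template string that emits this configuration.nix skeleton starts and ends outside the hunk.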
diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix
index 370db2b084527..3cca1e29f6f6b 100644
--- a/nixos/modules/profiles/installation-device.nix
+++ b/nixos/modules/profiles/installation-device.nix
@@ -33,7 +33,6 @@ with lib;
# Disable some other stuff we don't need.
security.sudo.enable = mkDefault false;
- services.udisks2.enable = mkDefault false;
# Automatically log in at the virtual consoles.
services.mingetty.autologinUser = "root";
diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix
index addc9dcca87ed..21a64dad9ac70 100644
--- a/nixos/modules/programs/gnupg.nix
+++ b/nixos/modules/programs/gnupg.nix
@@ -6,6 +6,19 @@ let
cfg = config.programs.gnupg;
+ xserverCfg = config.services.xserver;
+
+ defaultPinentryFlavour =
+ if xserverCfg.desktopManager.gnome3.enable then
+ "gnome3"
+ else if xserverCfg.desktopManager.lxqt.enable
+ || xserverCfg.desktopManager.plasma5.enable then
+ "qt"
+ else if xserverCfg.xserver.enable then
+ "gtk2"
+ else
+ null;
+
in
{
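Review bot: `xserverCfg.xserver.enable` in the third branch of `defaultPinentryFlavour` expands to `config.services.xserver.xserver.enable`, since `xserverCfg` is already bound to `config.services.xserver` one line above; that path is not a declared option, so evaluation fails for every system that enables the agent without GNOME, LXQt or Plasma (the only case in which this branch is reached). It should read `else if xserverCfg.enable then`. A short comment stating the fallback order would also help, e.g. `# gnome3 -> gnome3, lxqt/plasma5 -> qt, any other X session -> gtk2, headless -> null`. The enclosing `let` opens before this hunk.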
@@ -45,6 +58,17 @@ in
'';
};
+ agent.pinentryFlavour = mkOption {
+ type = types.nullOr (types.enum pkgs.pinentry.flavours);
+ example = "gtk2";
+ description = ''
+ Which pinentry interface to use. If not null, the path to the
+ pinentry binary will be passed to gpg-agent via commandline and
+ thus overrides the pinentry option in gpg-agent.conf in the user's
+ home directory.
+ '';
+ };
+
dirmngr.enable = mkOption {
type = types.bool;
default = false;
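Review bot: `agent.pinentryFlavour` has no `default`; its value is only supplied by the `mkDefault defaultPinentryFlavour` assignment in the config section, which sits inside `mkIf cfg.agent.enable`, so with the agent disabled the option has neither default nor definition and anything that reads it (e.g. `nixos-option`) errors. Add `default = null;` — the `mkDefault` in the config block still wins, since mkDefault (priority 1000) takes precedence over an option default (1500). The description should also tell the reader where the value comes from, e.g. append "When the agent is enabled the module picks a default from the enabled desktop manager: gnome3 for GNOME, qt for LXQt/Plasma, gtk2 for any other X session, null otherwise."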
@@ -55,6 +79,16 @@ in
};
config = mkIf cfg.agent.enable {
+ programs.gnupg.agent.pinentryFlavour = mkDefault defaultPinentryFlavour;
+
+ # This overrides the systemd user unit shipped with the gnupg package
+ systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavour != null) {
+ serviceConfig.ExecStart = [ "" ''
+ ${pkgs.gnupg}/bin/gpg-agent --supervised \
+ --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavour}}/bin/pinentry
+ '' ];
+ };
+
systemd.user.sockets.gpg-agent = {
wantedBy = [ "sockets.target" ];
};
diff --git a/pkgs/desktops/gnome-3/core/gcr/default.nix b/pkgs/desktops/gnome-3/core/gcr/default.nix
index ea2883a5716a4..4f19ee06ecf8c 100644
--- a/pkgs/desktops/gnome-3/core/gcr/default.nix
+++ b/pkgs/desktops/gnome-3/core/gcr/default.nix
@@ -24,10 +24,8 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ pkgconfig intltool gobjectIntrospection libxslt makeWrapper vala ];
- buildInputs = let
- gpg = gnupg.override { guiSupport = false; }; # prevent build cycle with pinentry_gnome
- in [
- gpg libgcrypt libtasn1 dbus-glib pango gdk_pixbuf atk
+ buildInputs = [
+ gnupg libgcrypt libtasn1 dbus-glib pango gdk_pixbuf atk
];
propagatedBuildInputs = [ glib gtk p11-kit ];
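Review bot: The removed `gnupg.override { guiSupport = false; }` carried the only explanation of the gnupg → pinentry → gcr → gnupg build cycle; after this hunk the absence of that cycle rests on gnupg's new `guiSupport ? false` default (set to `stdenv.isDarwin` in all-packages.nix) and on Nix not forcing the `pinentry_gtk2` argument that all-packages.nix still passes to gnupg — that is my reading of the other hunks, not something this file shows. Keep that knowledge next to the dependency, e.g. `# plain gnupg is safe here: without guiSupport it does not reference pinentry, so no cycle via pinentry -> gcr`. The `guiSupport = stdenv.isDarwin;` lines of the all-packages.nix gnupg20/gnupg22 hunk deserve the same comment.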
diff --git a/pkgs/tools/security/gnupg/20.nix b/pkgs/tools/security/gnupg/20.nix
index 6ae2bbc436ed5..6c4d7f320f3f0 100644
--- a/pkgs/tools/security/gnupg/20.nix
+++ b/pkgs/tools/security/gnupg/20.nix
@@ -3,7 +3,7 @@
# Each of the dependencies below are optional.
# Gnupg can be built without them at the cost of reduced functionality.
-, pinentry ? null, guiSupport ? true
+, pinentry ? null, guiSupport ? false
, openldap ? null, bzip2 ? null, libusb ? null, curl ? null
}:
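Review bot: The header comment above the parameter list still only says these dependencies are optional; with `guiSupport` now defaulting to `false`, nothing in this file tells a reader that the `pinentry` argument is presumably only consumed when `guiSupport` is true, and that a GUI-less build leaves pinentry selection to gpg-agent.conf or to the NixOS module's `--pinentry-program`. Suggest a comment next to the parameter, e.g. `# guiSupport wires the pinentry binary into gpg-agent at build time; off by default, see the 19.03 release note`. The same applies to the identical hunk in 22.nix.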
diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix
index 06a06f5721c9b..a6a7fadd53c7d 100644
--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
@@ -3,7 +3,7 @@
# Each of the dependencies below are optional.
# Gnupg can be built without them at the cost of reduced functionality.
-, pinentry ? null, guiSupport ? true
+, pinentry ? null, guiSupport ? false
, adns ? null, gnutls ? null, libusb ? null, openldap ? null
, readline ? null, zlib ? null, bzip2 ? null
}:
diff --git a/pkgs/tools/security/pinentry/default.nix b/pkgs/tools/security/pinentry/default.nix
index 3a7e1b5a3437a..14e6d5e22bd68 100644
--- a/pkgs/tools/security/pinentry/default.nix
+++ b/pkgs/tools/security/pinentry/default.nix
@@ -1,13 +1,41 @@
{ fetchurl, fetchpatch, stdenv, lib, pkgconfig
-, libgpgerror, libassuan, libcap ? null, libsecret ? null, ncurses ? null, gtk2 ? null, gcr ? null, qt ? null
-, enableEmacs ? false
+, libgpgerror, libassuan
+, ncurses, gtk2, qt
+, libcap ? null, libsecret ? null, gcr ? null
+, flavours ? [ "curses" "tty" "gtk2" "qt" "gnome3" "emacs" ]
}:
+with stdenv.lib;
+
+assert isList flavours && flavours != [];
+
let
- mkFlag = pfxTrue: pfxFalse: cond: name: "--${if cond then pfxTrue else pfxFalse}-${name}";
+ mkFlag = pfxTrue: pfxFalse: cond: name:
+ "--${if cond then pfxTrue else pfxFalse}-${name}";
mkEnable = mkFlag "enable" "disable";
mkWith = mkFlag "with" "without";
+
+ mkEnablePinentry = f:
+ let
+ info = flavourInfo.${f};
+ inputs = info.buildInputs or [];
+ flag = flavourInfo.${f}.flag or null;
+ inputsSatifsfied = inputs == [] || all (f: !(isNull f)) inputs;
+ in
+ optionalString (flag != null)
+ (mkEnable (elem f flavours && inputsSatifsfied) ("pinentry-" + flag));
+
+ flavourInfo = {
+ curses = { bin = "curses"; buildInputs = [ ncurses ]; };
+ tty = { bin = "tty"; flag = "tty"; };
+ gtk2 = { bin = "gtk-2"; flag = "gtk2"; buildInputs = [ gtk2 ]; };
+ gnome3 = { bin = "gnome3"; flag = "gnome3"; buildInputs = [ gcr ]; };
+ qt = { bin = "qt"; flag = "qt"; buildInputs = [ qt ]; };
+ emacs = { bin = "emacs"; flag = "emacs"; buildInputs = []; };
+ };
+
in
+
stdenv.mkDerivation rec {
name = "pinentry-1.1.0";
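Review bot: `flavours` is only checked to be a non-empty list, while every later lookup is `flavourInfo.${f}`, so an unknown flavour fails deep inside `mkEnablePinentry` or `buildInputs` with an attribute-missing error rather than at the assert; and a requested flavour whose input is null is silently compiled out by the `inputsSatifsfied` conjunct instead of being rejected, which presumably only surfaces later as a failed `moveToOutput`/`ln` in postInstall. A validating assert has to sit after `in`, where `flavourInfo` is in scope. Style points in the same let-block: `inputsSatifsfied` is misspelled, the inner lambda `(f: !(isNull f))` shadows the outer `f`, `flag` reads `flavourInfo.${f}.flag` although `info` was bound for exactly that, `inputs == [] ||` is redundant because `all` of an empty list is true, and `isNull` is deprecated in favour of `!= null`. Note also that `curses` has no `flag`, so `flavours` cannot switch `--enable/--disable-pinentry-curses` and the curses binary is built whenever ncurses (now a mandatory input) is present; if that is intended, say so in a comment on the `curses` entry.
```nix
  mkEnablePinentry = f:
    let
      info = flavourInfo.${f};
      inputs = info.buildInputs or [];
      flag = info.flag or null;
      inputsSatisfied = all (dep: dep != null) inputs;
    in
    optionalString (flag != null)
      (mkEnable (elem f flavours && inputsSatisfied) ("pinentry-" + flag));

  # … unchanged: flavourInfo …
in

# every requested flavour must be one we know how to build
assert all (f: flavourInfo ? ${f}) flavours;

stdenv.mkDerivation rec {
```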
@@ -16,13 +44,11 @@ stdenv.mkDerivation rec {
sha256 = "0w35ypl960pczg5kp6km3dyr000m1hf0vpwwlh72jjkjza36c1v8";
};
- buildInputs = [ libgpgerror libassuan libcap libsecret gtk2 gcr ncurses qt ];
-
- prePatch = ''
- substituteInPlace pinentry/pinentry-curses.c --replace ncursesw ncurses
- '';
+ nativeBuildInputs = [ pkgconfig ];
+ buildInputs = [ libgpgerror libassuan libcap libsecret ]
+ ++ flatten (flip map flavours (f: flavourInfo.${f}.buildInputs or []));
- patches = lib.optionals (gtk2 != null) [
+ patches = optionals (elem "gtk2" flavours) [
(fetchpatch {
url = https://sources.debian.org/data/main/p/pinentry/1.1.0-1/debian/patches/0007-gtk2-When-X11-input-grabbing-fails-try-again-over-0..patch;
sha256 = "15r1axby3fdlzz9wg5zx7miv7gqx2jy4immaw4xmmw5skiifnhfd";
@@ -32,15 +58,24 @@ stdenv.mkDerivation rec {
configureFlags = [
(mkWith (libcap != null) "libcap")
(mkEnable (libsecret != null) "libsecret")
- (mkEnable (ncurses != null) "pinentry-curses")
- (mkEnable true "pinentry-tty")
- (mkEnable enableEmacs "pinentry-emacs")
- (mkEnable (gtk2 != null) "pinentry-gtk2")
- (mkEnable (gcr != null) "pinentry-gnome3")
- (mkEnable (qt != null) "pinentry-qt")
- ];
+ ] ++ (map mkEnablePinentry (attrNames flavourInfo));
- nativeBuildInputs = [ pkgconfig ];
+ postInstall =
+ concatStrings (flip map flavours (f:
+ let
+ binary = "pinentry-" + flavourInfo.${f}.bin;
+ outputVar = "$" + f;
+ in ''
+ moveToOutput bin/${binary} ${outputVar}
+ ln -sf ${outputVar}/bin/${binary} ${outputVar}/bin/pinentry
+ ''))
+ + ''
+ ln -sf ${head flavours}/bin/pinentry-${flavourInfo.${head flavours}.bin} $out/bin/pinentry
+ '';
+
+ outputs = [ "out" ] ++ flavours;
+
+ passthru = { inherit flavours; };
meta = with stdenv.lib; {
homepage = http://gnupg.org/aegypten2/;
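Review bot: The final `ln -sf ${head flavours}/bin/pinentry-… $out/bin/pinentry` interpolates the flavour name, not the output variable — compare `outputVar = "$" + f` a few lines above — so `$out/bin/pinentry` becomes a dangling relative link to e.g. `curses/bin/pinentry-curses`; it should read `ln -sf ${"$" + head flavours}/bin/pinentry-${flavourInfo.${head flavours}.bin} $out/bin/pinentry`. Once fixed, `out` references the first flavour's output and the default pinentry depends on list order, which `passthru.flavours` exposes but nothing documents; a comment such as `# the first flavour is the default reached via $out/bin/pinentry` belongs above `postInstall`. `postInstall` also loops over all of `flavours` even when `mkEnablePinentry` disabled one because its input was null, so that case presumably fails at `moveToOutput`/`ln` rather than with a clear message.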
@@ -51,6 +86,6 @@ stdenv.mkDerivation rec {
Pinentry provides a console and (optional) GTK+ and Qt GUIs allowing users
to enter a passphrase when `gpg' or `gpg2' is run and needs it.
'';
- maintainers = [ maintainers.ttuegel ];
+ maintainers = with maintainers; [ ttuegel fpletz ];
};
}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 782fb6d8dd897..7b88a7a570c8b 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -2894,10 +2894,12 @@ with pkgs;
gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { };
gnupg1 = gnupg1compat; # use config.packageOverrides if you prefer original gnupg1
gnupg20 = callPackage ../tools/security/gnupg/20.nix {
- pinentry = if stdenv.isDarwin then pinentry_mac else pinentry;
+ guiSupport = stdenv.isDarwin;
+ pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2;
};
gnupg22 = callPackage ../tools/security/gnupg/22.nix {
- pinentry = if stdenv.isDarwin then pinentry_mac else pinentry;
+ guiSupport = stdenv.isDarwin;
+ pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2;
};
gnupg = gnupg22;
@@ -4735,26 +4737,19 @@ with pkgs;
pinentry = callPackage ../tools/security/pinentry {
libcap = if stdenv.isDarwin then null else libcap;
- };
-
- pinentry_ncurses = self.pinentry.override {
- gtk2 = null;
- };
-
- pinentry_emacs = self.pinentry.override {
- enableEmacs = true;
- };
-
- pinentry_gnome = self.pinentry.override {
+ qt = qt5.qtbase;
gcr = gnome3.gcr;
};
- pinentry_qt4 = self.pinentry.override {
- qt = qt4;
- };
+ pinentry_curses = pinentry.curses;
+ pinentry_emacs = pinentry.emacs;
+ pinentry_gtk2 = pinentry.gtk2;
+ pinentry_qt = pinentry.qt;
+ pinentry_gnome = pinentry.gnome3;
- pinentry_qt5 = self.pinentry.override {
- qt = qt5.qtbase;
+ pinentry_qt4 = pinentry.override {
+ qt = qt4;
+ flavours = [ "qt" "curses" "tty" ];
};
pinentry_mac = callPackage ../tools/security/pinentry/mac.nix {