Split pinentry flavours and enable udisks2 on install media again

nixos/doc/manual/release-notes/rl-1903.xml

@@ -137,6 +137,16 @@
      make sure to update your configuration if you want to keep <literal>proglodyte-wasm</literal>
     </para>
    </listitem>
+   <listitem>
+    <para>
+      GnuPG is now built without support for a graphical passphrase entry
+      by default. Please enable the <literal>gpg-agent</literal> user service
+      via the NixOS option <literal>programs.gnupg.agent.enable</literal>.
+      Note that upstream recommends using <literal>gpg-agent</literal> and
+      will spawn a <literal>gpg-agent</literal> on the first invocation of
+      GnuPG anyway.
+     </para>
+   </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -596,7 +596,11 @@ sub multiLineList {
   # Some programs need SUID wrappers, can be configured further or are
   # started in user sessions.
   # programs.mtr.enable = true;
-  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  #   flavour = "gtk2";
+  # };
 
   # List services that you want to enable:
 

nixos/modules/profiles/installation-device.nix

@@ -33,7 +33,6 @@ with lib;
 
     # Disable some other stuff we don't need.
     security.sudo.enable = mkDefault false;
-    services.udisks2.enable = mkDefault false;
 
     # Automatically log in at the virtual consoles.
     services.mingetty.autologinUser = "root";

nixos/modules/programs/gnupg.nix

@@ -6,6 +6,19 @@ let
 
   cfg = config.programs.gnupg;
 
+  xserverCfg = config.services.xserver;
+
+  defaultPinentryFlavour =
+    if xserverCfg.desktopManager.gnome3.enable then
+      "gnome3"
+    else if xserverCfg.desktopManager.lxqt.enable
+         || xserverCfg.desktopManager.plasma5.enable then
+      "qt"
+    else if xserverCfg.xserver.enable then
+      "gtk2"
+    else
+      null;
+
 in
 
 {
@@ -45,6 +58,17 @@ in
       '';
     };
 
+    agent.pinentryFlavour = mkOption {
+      type = types.nullOr (types.enum pkgs.pinentry.flavours);
+      example = "gtk2";
+      description = ''
+        Which pinentry interface to use. If not null, the path to the
+        pinentry binary will be passed to gpg-agent via commandline and
+        thus overrides the pinentry option in gpg-agent.conf in the user's
+        home directory.
+      '';
+    };
+
     dirmngr.enable = mkOption {
       type = types.bool;
       default = false;
@@ -55,6 +79,16 @@ in
   };
 
   config = mkIf cfg.agent.enable {
+    programs.gnupg.agent.pinentryFlavour = mkDefault defaultPinentryFlavour;
+
+    # This overrides the systemd user unit shipped with the gnupg package
+    systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavour != null) {
+      serviceConfig.ExecStart = [ "" ''
+        ${pkgs.gnupg}/bin/gpg-agent --supervised \
+          --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavour}}/bin/pinentry
+      '' ];
+    };
+
     systemd.user.sockets.gpg-agent = {
       wantedBy = [ "sockets.target" ];
     };

pkgs/desktops/gnome-3/core/gcr/default.nix

@@ -24,10 +24,8 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ pkgconfig intltool gobjectIntrospection libxslt makeWrapper vala ];
 
-  buildInputs = let
-    gpg = gnupg.override { guiSupport = false; }; # prevent build cycle with pinentry_gnome
-  in [
-    gpg libgcrypt libtasn1 dbus-glib pango gdk_pixbuf atk
+  buildInputs = [
+    gnupg libgcrypt libtasn1 dbus-glib pango gdk_pixbuf atk
   ];
 
   propagatedBuildInputs = [ glib gtk p11-kit ];

pkgs/tools/security/gnupg/20.nix

@@ -3,7 +3,7 @@
 
 # Each of the dependencies below are optional.
 # Gnupg can be built without them at the cost of reduced functionality.
-, pinentry ? null, guiSupport ? true
+, pinentry ? null, guiSupport ? false
 , openldap ? null, bzip2 ? null, libusb ? null, curl ? null
 }:
 

pkgs/tools/security/gnupg/22.nix

@@ -3,7 +3,7 @@
 
 # Each of the dependencies below are optional.
 # Gnupg can be built without them at the cost of reduced functionality.
-, pinentry ? null, guiSupport ? true
+, pinentry ? null, guiSupport ? false
 , adns ? null, gnutls ? null, libusb ? null, openldap ? null
 , readline ? null, zlib ? null, bzip2 ? null
 }:

pkgs/tools/security/pinentry/default.nix

@@ -1,13 +1,41 @@
 { fetchurl, fetchpatch, stdenv, lib, pkgconfig
-, libgpgerror, libassuan, libcap ? null, libsecret ? null, ncurses ? null,  gtk2 ? null, gcr ? null, qt ? null
-, enableEmacs ? false
+, libgpgerror, libassuan
+, ncurses, gtk2, qt
+, libcap ? null, libsecret ? null, gcr ? null
+, flavours ? [ "curses" "tty" "gtk2" "qt" "gnome3" "emacs" ]
 }:
 
+with stdenv.lib;
+
+assert isList flavours && flavours != [];
+
 let
-  mkFlag = pfxTrue: pfxFalse: cond: name: "--${if cond then pfxTrue else pfxFalse}-${name}";
+  mkFlag = pfxTrue: pfxFalse: cond: name:
+    "--${if cond then pfxTrue else pfxFalse}-${name}";
   mkEnable = mkFlag "enable" "disable";
   mkWith = mkFlag "with" "without";
+
+  mkEnablePinentry = f:
+    let
+      info = flavourInfo.${f};
+      inputs = info.buildInputs or [];
+      flag = flavourInfo.${f}.flag or null;
+      inputsSatifsfied = inputs == [] || all (f: !(isNull f)) inputs;
+    in
+      optionalString (flag != null)
+        (mkEnable (elem f flavours && inputsSatifsfied) ("pinentry-" + flag));
+
+  flavourInfo = {
+    curses = { bin = "curses"; buildInputs = [ ncurses ]; };
+    tty = { bin = "tty"; flag = "tty"; };
+    gtk2 = { bin = "gtk-2"; flag = "gtk2"; buildInputs = [ gtk2 ]; };
+    gnome3 = { bin = "gnome3"; flag = "gnome3"; buildInputs = [ gcr ]; };
+    qt = { bin = "qt"; flag = "qt"; buildInputs = [ qt ]; };
+    emacs = { bin = "emacs"; flag = "emacs"; buildInputs = []; };
+  };
+
 in
+
 stdenv.mkDerivation rec {
   name = "pinentry-1.1.0";
 
@@ -16,13 +44,11 @@ stdenv.mkDerivation rec {
     sha256 = "0w35ypl960pczg5kp6km3dyr000m1hf0vpwwlh72jjkjza36c1v8";
   };
 
-  buildInputs = [ libgpgerror libassuan libcap libsecret gtk2 gcr ncurses qt ];
-
-  prePatch = ''
-    substituteInPlace pinentry/pinentry-curses.c --replace ncursesw ncurses
-  '';
+  nativeBuildInputs = [ pkgconfig ];
+  buildInputs = [ libgpgerror libassuan libcap libsecret ]
+    ++ flatten (flip map flavours (f: flavourInfo.${f}.buildInputs or []));
 
-  patches = lib.optionals (gtk2 != null) [
+  patches = optionals (elem "gtk2" flavours) [
     (fetchpatch {
       url = https://sources.debian.org/data/main/p/pinentry/1.1.0-1/debian/patches/0007-gtk2-When-X11-input-grabbing-fails-try-again-over-0..patch;
       sha256 = "15r1axby3fdlzz9wg5zx7miv7gqx2jy4immaw4xmmw5skiifnhfd";
@@ -32,15 +58,24 @@ stdenv.mkDerivation rec {
   configureFlags = [
     (mkWith   (libcap != null)    "libcap")
     (mkEnable (libsecret != null) "libsecret")
-    (mkEnable (ncurses != null)   "pinentry-curses")
-    (mkEnable true                "pinentry-tty")
-    (mkEnable enableEmacs         "pinentry-emacs")
-    (mkEnable (gtk2 != null)      "pinentry-gtk2")
-    (mkEnable (gcr != null)       "pinentry-gnome3")
-    (mkEnable (qt != null)        "pinentry-qt")
-  ];
+  ] ++ (map mkEnablePinentry (attrNames flavourInfo));
 
-  nativeBuildInputs = [ pkgconfig ];
+  postInstall =
+    concatStrings (flip map flavours (f:
+      let
+        binary = "pinentry-" + flavourInfo.${f}.bin;
+        outputVar = "$" + f;
+      in ''
+        moveToOutput bin/${binary} ${outputVar}
+        ln -sf ${outputVar}/bin/${binary} ${outputVar}/bin/pinentry
+      ''))
+    + ''
+      ln -sf ${head flavours}/bin/pinentry-${flavourInfo.${head flavours}.bin} $out/bin/pinentry
+    '';
+
+  outputs = [ "out" ] ++ flavours;
+
+  passthru = { inherit flavours; };
 
   meta = with stdenv.lib; {
     homepage = http://gnupg.org/aegypten2/;
@@ -51,6 +86,6 @@ stdenv.mkDerivation rec {
       Pinentry provides a console and (optional) GTK+ and Qt GUIs allowing users
       to enter a passphrase when `gpg' or `gpg2' is run and needs it.
     '';
-    maintainers = [ maintainers.ttuegel ];
+    maintainers = with maintainers; [ ttuegel fpletz ];
   };
 }

pkgs/top-level/all-packages.nix

@@ -2894,10 +2894,12 @@ with pkgs;
   gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { };
   gnupg1 = gnupg1compat;    # use config.packageOverrides if you prefer original gnupg1
   gnupg20 = callPackage ../tools/security/gnupg/20.nix {
-    pinentry = if stdenv.isDarwin then pinentry_mac else pinentry;
+    guiSupport = stdenv.isDarwin;
+    pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2;
   };
   gnupg22 = callPackage ../tools/security/gnupg/22.nix {
-    pinentry = if stdenv.isDarwin then pinentry_mac else pinentry;
+    guiSupport = stdenv.isDarwin;
+    pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2;
   };
   gnupg = gnupg22;
 
@@ -4735,26 +4737,19 @@ with pkgs;
 
   pinentry = callPackage ../tools/security/pinentry {
     libcap = if stdenv.isDarwin then null else libcap;
-  };
-
-  pinentry_ncurses = self.pinentry.override {
-    gtk2 = null;
-  };
-
-  pinentry_emacs = self.pinentry.override {
-    enableEmacs = true;
-  };
-
-  pinentry_gnome = self.pinentry.override {
+    qt = qt5.qtbase;
     gcr = gnome3.gcr;
   };
 
-  pinentry_qt4 = self.pinentry.override {
-    qt = qt4;
-  };
+  pinentry_curses = pinentry.curses;
+  pinentry_emacs = pinentry.emacs;
+  pinentry_gtk2 = pinentry.gtk2;
+  pinentry_qt = pinentry.qt;
+  pinentry_gnome = pinentry.gnome3;
 
-  pinentry_qt5 = self.pinentry.override {
-    qt = qt5.qtbase;
+  pinentry_qt4 = pinentry.override {
+    qt = qt4;
+    flavours = [ "qt" "curses" "tty" ];
   };
 
   pinentry_mac = callPackage ../tools/security/pinentry/mac.nix {