gnupg: Support declarative GPG keysfiles

[MilesBreslin]

Adds a new option programs.gpg.keyfiles to be an array of paths to gpg key exports.

Is implemented as an activation script that runs gpg --import $key for each key.

[rycee]

Thanks for the contribution! I've added a few comments.

[veehaitch]

I'd like to revive this PR :) happy to lend a hand.

[veehaitch]

Instead of adding the given keys to any preexisting state of GnuPG, we could also create the file pubring.kbx in its entirety and symlink it similar to .gnupg/gpg.conf.

[MilesBreslin]

I really like this idea, but I'm unsure how to implement it

[colemickens]

How does this work though, does this then prevent me from ever importing gpg keys without adding them to my h-m configuration first? I'd prefer to just have them imported on top, like I think is happening now.

[veehaitch]

@colemickens That's correct. I think, however, that such an approach is well aligned with the goal of achieving a declarative, reproducible configuration. Moreover, home-manager works like this in other places as well, for example programs.git.

@MilesBreslin We could create a derivation which sets export GNUPGHOME=$TMPDIR, imports all configured keys and then produces pubring.kbx as an output.

[colemickens]

Hm. To me, Git's configuration is completely static, whereas I regularly have to import gpg keys on the fly to work with sops or just do general things; so I view them differently (however, I am of course a fan of having everything managed, so I get this desire).

If GPG had a way to read from multiple pubrings, I'd be a lot more excited about pre-forming and symlinking the primary one.

Can we support both, maybe?

[veehaitch]

It would be great to have an option to also give the ownertrust of a key. This information is stored in the file .gnupg/trustdb.gpg. Unfortuantely, it is regularly written to by GnuPG even on operations which one would regard as read-only. Therefore, symlinking into the Nix store (as I'd suggest for the public keys, see below) would likely cause unexpected issues. It could be a middle ground to copy the trustdb.gpg file instead of symlinking it.

[MilesBreslin]

I've added mutable and immutable support for both key files and trust. Since the trustdb needs to be writable, it gets copied on each activation.

[MilesBreslin]

Is there a better way to do this?

[stale]

Thank you for your contribution! I marked this pull request as stale due to inactivity. If this remains inactive for another 7 days, I will close this PR. Please read the relevant sections below before commenting.

If you are the original author of the PR

• GitHub sometimes doesn't notify people who commented / reviewed a PR previously, when you (force) push commits. If you have addressed the reviews you can officially ask for a review from those who commented to you or anyone else.
• If it is unfinished but you plan to finish it, please mark it as a draft.
• If you don't expect to work on it any time soon, please consider closing it with a short comment encouraging someone else to pick up your work.
• To get things rolling again, rebase the PR against the target branch and address valid comments.

If you are not the original author of the issue

• If you want to pick up the work on this PR, please create a new PR and indicate that it supercedes and closes this PR.

[colemickens]

:( I'd still like to see this.

[MilesBreslin]

Is there something I can do to push this along? I've been running with my own version of this for a while now, but I'd still like to get it upstream.

[rycee]

I finally had a bit of time to look at this more carefully. Rebased and made a few cleanups and such. The most noticeable one is renaming programs.gpg.keyfiles to programs.gpg.publicKeys, which seems to me a more descriptive name.

Please have a look at the last few commits and see if I made any mistakes.

[MilesBreslin]

These changes look good at a glance. It's been a while since I've looked at this, but it looks like everything is there and should be functional. I'll give it a go this weekend.

Thanks for helping organize this. This looks better!

[MilesBreslin]

Tested on my configuration. It seems to be working with no issues now. I use mutableTrust = false and mutableKeys = false. There was an issue with the trust not getting set, but I've added commits to both fix that and test for that.

[MilesBreslin]

Existing file '/home/user/.gnupg/pubring.kbx.old' would be clobbered by backing up '/home/user/.gnupg/pubring.kbx'
Please move the above files and try again or use -b <ext> to move automatically.

Looks like this needs to be more forceful.

[MilesBreslin]

Looking into this further, this is just a migration issue on my end. This is working as intended.

[rycee]

@MilesBreslin Nice, so this is OK to merge? If so, then I can squash and merge as soon as possible.

[MilesBreslin]

@rycee Yes, this should be good to merge.

[rycee]

Great, merged to master now. Good job!

[ebbertd]

Thank you for making this possible. This works great.