pyrox.dev / nixpkgs
lol
fork atom

gnupg: disable gui/pinentry support by default

This solves the dependency cycle in gcr alternatively so there won't be
two gnupg store paths in a standard NixOS system which has udisks2 enabled
by default.

NixOS users are expected to use the gpg-agent user service to pull in the
appropriate pinentry flavour or install it on their systemPackages and set
it in their local gnupg agent config instead.

Co-authored-by: Florian Klink <flokli@flokli.de>

Franz Pletz 3d832dee c2576266

options
unified split
Changed files
+16 -11
nixos
doc
manual
release-notes
rl-2003.xml
modules
programs
gnupg.nix
pkgs
development
libraries
gcr
default.nix
tools
security
gnupg
20.nix
22.nix
top-level
all-packages.nix
+8 -1
nixos/doc/manual/release-notes/rl-2003.xml 
···

       
85

       
 

       



     

       
86

       
 

       
  <itemizedlist>


     

       
87

       
 

       
   <listitem>


     

       
88

       
-

       
    <para />


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
89

       
 

       
   </listitem>


     

       
90

       
 

       
  </itemizedlist>


     

       
91

       
 

       
 </section>


     
···

       
85

       
 

       



     

       
86

       
 

       
  <itemizedlist>


     

       
87

       
 

       
   <listitem>


     

       
88

       
+

       
    <para>


     

       
89

       
+

       
      GnuPG is now built without support for a graphical passphrase entry


     

       
90

       
+

       
      by default. Please enable the <literal>gpg-agent</literal> user service


     

       
91

       
+

       
      via the NixOS option <literal>programs.gnupg.agent.enable</literal>.


     

       
92

       
+

       
      Note that upstream recommends using <literal>gpg-agent</literal> and


     

       
93

       
+

       
      will spawn a <literal>gpg-agent</literal> on the first invocation of


     

       
94

       
+

       
      GnuPG anyway.


     

       
95

       
+

       
    </para>


     

       
96

       
 

       
   </listitem>


     

       
97

       
 

       
  </itemizedlist>


     

       
98

       
 

       
 </section>
+1 -1
nixos/modules/programs/gnupg.nix 
···

       
76

       
 

       
        thus overrides the pinentry option in gpg-agent.conf in the user's


     

       
77

       
 

       
        home directory.


     

       
78

       
 

       
        If not set at all, it'll pick an appropriate flavor depending on the


     

       
79

       
-

       
        system configuration (qt3 flavor for lxqt and plasma5, gtk2 for xfce


     

       
80

       
 

       
        4.12, gnome3 on all other systems with X enabled, ncurses otherwise).


     

       
81

       
 

       
      '';


     

       
82

       
 

       
    };


     
···

       
76

       
 

       
        thus overrides the pinentry option in gpg-agent.conf in the user's


     

       
77

       
 

       
        home directory.


     

       
78

       
 

       
        If not set at all, it'll pick an appropriate flavor depending on the


     

       
79

       
+

       
        system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce


     

       
80

       
 

       
        4.12, gnome3 on all other systems with X enabled, ncurses otherwise).


     

       
81

       
 

       
      '';


     

       
82

       
 

       
    };
+1 -5
pkgs/development/libraries/gcr/default.nix 
···

       
24

       
 

       



     

       
25

       
 

       
  nativeBuildInputs = [ pkgconfig gettext gobject-introspection libxslt makeWrapper vala ];


     

       
26

       
 

       



     

       
27

       
-

       
  buildInputs = let


     

       
28

       
-

       
    gpg = gnupg.override { guiSupport = false; }; # prevent build cycle with pinentry_gnome


     

       
29

       
-

       
  in [


     

       
30

       
-

       
    gpg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk


     

       
31

       
-

       
  ];


     

       
32

       
 

       



     

       
33

       
 

       
  propagatedBuildInputs = [ glib gtk3 p11-kit ];


     

       
34

       
 

       



     
···

       
24

       
 

       



     

       
25

       
 

       
  nativeBuildInputs = [ pkgconfig gettext gobject-introspection libxslt makeWrapper vala ];


     

       
26

       
 

       



     

       
27

       
+

       
  buildInputs = [ gnupg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk ];


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
28

       
 

       



     

       
29

       
 

       
  propagatedBuildInputs = [ glib gtk3 p11-kit ];


     

       
30
+1 -1
pkgs/tools/security/gnupg/20.nix 
···

       
3

       
 

       



     

       
4

       
 

       
# Each of the dependencies below are optional.


     

       
5

       
 

       
# Gnupg can be built without them at the cost of reduced functionality.


     

       
6

       
-

       
, pinentry ? null, guiSupport ? true


     

       
7

       
 

       
, openldap ? null, bzip2 ? null, libusb ? null, curl ? null


     

       
8

       
 

       
}:


     

       
9

       
 

       



     
···

       
3

       
 

       



     

       
4

       
 

       
# Each of the dependencies below are optional.


     

       
5

       
 

       
# Gnupg can be built without them at the cost of reduced functionality.


     

       
6

       
+

       
, pinentry ? null, guiSupport ? false


     

       
7

       
 

       
, openldap ? null, bzip2 ? null, libusb ? null, curl ? null


     

       
8

       
 

       
}:


     

       
9
+1 -1
pkgs/tools/security/gnupg/22.nix 
···

       
4

       
 

       



     

       
5

       
 

       
# Each of the dependencies below are optional.


     

       
6

       
 

       
# Gnupg can be built without them at the cost of reduced functionality.


     

       
7

       
-

       
, pinentry ? null, guiSupport ? true


     

       
8

       
 

       
, adns ? null, gnutls ? null, libusb ? null, openldap ? null


     

       
9

       
 

       
, readline ? null, zlib ? null, bzip2 ? null


     

       
10

       
 

       
}:


     
···

       
4

       
 

       



     

       
5

       
 

       
# Each of the dependencies below are optional.


     

       
6

       
 

       
# Gnupg can be built without them at the cost of reduced functionality.


     

       
7

       
+

       
, pinentry ? null, guiSupport ? false


     

       
8

       
 

       
, adns ? null, gnutls ? null, libusb ? null, openldap ? null


     

       
9

       
 

       
, readline ? null, zlib ? null, bzip2 ? null


     

       
10

       
 

       
}:
+4 -2
pkgs/top-level/all-packages.nix 
···

       
3499

       
 

       
  gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { };


     

       
3500

       
 

       
  gnupg1 = gnupg1compat;    # use config.packageOverrides if you prefer original gnupg1


     

       
3501

       
 

       
  gnupg20 = callPackage ../tools/security/gnupg/20.nix {


     

       
3502

       
-

       
    pinentry = if stdenv.isDarwin then pinentry_mac else pinentry;


     

       

       

       
     

       
3503

       
 

       
  };


     

       
3504

       
 

       
  gnupg22 = callPackage ../tools/security/gnupg/22.nix {


     

       
3505

       
-

       
    pinentry = if stdenv.isDarwin then pinentry_mac else pinentry;


     

       

       

       
     

       
3506

       
 

       
  };


     

       
3507

       
 

       
  gnupg = gnupg22;


     

       
3508

       
 

       



     
···

       
3499

       
 

       
  gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { };


     

       
3500

       
 

       
  gnupg1 = gnupg1compat;    # use config.packageOverrides if you prefer original gnupg1


     

       
3501

       
 

       
  gnupg20 = callPackage ../tools/security/gnupg/20.nix {


     

       
3502

       
+

       
    guiSupport = stdenv.isDarwin;


     

       
3503

       
+

       
    pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2;


     

       
3504

       
 

       
  };


     

       
3505

       
 

       
  gnupg22 = callPackage ../tools/security/gnupg/22.nix {


     

       
3506

       
+

       
    guiSupport = stdenv.isDarwin;


     

       
3507

       
+

       
    pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2;


     

       
3508

       
 

       
  };


     

       
3509

       
 

       
  gnupg = gnupg22;


     

       
3510