From b5bea4ce32a26deb3b6d600893e37a4c347c66ab Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Sat, 27 Oct 2018 16:03:13 +0200
Subject: [PATCH] gnupg: disable gui/pinentry support by default

This solves the dependency cycle in gcr alternatively so there won't be two gnupg store paths in a standard NixOS system which has udisks2 enabled by default.

NixOS users are expected to use the gpg-agent user service to pull in the appropriate pinentry flavour or install it on their systemPackages and set it in their local gnupg agent config instead.

Co-authored-by: Florian Klink
---
 nixos/doc/manual/release-notes/rl-2003.xml | 9 ++++++++-
 nixos/modules/programs/gnupg.nix | 2 +-
 pkgs/development/libraries/gcr/default.nix | 6 +-----
 pkgs/tools/security/gnupg/20.nix | 2 +-
 pkgs/tools/security/gnupg/22.nix | 2 +-
 pkgs/top-level/all-packages.nix | 6 ++++--
 6 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml
index ab0951e831c..49ffcd1c2d2 100644
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@@ -85,7 +85,14 @@
-
+
+ GnuPG is now built without support for a graphical passphrase entry
+ by default. Please enable the gpg-agent user service
+ via the NixOS option programs.gnupg.agent.enable.
+ Note that upstream recommends using gpg-agent and
+ will spawn a gpg-agent on the first invocation of
+ GnuPG anyway.
+
diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix
index dd3d74c2632..4fb7c43c8b2 100644
--- a/nixos/modules/programs/gnupg.nix
+++ b/nixos/modules/programs/gnupg.nix
@@ -76,7 +76,7 @@ in
 thus overrides the pinentry option in gpg-agent.conf in the user's
 home directory.
 If not set at all, it'll pick an appropriate flavor depending on the
- system configuration (qt3 flavor for lxqt and plasma5, gtk2 for xfce
+ system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce
 4.12, gnome3 on all other systems with X enabled, ncurses otherwise).
 '';
 };
diff --git a/pkgs/development/libraries/gcr/default.nix b/pkgs/development/libraries/gcr/default.nix
index 18b568b0f6c..1947d40dc85 100644
--- a/pkgs/development/libraries/gcr/default.nix
+++ b/pkgs/development/libraries/gcr/default.nix
@@ -24,11 +24,7 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [ pkgconfig gettext gobject-introspection libxslt makeWrapper vala ];
- buildInputs = let
- gpg = gnupg.override { guiSupport = false; }; # prevent build cycle with pinentry_gnome
- in [
- gpg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk
- ];
+ buildInputs = [ gnupg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk ];
 propagatedBuildInputs = [ glib gtk3 p11-kit ];
diff --git a/pkgs/tools/security/gnupg/20.nix b/pkgs/tools/security/gnupg/20.nix
index 6336d319997..ef348e38834 100644
--- a/pkgs/tools/security/gnupg/20.nix
+++ b/pkgs/tools/security/gnupg/20.nix
@@ -3,7 +3,7 @@
 # Each of the dependencies below are optional.
 # Gnupg can be built without them at the cost of reduced functionality.
-, pinentry ? null, guiSupport ? true
+, pinentry ? null, guiSupport ? false
 , openldap ? null, bzip2 ? null, libusb ? null, curl ? null
 }:
diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix
index e2f460e7e30..f62f10c8cf9 100644
--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
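Review bot: The new `buildInputs = [ gnupg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk ];` line drops the only record of why gcr must not consume a GUI-enabled gnupg; the removed `let` block said `# prevent build cycle with pinentry_gnome`, and after this hunk the cycle is avoided solely because the default in 20.nix/22.nix flipped to `guiSupport ? false`. An overlay that turns that default back on, or a later revert of it, would reintroduce the cycle with nothing at this site pointing to the cause. Keeping the invariant as a trailing comment is enough: `buildInputs = [ gnupg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk ]; # relies on gnupg's guiSupport default being false: a GUI-enabled gnupg is a build cycle with pinentry_gnome`. The rest of the derivation is outside the hunk.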
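Review bot: The flipped default `, pinentry ? null, guiSupport ? false` is undocumented where it changes; the two header lines above it still only say that the dependencies are optional, and nothing tells a reader why the GUI build is now opt-in or that `pinentry` is presumably inert unless guiSupport is set explicitly (the body that consumes both arguments is outside the hunk, so that pairing is inferred). A third header line would carry the rationale the commit message gives, e.g. `# guiSupport defaults to false: wiring a pinentry flavour into gnupg itself creates a dependency cycle via gcr; on NixOS the gpg-agent service (programs.gnupg.agent.enable) supplies the pinentry instead.` The 22.nix hunk that follows makes the identical change and is missing the same comment.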
@@ -4,7 +4,7 @@
 # Each of the dependencies below are optional.
 # Gnupg can be built without them at the cost of reduced functionality.
-, pinentry ? null, guiSupport ? true
+, pinentry ? null, guiSupport ? false
 , adns ? null, gnutls ? null, libusb ? null, openldap ? null
 , readline ? null, zlib ? null, bzip2 ? null
 }:
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index d1c5611d389..56aa84bca7d 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -3499,10 +3499,12 @@ in
 gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { };
 gnupg1 = gnupg1compat; # use config.packageOverrides if you prefer original gnupg1
 gnupg20 = callPackage ../tools/security/gnupg/20.nix {
- pinentry = if stdenv.isDarwin then pinentry_mac else pinentry;
+ guiSupport = stdenv.isDarwin;
+ pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2;
 };
 gnupg22 = callPackage ../tools/security/gnupg/22.nix {
- guiSupport = stdenv.isDarwin;
+ pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2;
 };
 gnupg = gnupg22;
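Review bot: Outside Darwin the added `guiSupport = stdenv.isDarwin;` evaluates to false while the next line still passes `pinentry_gtk2`, so the gtk2 choice only takes effect when someone overrides guiSupport (the 20.nix/22.nix bodies that consume these arguments are outside the hunk, so this is inferred from the argument pairing), and neither that nor why gtk2 replaced the previous `pinentry` is recorded here; presumably the gtk2 flavour was picked because it does not feed the gcr cycle the commit message describes, but the diff does not say so. A comment on the first `guiSupport` line would spare the next reader a trip through the commit log, e.g. `# GUI pinentry is only wired in by default on Darwin; on NixOS the gpg-agent service supplies it. pinentry_gtk2 is used so that overriding guiSupport does not cycle through gcr.` The same two-line stanza is duplicated verbatim in gnupg20 and gnupg22; a shared `let` binding for the pair would keep them from drifting apart.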