On 2024-08-17 08:18:47-04:00, Andreas Metzler wrote:
> On 2024-08-16 Richard Hansen <rhan...@rhansen.org> wrote:
>> On 8/16/24 05:55, Andreas Metzler wrote:
>>> I think I will revert
>>> https://salsa.debian.org/debian/gnupg2/-/commit/2ed898c22475d25dbc874b9cdc82063c31c4e603
>>
>> That would work, although I wonder: If the user has enable-ssh-support in their ~/.gnupg/gpg-agent.conf and disables the gpg-agent-ssh.socket unit file, wouldn't that environment generator still set SSH_AUTH_SOCK? Wouldn't it be better to never set SSH_AUTH_SOCK if gpg-agent-ssh.socket is disabled?
>
> Hello,
>
> hm, afaict systemd does not offer dependencies between environment-generators and units

That is my understanding as well.

> (otherwise afaict BindsTo with After would do the trick).

Yeah, that would be nice.

> One could document that changing/enabling the unit also might require changes to the generator.

Users are unlikely to see that documentation until after they have already wasted time troubleshooting, and changing a generator is not as easy as disabling a unit, so I'd prefer to find a friendlier solution.

Perhaps the environment generator could check to see if the unit is enabled? I don't know how difficult it would be to make that check robust. It's probably easier to just do the ExecStartPost command.

> BTW two questions:
> Is it necessary to use
>
> ExecStartPost=sh -c '[ -z "$$(gpgconf --list-options gpg-agent | awk -F: \'/^enable-ssh-support:/{print$$10}\')" ] || systemctl --user set-environment "$$@"' - "SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh"
>
> instead of the simpler
>
> ExecStartPost=sh -c '[ -z "$$(gpgconf --list-options gpg-agent | awk -F: \'/^enable-ssh-support:/{print$$10}\')" ] || systemctl --user set-environment "SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh"'

It is only necessary if %t might expand to something containing shell meta characters such as double quotes, dollar sign, or backslash. It's easier to conservatively quote than to figure out if malicious code could possibly inject something into %t ($XDG_RUNTIME_DIR).

> I could not find whether single quotes in systemd files prevent % (or even $)-expansion, perhaps you can help me. - TIA

From my understanding of systemd.syntax(7), there is no difference in behavior between a pair of double quotes and a pair of single quotes (other than how easy it is to embed single/double quotes inside, of course).

> The generator checked the "okay" field in 'gpgconf --check-options gpg-agent'. I guess you left that out in the socket file because the ExecStartPost command will only run if the agent started successfully.

Correct.

Thanks,
Richard
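Added example, not from the thread or the Debian gnupg2 packaging: a POSIX sh script that models where systemd's %t expansion ends up in the two ExecStartPost forms discussed above. It assumes a constructed runtime-dir value that contains a command-substitution sequence, lets $1 play the part of the already-expanded %t, and uses printf in place of `systemctl --user set-environment` so it runs without systemd; the gpgconf check is left out.

```shell
#!/bin/sh
# Added example: models the two ExecStartPost quoting styles from the thread.
# systemd substitutes %t textually before sh ever runs; here $1 plays the
# part of the expanded %t, and printf stands in for
# "systemctl --user set-environment".

# Constructed runtime-dir value containing a command-substitution sequence.
# A real XDG_RUNTIME_DIR would not look like this; it only makes the
# difference between the two forms visible.
RUNTIME_DIR='/run/user/1000/x$(echo INJECTED)'

# Form 1 (the longer one): the expanded %t is its own argv element after the
# "-" placeholder for $0, and the script reaches it through "$@".  sh copies
# the value verbatim; nothing inside it is re-parsed.
run_positional() {
    sh -c 'printf "%s\n" "$@"' - "SSH_AUTH_SOCK=$1/gnupg/S.gpg-agent.ssh"
}

# Form 2 (the shorter one): the expanded %t is spliced into the text of the
# -c script itself.  sh parses that text, so the $(...) inside the value is
# executed as a command substitution.
run_inline() {
    sh -c 'printf "%s\n" "SSH_AUTH_SOCK='"$1"'/gnupg/S.gpg-agent.ssh"'
}

echo "positional: $(run_positional "$RUNTIME_DIR")"
echo "inline:     $(run_inline "$RUNTIME_DIR")"
```

The positional form prints the value exactly as given, while the inline form prints `xINJECTED`, showing that the embedded `$(...)` was run by the shell.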