You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When setting GNUPGHOME=$XDG_STATE_HOME/gnupg, or anything except GNUPGHOME=~/.gnupg, the systemd service will never be able to get the right $SSH_AUTH_SOCK. Instead, at startup, it will print:
Nov 26 20:55:56 redacted yubikey-touch-detector[23252]: time="2023-11-26T20:55:56-08:00" level=error msg="Cannot watch SSH, the socket '/run/user/1000/gnupg/S.gpg-agent.ssh' does not exist: stat /run/user/1000/gnupg/S.gpg-agent.ssh: no such file or directory"
The cause of the problem is that GPG will change the socket path to an effectively random subdirectory of /run/user/<uid>/gpg, such as /run/user/1000/gnupg/d.ua3izggs38hms8x3fa1edxxz/S.gpg-agent.ssh (more details). Since the correct $SSH_AUTH_SOCK is set by gpg-agent in the shell rc files (.zshrc in my case) which systemd doesn't run, the service will never get the right value.
My current workaround is a janky hack. I override the systemd service and add the following:
Aside from GPG fixing it upstream, the ideal fix would be for yubikey-touch-detector to run gpgconf --list-dirs agent-ssh-socket once at the start, and fall back to that. If for some reason the hash changes (which is possible, although it shouldn't happen during normal use - by the time I finished setting up my yubikey I had 9 subdirs), then it would only take a systemctl --user restart yubikey-touch-detector to fix.
The text was updated successfully, but these errors were encountered:
Thanks for the detailed report! I agree on your proposal to make the app execute gpgconf on startup. I'm thinking the priorities should be SSH_AUTH_SOCK > gpgconf > XDG_RUNTIME_DIR, would you agree?
If you feel like it, feel free to adapt the code snippet above to respect gpgconf and send a PR, which would automatically ensure that it solves your problem 😉
exec.Command("gpgconf", "--list-dirs", "agent-ssh-socket").Output() is probably a starting point 👍
When setting
GNUPGHOME=$XDG_STATE_HOME/gnupg
, or anything exceptGNUPGHOME=~/.gnupg
, the systemd service will never be able to get the right$SSH_AUTH_SOCK
. Instead, at startup, it will print:The cause of the problem is that GPG will change the socket path to an effectively random subdirectory of
/run/user/<uid>/gpg
, such as/run/user/1000/gnupg/d.ua3izggs38hms8x3fa1edxxz/S.gpg-agent.ssh
(more details). Since the correct$SSH_AUTH_SOCK
is set by gpg-agent in the shell rc files (.zshrc in my case) which systemd doesn't run, the service will never get the right value.My current workaround is a janky hack. I override the systemd service and add the following:
Aside from GPG fixing it upstream, the ideal fix would be for yubikey-touch-detector to run
gpgconf --list-dirs agent-ssh-socket
once at the start, and fall back to that. If for some reason the hash changes (which is possible, although it shouldn't happen during normal use - by the time I finished setting up my yubikey I had 9 subdirs), then it would only take asystemctl --user restart yubikey-touch-detector
to fix.The text was updated successfully, but these errors were encountered: