The GNU Privacy Guard 2.3 man page for `gpg-agent` describes the
`--grab` and `--no-grab` options as follows:

> Tell the pinentry to grab the keyboard and mouse. This option should
> be used on X-Servers to avoid X-sniffing attacks. Any use of the
> option --grab overrides an used option --no-grab. The default is
> --no-grab.
Therefore Home Manager should explicitly output `grab` when
`cfg.grabKeyboardAndMouse` is true. Previously Home Manager emitted
`no-grab` when `cfg.grabKeyboardAndMouse` was false.

PR #3192

In esoteric setups, automatically setting GPG_TTY to the current tty is not
desired on every shell startup. This change adds configuration options
to allow the user to disable that if desired.
Make `gpgconf` only perform an import from derivation when the GPG
`homedir` is set to a non-default value, which probably isn't the case
for most users.

* gpg-agent: local agent acting as ssh-agent should yield
This happens commonly if someone is using home manager with gpg-agent
acting as ssh-agent on both machines.
@rycee brought up how gpg-itself has some support for agents on both
ends, but in that case one is forwarding the gpg-agent socket rather
than forwarding the gpg-agent-as-ssh-agent socket. There is no need to
forward both.
So I think this is a good default:
- Forward just gpg-agent socket and this doesn't matter.
- Forward just the ssh-agent socket and this does the right thing.
- Forward both sockets and now the ssh one takes priority instead, but
forwarding both was always a silly thing to do.
Fix #667
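The "yield" behaviour above, as an added shell example that is not Home Manager's module code: at shell startup, keep an already-present `SSH_AUTH_SOCK` (typically a socket forwarded by the remote sshd) and only fall back to the local gpg-agent's ssh socket when nothing usable is set. The local socket path is passed in as an argument so the function can be exercised offline; in live use it would come from `gpgconf --list-dirs agent-ssh-socket`. The stale-socket fallback is an assumption added here, not something the commit describes.

```shell
#!/bin/sh
# Added example (not Home Manager's code): pick the SSH_AUTH_SOCK to export,
# letting a forwarded ssh-agent socket win over the local gpg-agent.
#
# $1  current SSH_AUTH_SOCK value (may be empty)
# $2  local gpg-agent ssh socket (live use: gpgconf --list-dirs agent-ssh-socket)
# Prints the socket path that should be exported.
choose_ssh_auth_sock() {
    current="$1"
    local_gpg="$2"

    # Nothing set yet: the local gpg-agent should act as ssh-agent.
    if [ -z "$current" ]; then
        printf '%s\n' "$local_gpg"
        return 0
    fi

    # Something is set but no longer a live socket (e.g. a forwarded socket
    # left over in a tmux session after the SSH connection closed). Treat it
    # as absent rather than exporting a dead path. (Assumption of this example.)
    if [ ! -S "$current" ]; then
        printf '%s\n' "$local_gpg"
        return 0
    fi

    # A live socket is already present, forwarded or otherwise: yield to it.
    printf '%s\n' "$current"
}

# Live usage (uncomment on a machine running gpg-agent with --enable-ssh-support):
# SSH_AUTH_SOCK=$(choose_ssh_auth_sock "$SSH_AUTH_SOCK" "$(gpgconf --list-dirs agent-ssh-socket)")
# export SSH_AUTH_SOCK
```

When both a forwarded ssh-agent socket and a forwarded gpg-agent socket arrive, the ssh one is what `SSH_AUTH_SOCK` already points at, so it takes priority exactly as the third bullet above describes.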
* Update modules/services/gpg-agent.nix
Co-authored-by: Nicolas Berbiche <nic.berbiche@gmail.com>
This option enables a GPG Agent restricted socket (aka "extra-socket"), which
can be used to forward GPG Agent over SSH.
Additionally, the `verbose` option enables verbose output of the `gpg-agent.service`
unit for easier debugging.
See: https://wiki.gnupg.org/AgentForwarding
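Using the restricted socket over SSH, as an added shell example that is not Home Manager's code: following the scheme on the linked GnuPG wiki page, the remote sshd binds the remote host's regular agent socket path and relays it to the local extra socket, so the remote side only gets the operations the restricted socket allows. The socket paths below are constructed placeholders; on a real system they come from `gpgconf --list-dirs agent-extra-socket` (locally) and `gpgconf --list-dirs agent-socket` (on the remote host).

```shell
#!/bin/sh
# Added example (not Home Manager's code): emit the ssh_config directive that
# forwards the local restricted gpg-agent socket to a remote host.

# Print one RemoteForward line. Argument order matters: the REMOTE socket
# path comes first (what sshd binds on the far side), the LOCAL extra socket
# second (what incoming connections are relayed to).
agent_forward_directive() {
    remote_socket="$1"
    local_extra_socket="$2"
    printf 'RemoteForward %s %s\n' "$remote_socket" "$local_extra_socket"
}

# Print a complete Host block for ~/.ssh/config.
agent_forward_host_block() {
    host="$1"
    remote_socket="$2"
    local_extra_socket="$3"
    printf 'Host %s\n' "$host"
    printf '    %s\n' "$(agent_forward_directive "$remote_socket" "$local_extra_socket")"
}

# Live usage on the local machine (uncomment; remote path is whatever
# `gpgconf --list-dirs agent-socket` prints on the remote host):
# local_extra=$(gpgconf --list-dirs agent-extra-socket)
# agent_forward_host_block buildhost /run/user/1000/gnupg/S.gpg-agent "$local_extra"
```

Two settings on the remote host are needed for this to work, both described on the wiki page: `StreamLocalBindUnlink yes` in `sshd_config` so a stale socket file does not block the bind, and no gpg-agent of its own running on the remote host, since a local agent there would otherwise reclaim the socket path.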