Open aartoni opened 11 months ago
I've literally given up on getting it to work and moved on :) Tried for months, no success.
I use Artix, runit, startx. The functionality works perfectly. Here are my configs:
-rw-r--r-- 1 root root /etc/pam.d/system-local-login
#%PAM-1.0
auth include system-login
account include system-login
password include system-login
session include system-login
auth optional pam_gnupg.so store-only
session optional pam_gnupg.so
-rw------- 1 user user ~/.local/share/gnupg/gpg-agent.conf
allow-preset-passphrase
max-cache-ttl 86400
pinentry-program /usr/bin/pinentry-qt
NOTE: I prefer to use pinentry-qt, since the curses version needs to spawn in a terminal and the gnome version needs, well, gnome. That is why some previously mentioned setups failed to work.
-rwxr-xr-x 1 user user ~/.config/x11/xinitrc
if [ -f "${XDG_CONFIG_HOME:-$HOME/.config}/x11/xprofile" ]; then
. "${XDG_CONFIG_HOME:-$HOME/.config}/x11/xprofile"
else
. "$HOME/.xprofile"
fi
ssh-agent dwm
-rwxr-xr-x 1 user user ~/.config/x11/xprofile
#!/bin/sh
xrandr --dpi 96 # Set DPI. User may want to use a larger number for larger screens.
setbg $XDG_DATA_HOME/wallpapers & # set the background with the `setbg` script
xrdb $XDG_CONFIG_HOME/x11/xresources & xrdbpid=$! # Uncomment to use Xresources colors/settings on startup
autostart="mpd xcompmgr dunst unclutter pipewire remapd"
for program in $autostart; do
pidof -sx "$program" || "$program" &
done >/dev/null 2>&1
[ -n "$xrdbpid" ] && wait "$xrdbpid"
-rw------- 1 user user ~/.config/pam-gnupg
****************************************
NOTE: * stands for the output of gpg -K --with-keygrip
-rw-r--r-- 1 user user ~/.zprofile
export GNUPGHOME="$XDG_DATA_HOME/gnupg"
-rw-r--r-- 1 root root /etc/security/pam_env.conf
GNUPGHOME DEFAULT=@{HOME}/.local/share/gnupg
@CheesyChocolate just to be sure that we are using the same setup, are you using runit as your init system? Which version of the pam-gnupg (or pam-gnupg-git) package are you running?
Here are my configs:
# -rw-r--r-- 1 root root 220 Aug 2 15:16 /etc/pam.d/system-local-login
#%PAM-1.0
auth include system-login
account include system-login
password include system-login
session include system-login
auth optional pam_gnupg.so store-only
session optional pam_gnupg.so
# -rw------- 1 aartoni aartoni 117 Aug 2 15:34 .gnupg/gpg-agent.conf
allow-preset-passphrase
default-cache-ttl 86400
max-cache-ttl 86400
pinentry-program /usr/bin/pinentry-dmenu
# -rw------- 1 arto arto 41 Jul 31 22:50 .config/pam-gnupg
# Here is the keygrip
Every other dotfile is the current default from LARBS. The pinentry program is actually able to work so I'm sure that the gpg-agent.conf file is being read.
As I updated my comment, I use runit
$ yay -Qi pam-gnupg-git
Name : pam-gnupg-git
Version : r54.3be7745-1
@CheesyChocolate thanks for your follow-up. I've just tried setting up my GNUPGHOME as in your configuration, so I have updated my .zprofile and moved the content accordingly:
export GNUPGHOME="$XDG_DATA_HOME/gnupg"
I'm still able to sign messages after login with, e.g., echo | gpg --clearsign. If I may ask you something more, I'd like to know if you're sure that there's no extra configuration involved, for instance, the pam-gnupg README.md states that you should put the path to your GNUPGHOME in your .config/pam-gnupg before any keygrip, which doesn't seem to be your case.
Can you try running:
grep -Eir 'g(nu)?pg' ~cf
And see if there's anything that doesn't come from LARBS/voidrice?
I configured this a year ago, so I don't remember everything, but here are some configs that I missed:
-rw-r--r-- 1 root root /etc/security/pam_env.conf
GNUPGHOME DEFAULT=@{HOME}/.local/share/gnupg
I couldn't find any other relevant configuration.
Happy to help
I'm pretty sure this doesn't work :) When I was making that report, I was using Artix as well, and there are even debug attempts by the Artix devs on the forum with me; we failed at making it work ... I dunno what the GNUPGHOME directory has to do with anything ... when I didn't move GNUPG ... I've tried all the pinentries, and no, gnome's pinentry doesn't require gnome
last commit on pam-gnupg, 7 years ago ... developer mostly not responding to issues, all issues point to same issue ...
https://github.com/cruegge/pam-gnupg/issues ...
Like I said, I dunno how you made this work ... but I've been trying to make it work for the past 3 years, and I gave up ... I now use gnome-keyring and gnome-pinentry easily .... just without pam-gnupg ... just because something has the word gnome in it doesn't mean that it must be part of the suite; it's actually a standalone package and can be used in any window manager
@CheesyChocolate I tried setting the GNUPGHOME variable in the pam_env.conf file as per your suggestion, couldn't get it to work anyway. Just to be 100% sure, are you able to run echo | gpg --clearsign after you log into the machine without entering your password a single time after the actual login screen?
One more thing, are you sure that your GPG key is password protected? Try running
gpg-connect-agent reloadagent /bye
and echo | gpg --clearsign again; if it doesn't spawn a password prompt then the password is either not set or coming from somewhere else.
As always, thank you for your collaboration.
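The two questions asked above (is the key passphrase-protected, and is its passphrase already in the agent cache after login) can also be read from gpg-agent without triggering pinentry. This is an added example, not part of the thread: it classifies the keygrips of a pam-gnupg file against `gpg-connect-agent 'keyinfo --list' /bye` output. The keygrips and agent lines are constructed samples, the function names are hypothetical, and treating only 40-hex-digit lines as keygrips is an assumption of the example.

```shell
#!/bin/sh
# Added example: compare pam-gnupg keygrips with gpg-agent's KEYINFO listing.
# On a live system the agent lines come from:
#   gpg-connect-agent 'keyinfo --list' /bye
# Line format: S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...

# Constructed sample data: four fake 40-hex-digit keygrips (not from the thread).
mkgrip() { printf '%040d' 0 | tr 0 "$1"; }
KG_A=$(mkgrip A); KG_B=$(mkgrip B); KG_C=$(mkgrip C); KG_D=$(mkgrip D)
SAMPLE_PAM_GNUPG="# constructed ~/.config/pam-gnupg content
$KG_A
$KG_B
$KG_C
$KG_D"
SAMPLE_KEYINFO="S KEYINFO $KG_A D - - 1 P - - -
S KEYINFO $KG_B D - - - P - - -
S KEYINFO $KG_C D - - - C - - -
OK"

# keygrip_status KEYGRIP KEYINFO_TEXT prints one of:
#   preset       protected and cached: signing works without a prompt
#   locked       protected but not cached: gpg will ask via pinentry
#   unprotected  no passphrase set, so a missing prompt proves nothing
#   unknown      the agent has no such key (wrong keygrip or wrong GNUPGHOME)
keygrip_status() {
    printf '%s\n' "$2" | awk -v kg="$1" '
        $1 == "S" && $2 == "KEYINFO" && toupper($3) == toupper(kg) {
            found = 1
            if ($8 == "C")      print "unprotected"
            else if ($7 == "1") print "preset"
            else                print "locked"
            exit
        }
        END { if (!found) print "unknown" }'
}

# report CONFIG_TEXT KEYINFO_TEXT prints "<keygrip> <status>" for every line of
# the config that is exactly 40 hex digits; comments and path lines are skipped.
report() {
    printf '%s\n' "$1" | grep -E '^[0-9A-Fa-f]{40}$' | while IFS= read -r kg; do
        printf '%s %s\n' "$kg" "$(keygrip_status "$kg" "$2")"
    done
}

report "$SAMPLE_PAM_GNUPG" "$SAMPLE_KEYINFO"
```

Run right after login, "locked" means the passphrase was not preset, and "unknown" points at a keygrip or GNUPGHOME mismatch between the PAM module and the agent.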
My setup does not work in my new installation anymore. My new installation on the same system is faced with the problem of "needing to unlock keyring via pinentry prompt once". I had to unlock the keyring via pass, mw -Y or a gpg sign. No unlocking at login. EDIT: if pass or mw -Y is called, the keyring will open without any prompt. If "gpg sign" is called, I get prompted to enter the password.
I made little effort to restore the functionality and I made the move to gnome-keyring.
Hi @LukeSmithxyz, I'm trying to set up pam-gnupg on an Artix runit machine, but it doesn't seem to be as easy as setting it up on Arch. I noticed that @kronikpillow, @jemadux, and others have also shown interest in this topic (here, here, and here).
As a user of your open source project, I would like to ask you to consider sharing your pam-gnupg configuration, possibly in a separate branch, so that interested users like myself can experiment with it without forcing other users to install it. It would not only allow us to understand the implementation better but also contribute to the project by providing valuable feedback and enhancements.
Moreover, I noticed that you recently released an Artix installation guide, and I think a video tutorial on using pam-gnupg would be a fantastic follow-up.