`nix-env -iA nixos.pinentry_qt5` installs `pinentry` instead of pinentry_qt5

[vandenoever]

In Nixos 20.03 I need to have a graphical pinentry. Since I run KDE, pinentry_qt5 seems appropriate. But installing this leads to pinentry-1.1.0-curses being installed instead of pinentry-1.1.0-qt.

The same happens when installing pinentry-gnome, pinentry-gtk2, pinentry-qt, or pinentry_qt5.

To Reproduce Steps to reproduce the behavior:

$ sudo nix-channel --list
nixos https://nixos.org/channels/nixos-20.03
$ nix-env -iA nixos.pinentry_qt5
installing 'pinentry-1.1.0'
$ nix-env -q|grep pinentry
pinentry-1.1.0
$ realpath $(type -P pinentry)
/nix/store/iv9kwmkk91v4mz9zayd3as0j60wz9bv8-pinentry-1.1.0-curses/bin/pinentry-curses

Expected behavior

pinentry-qt should be available

Additional context

KMail and other graphical applications require that gpg is able to show a graphical pinentry. Since this not currently possible, any crytography with gpg is impossible in graphical applications.

Notify maintainers @ttuegel @fpletz

Metadata

$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.5.17, NixOS, 20.03.1418.5272327b81e (Markhor)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.4`
 - channels(root): `"nixos-20.03.1418.5272327b81e"`
 - channels(oever): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

[worldofpeace]

You shouldn't need to nix-env this on nixos. See https://nixos.org/nixos/options.html#programs.gnupg.agent.pinentryflavor and the programs.gnupg.agent.enable? And second bullet of https://nixos.org/nixos/manual/release-notes.html#sec-release-20.03-incompatibilities

[vandenoever]

Setting programs.gnupg.agent.enable and not installing pinentry by hand fixes the issue. Although I do not understand why, because there is no pinenty in the PATH.

[Nos-]

I have got trouble with missing pinentry for gpg too.

$sudo nix-channel --list
nixos https://nixos.org/channels/nixos-20.03
$ nix-env -iA nixos.pinentry
installing 'pinentry-1.1.0'
these paths will be fetched (0.09 MiB download, 0.28 MiB unpacked):
  /nix/store/7m67j08dpyrd0n058bbdxipn2chvjaif-pinentry-1.1.0-gtk2
  /nix/store/nghfn6cxqa7rv6rkjdxkclfzch8q0plx-pinentry-1.1.0-emacs
  /nix/store/sy0y0ib7iz8dc9j6v1yn5rs4q710i01z-pinentry-1.1.0-gnome3
copying path '/nix/store/nghfn6cxqa7rv6rkjdxkclfzch8q0plx-pinentry-1.1.0-emacs' from 'https://cache.nixos.org'...
copying path '/nix/store/sy0y0ib7iz8dc9j6v1yn5rs4q710i01z-pinentry-1.1.0-gnome3' from 'https://cache.nixos.org'...
copying path '/nix/store/7m67j08dpyrd0n058bbdxipn2chvjaif-pinentry-1.1.0-gtk2' from 'https://cache.nixos.org'...
building '/nix/store/6sgnzvwx7mvk09pa2pa85gnb5xi8db2h-user-environment.drv'...
created 2 symlinks in user environment

$ gpg --clear-sign test.txt
gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis `/home/###/.gnupg'
gpg: "###############" wird als voreingestellter geheimer Signaturschlüssel benutzt
gpg: Beglaubigung fehlgeschlagen: Kein Pinentry
gpg: test.txt: clear-sign failed: Kein Pinentry

"#"-Symbols are placeholders for private stuff. The German Text means: No pinentry, gpg cannot do its work.

Of course my /etc/nixos/configuration contains:

  programs.gnupg.agent = {
    enable = true;
#    enableSSHSupport = true;
    pinentryFlavor = "tty";
  };

(And there is no other direct instruction to install any pinentry-package)

Maybe this is interesting too:

$ nix-env -iA nixos.pinentry_qt5
replacing old 'pinentry-1.1.0'
installing 'pinentry-1.1.0'
building '/nix/store/abfyrji1vgfgh1r2q7p0lx9n8zibr3kg-user-environment.drv'...
created 2 symlinks in user environment

expected behaviour: installing of pinentry_qt5 should install pinentry_qt5 and not pinentry

wanted behaviour: gpg should ask me for the passphrase and work.

[Nos-]

After an reboot ´$ gpg --clear-sign test.txt´ worked as it should.

[Nos-]

With this setting (pinentryFlavor = "gtk2";) it worked for me now (after nixos-rebuild and reboot):

  programs.gnupg.agent = {
    enable = true;
#    enableSSHSupport = true;
    pinentryFlavor = "gtk2";
  };

But the bug with pinentryFlavor = "qt"; remains unsolved.

[worldofpeace]

We shouldn't use nix-env for this purpose.

expected behaviour: installing of pinentry_qt5 should install pinentry_qt5 and not pinentry

The derivation name doesn't change with what flavor is used, that could be an enhancement.

Here's the note in 20.03:

GnuPG is now built without support for a graphical passphrase entry by default. Please enable the gpg-agent user service via the NixOS option programs.gnupg.agent.enable. Note that upstream recommends using gpg-agent and will spawn a gpg-agent on the first invocation of GnuPG anyway.

What wasn't mentioned was the pinentry flavors were renamed. (pinentryFlavor was also introduced in 20.03). I think documentation on how to use gnupg-agent in nixos is needed.

[Nos-]

Thanks.

[stale[bot]]

I marked this as stale due to inactivity. → More info