funtoo / keychain

keychain ssh-agent front-end
http://www.funtoo.org
GNU General Public License v2.0
757 stars 107 forks

keychain --agent ssh --eval is idempotent, but --agent gpg is not #102

Open sowbug opened 6 years ago

sowbug commented 6 years ago

When used with ssh-agent, the --eval option always outputs information suitable for the shell to evaluate, but when used with gpg-agent, it does not.

SSH Version

$ keychain --eval

  • keychain 2.8.1 ~ http://www.funtoo.org
  • Starting ssh-agent... SSH_AUTH_SOCK=/tmp/ssh-ts8jMgzyXoA4/agent.22519; export SSH_AUTH_SOCK; SSH_AGENT_PID=22520; export SSH_AGENT_PID;

$ keychain --eval

  • keychain 2.8.1 ~ http://www.funtoo.org
  • Found existing ssh-agent: 22520 SSH_AUTH_SOCK=/tmp/ssh-ts8jMgzyXoA4/agent.22519; export SSH_AUTH_SOCK; SSH_AGENT_PID=22520; export SSH_AGENT_PID;

GPG Version

$ keychain --agents gpg --eval

  • keychain 2.8.1 ~ http://www.funtoo.org
  • Starting gpg-agent... SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;

$ keychain --agents gpg --eval

The second invocation of keychain --agents gpg --eval also overwrites the .keychain/ files with a one-byte (empty) file so that subsequent shells can't eval them anymore.

This is inconvenient because the ssh-agent usage can be simple and idempotent:

my .bashrc for ssh-agent

eval $(keychain --eval id_ed25519)

but if I want to use gpg-agent instead, it is cumbersome:

my .bashrc for gpg-agent

if pgrep -x "gpg-agent" > /dev/null; then
  . ~/.keychain/${HOSTNAME}-sh-gpg
else
  eval $(keychain --agents gpg --eval)
fi

(and I'm not even sure that's the right solution.)

Would it be possible to make --agents gpg --eval as idempotent as the ssh version (specifically, making it always honor the --eval option even if it's just repeating what's in the .keychain/ shell files)? This little bit of smarts in the keychain utility will allow the shell rc/profile files to be nice and dumb.

bbenne10 commented 6 years ago

I had a problem with the .bashrc snippet above. $HOSTNAME is empty for me, so I subbed in $(hostname) instead. Below is what I ended up with (for easy copy-paste for future googlers). I have also placed this in my .profile rather than .{bash,zsh}rc, but that might not work for everyone (dependent on how you log into your machine):

keychain_path="$HOME/.keychain/$(hostname)-sh-gpg"  # this file won't exist if keychain isn't running ("~" does not expand inside double quotes, so $HOME is used)
if [ -f "$keychain_path" ]; then
  . "$keychain_path"
else
  eval "$(keychain --agents gpg --eval)"
fi

virgilwashere commented 5 years ago

Including this in the keychain --agents gpg --eval output would be good too.

GPG_TTY=$(tty); export GPG_TTY

As per the gpg-agent man page.
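Putting the thread together (the idempotent behaviour sowbug asks for, the file check in bbenne10's snippet, and the GPG_TTY export from the gpg-agent man page), here is an added example for a POSIX .profile. It is not keychain's code and not from anyone in this thread. It assumes keychain writes ~/.keychain/<hostname>-sh-gpg as lines of the form `SSH_AUTH_SOCK=/path; export SSH_AUTH_SOCK;` (as in the output quoted in the issue) and may leave that file empty on a repeat run; the function names are hypothetical. Because `.` executes whatever is in the file, the file is only sourced when every line is a plain assignment, and only trusted when the socket it names still exists.

```shell
#!/bin/sh
# Added example, not keychain's own code. Assumes keychain writes
# ~/.keychain/<hostname>-sh-gpg as lines like
#   SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
# and may leave the file empty after a second "--agents gpg --eval" run.

# Accept the file only if it is non-empty and every line is a plain
# "NAME=value; export NAME;" assignment. Sourcing with "." executes the
# file, so anything else is refused instead of evaluated.
keychain_file_is_sane() {
    [ -s "$1" ] || return 1
    ! grep -qvE '^[A-Za-z_][A-Za-z0-9_]*=[^;]*; export [A-Za-z_][A-Za-z0-9_]*;$' "$1"
}

# True when SSH_AUTH_SOCK names an existing unix socket, i.e. the agent the
# file refers to is still around (a stale file names a socket that is gone).
agent_socket_alive() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Export GPG_TTY as the gpg-agent man page asks, but only when stdin is a
# terminal: tty exits non-zero otherwise (cron, pipelines, CI).
export_gpg_tty() {
    if _t=$(tty 2>/dev/null); then
        GPG_TTY=$_t; export GPG_TTY
    fi
}

# $1: keychain file to try; $2: starter command, word-split on purpose so
# "keychain --agents gpg --eval" can be passed as one string.
# Sources the file when it is sane and its socket is alive; otherwise runs
# the starter and evals its output. Calling this from every new shell is
# safe, which is the idempotence the issue asks for.
keychain_gpg_init() {
    _file=$1; _starter=$2
    if keychain_file_is_sane "$_file"; then
        . "$_file"
        if agent_socket_alive; then
            export_gpg_tty
            return 0
        fi
    fi
    eval "$($_starter)"
    export_gpg_tty
}

# In ~/.profile (uncomment):
# keychain_gpg_init "$HOME/.keychain/$(hostname)-sh-gpg" "keychain --agents gpg --eval"
```

The socket check is what makes the second shell behave the same as the first: a sane file whose socket has vanished (agent killed, machine rebooted, or the empty file keychain left behind) falls through to starting the agent again rather than leaving the shell with a dead SSH_AUTH_SOCK.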

mrl5 commented 2 years ago

hello @sowbug - if you'd like to report a bug kindly use https://bugs.funtoo.org/

you can also reach us on Discord - for more info check https://www.funtoo.org/Welcome