nix-community / home-manager

Manage a user environment using Nix [maintainer=@rycee]
https://nix-community.github.io/home-manager/
MIT License

gpg-agent: looking for a way to circumvent smart-card PIN caching #3414

Open steveej opened 1 year ago

steveej commented 1 year ago

goal

I want gpg-agent to ask for a PIN via the configured pinentry every time it's used.

what I've tried

*CacheTtl settings

  services = {
    gpg-agent = {
      enable = true;
      enableScDaemon = true;
      enableSshSupport = true;
      grabKeyboardAndMouse = true;
      pinentryFlavor = "gtk2";
      extraConfig = "";

      defaultCacheTtl = 0;
      maxCacheTtl = 0;
    };
  };

These do not seem to apply to smart-card PINs.

Socket.Accept=true setting

In addition to the above, I've tried to configure the socket to stop the service again once it's closed, which I thought the following setting would do:

  systemd.user.sockets.gpg-agent.Socket.Accept = true;

This doesn't have any noticeable effect.

ideas

* debug why the socket setting doesn't work
* wrap the gpg-agent with GNU timeout

d-dervishi commented 1 year ago

Maybe your PIN is stored in an external keychain? Have you tried setting no-allow-external-cache in extraConfig?

stale[bot] commented 1 year ago

Thank you for your contribution! I marked this issue as stale due to inactivity. Please be considerate of people watching this issue and receiving notifications before commenting 'I have this issue too'. We welcome additional information that will help resolve this issue. Please read the relevant sections below before commenting.

If you are the original author of the issue

* If this is resolved, please consider closing it so that the maintainers know not to focus on this.
* If this might still be an issue, but you are not interested in promoting its resolution, please consider closing it while encouraging others to take over and reopen an issue if they care enough.
* If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.

If you are not the original author of the issue

* If you are also experiencing this issue, please add details of your situation to help with the debugging process.
* If you know how to solve the issue, please consider submitting a Pull Request that addresses this issue.

Memorandum on closing issues

Don't be afraid to manually close an issue, even if it holds valuable information. Closed issues stay in the system for people to search, read, cross-reference, or even reopen – nothing is lost! Closing obsolete issues is an important way to help maintainers focus their time and effort.

steveej commented 2 months ago

> Maybe your PIN is stored in an external keychain? Have you tried setting no-allow-external-cache in extraConfig?

I just came back here after a long while. I tried that setting and it doesn't help. The PIN is still cached until I either unplug the YubiKey or terminate the gpg-agent. I think this is an internal PIN caching mechanism.
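The reporter's "wrap the gpg-agent with GNU timeout" idea and the later observation that the card PIN stays cached until gpg-agent is terminated suggest a crude but workable mitigation: run one gpg operation, then tear the agent down so the next operation has to prompt again. The following shell wrapper is an added example written for this thread, not code from the issue or from home-manager. It assumes `gpgconf --kill gpg-agent` is the way to stop the agent (the standard GnuPG command; the kill command is overridable through the hypothetical `GPG_KILL_CMD` variable so the wrapper can be exercised without a real agent).

```shell
#!/bin/sh
# gpg_oneshot: run a single gpg/ssh command, then stop gpg-agent so that the
# card PIN it cached internally is discarded. Based on the reporter's
# observation that terminating gpg-agent clears the cache.
#
# GPG_KILL_CMD is a hypothetical override used here so the wrapper can be
# tested offline; by default it runs the real GnuPG command.
GPG_KILL_CMD="${GPG_KILL_CMD:-gpgconf --kill gpg-agent}"

gpg_oneshot() {
  # Run the wrapped command exactly as given (e.g. gpg --sign file.txt).
  "$@"
  status=$?
  # Always tear the agent down, even if the command failed, so a failed
  # attempt never leaves the PIN cached for the next caller.
  # shellcheck disable=SC2086
  $GPG_KILL_CMD
  # Propagate the wrapped command's exit status, not the kill command's.
  return "$status"
}

# Usage: gpg_oneshot gpg --detach-sign --armor release.tar.gz
```

Caveat for anyone using this with `enableSshSupport = true`: killing gpg-agent also drops its SSH agent state, so any SSH session that relies on the card will have to prompt again as well; that is the intended effect here, but it affects every process sharing the agent, not just the wrapped one. Killing only the card daemon (`gpgconf --kill scdaemon`) may be enough on some setups, but the thread only confirms that terminating gpg-agent itself clears the PIN.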