I have a weird issue with systemd.
First off I’m sorry if I’m missing something that is supposed to be obvious but its the first time I’m trying out nixos and I have very little experience with nix itself. Anyway. I’ve installed nixos and enabled gpg-agent (with ssh enabled). I use my yubikey to both sign my commits on git and to authenticate through ssh. There’s a very weird issue with pinentry-curses where the tty is not forward to it when the gpg agent is trying to authenticate through ssh. To sign commits it works just fine. Since I had the same issue on mac (and it is currently my daily driver) I found it easier to debug and try to find a fix on it before jumping into nixos. I’ve created a script to sit between pinentry and the agent where it was log everything out and forward to the real pinentry. I found out that it was trying to set an invalid tty to it. I’ve tried to get the tty in the script but it wasn’t being able as well. I have tried a lot of “solutions” suggested in forums like calling gpg-connect-agent UPDATESTARTUPTTY /bye before and the GPG_TTY env var was set $(tty). For some reason the agent was not inheriting the variable. After trying a lot of options allowing/enabling the loopback on the agent + enabling the extra socket I was able to get the $(tty) in the script, although the agent was still not setting it correctly. But now I could just replace the option the agent was trying to set with a correct one and it worked. I tried to apply the same fix on the nixos and for some reason it wasn’t working. After debugging for a long time I found out that the agent was reading the confs in my home directory but it was being overwritten somewhere else. But that only happened if the agent was launched from systemd. If I disabled the service on systemd and started the agent manually it was working. I couldn’t find what was systemd doing to overwrite it. Listing dirs with gpgconf was all correct. The only parameter in the system config created by nixos was the --supervised. And to be clear, my config is being read because if I put any invalid configuration there, the service doesn’t start, but for some reason something is overwriting everything to its defaults later. I couldn’t see multiple agents running as well. Does anyone know what I’m missing with this issue?
here’s the script
#!/usr/bin/env bash
REAL_PINENTRY=$(which pinentry-tty)
{
while IFS= read -r line; do
if [[ "$line" == "OPTION ttyname=not a tty" ]] && [[ -n "$GPG_TTY" ]]; then
echo "OPTION ttyname=$GPG_TTY"
else
echo "$line"
fi
done
} | {
"$REAL_PINENTRY" "$@" 2>&1 | while IFS= read -r line; do
echo "$line"
done
}
here’s what I’m trying to set in the gpg-agent.conf
pinentry-program /Users/augusto/.gnupg/wrapper.sh
enable-ssh-support
ttyname $GPG_TTY
allow-loopback-pinentry
extra-socket /tmp/S.gpg-agent.extra
and the gpg.conf
pinentry-mode loopback
