Add macOS support for GPG
> Changed the default socket file paths.

There was a problem where the `gpg-agent` was not able to create the
socket files within the `~/.gnupg` folder that is symlinked to the
gocryptfs (1) container to securely (encrypted) store the GPG keys:

```
gpg: can’t connect to the agent: IPC connect call failed
```

This might be caused by either the macOS filesystem (APFS) that doesn't
support the creation of sockets (it works fine on other Arch Linux hosts
like `igloo`) or by restrictions due to read/write permissions that are
not passed through.

This solution/workaround is to change the default absolute file paths of
the socket files:

1. Created a `S.gpg-agent` and `S.gpg-agent.ssh` file manually in the
   `$GNUPGHOME` folder (defaults to `~/.gnupg`).
2. Added the `extra-socket` and `browser-socket` options in the
   `gpg-agent.conf` file with the desired paths.

The created `S.gpg-agent` and `S.gpg-agent.ssh` files allow using the
values of environment variables via string interpolation (2), e.g.
`${HOME}`.

NOTE: It is important to make sure that the target folder exists and
the permissions are set to 700!

> macOS pinentry tool

Set the `pinentry-program` option in the `gpg-agent.conf` file to use
pinentry-mac (3). Note that this requires the Homebrew formula
pinentry-mac (4) to be installed!

```conf
pinentry-program /usr/local/bin/pinentry-mac
```

> More references

* „gpg: can’t connect to the agent: IPC connect call failed“ (5)
* GNUPG bugtracker - “gpg-agent 2.1 socket and nfs /home“ (6)
* „How to configure GnuPG's S.gpg-agent socket location?“ (7)

References:

  (1) https://github.com/rfjakob/gocryptfs
  (2) https://en.wikipedia.org/wiki/String_interpolation
  (3) https://github.com/GPGTools/pinentry-mac
  (4) https://formulae.brew.sh/formula/pinentry-mac
  (5) https://michaelheap.com/gpg-cant-connect-to-the-agent-ipc-connect-call-failed
  (6) https://dev.gnupg.org/T1752
  (7) https://askubuntu.com/a/1053594

Epic: GH-131
Closes GH-132
arcticicestudio committed Sep 15, 2018
1 parent 56bc072 commit fd258eb
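The two-step workaround from the commit message (create the `%Assuan%` redirect files, and make sure the directory the sockets will live in exists with mode `700`), as an added POSIX shell example that is not part of the commit or the igloo repository. It writes the already-expanded absolute socket path into each redirect file rather than relying on `${HOME}` interpolation, and adds a permission check you can run before starting `gpg-agent`. The function names, the `check_private_dir` check and the default `~/.gnupg-socket-box` location are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the igloo repository): relocate the gpg-agent
# sockets out of a directory that cannot hold UNIX sockets.
#   1. create the directory the sockets will live in, mode 700
#   2. write %Assuan% redirect files into $GNUPGHOME so that gpg-agent and
#      its clients use the relocated socket paths
# Assumed defaults: GNUPGHOME = ~/.gnupg, socket dir = ~/.gnupg-socket-box.

set -eu

# Create a directory if it is missing and enforce owner-only permissions.
ensure_private_dir() {
    mkdir -p "$1"
    chmod 700 "$1"
}

# Return 0 only if the path is a directory with mode exactly 700
# (drwx------); anything more permissive is rejected.
check_private_dir() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Write a %Assuan% socket redirect file.
#   $1 = redirect file to write (e.g. $GNUPGHOME/S.gpg-agent)
#   $2 = absolute socket path the agent should use instead
write_socket_redirect() {
    printf '%%Assuan%%\nsocket=%s\n' "$2" > "$1"
    chmod 600 "$1"
}

# Print the socket path a redirect file points to; fail if the file is
# not a %Assuan% redirect (e.g. it is already a real socket).
read_socket_redirect() {
    [ -f "$1" ] || return 1
    [ "$(head -n 1 "$1")" = "%Assuan%" ] || return 1
    sed -n 's/^socket=//p' "$1"
}

# Full setup: $1 = GNUPGHOME, $2 = socket directory (both optional).
# Returns the result of the final permission check on the socket dir.
setup_gpg_sockets() {
    gnupghome="${1:-$HOME/.gnupg}"
    socket_dir="${2:-$HOME/.gnupg-socket-box}"
    ensure_private_dir "$gnupghome"
    ensure_private_dir "$socket_dir"
    for name in S.gpg-agent S.gpg-agent.ssh; do
        write_socket_redirect "$gnupghome/$name" "$socket_dir/$name"
    done
    check_private_dir "$socket_dir"
}
```

Run `setup_gpg_sockets` with no arguments for the defaults, then restart the agent (`gpgconf --kill gpg-agent`) and confirm the new location with `gpgconf --list-dirs agent-socket`. The redirect files go into `$GNUPGHOME`, never into the socket directory itself, because the socket path they name must stay free for the agent to bind.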
Showing 5 changed files with 122 additions and 1 deletion.
77 changes: 77 additions & 0 deletions snowblocks/gpg/README.md
@@ -0,0 +1,77 @@
# GnuPG - The GNU Privacy Guard

> [GnuPG][] is a complete and free implementation of the OpenPGP standard as defined by [RFC4880][] (also known as PGP).
## Troubleshooting

### Fix failed IPC connection call on macOS

There is a problem where the `gpg-agent` is not able to create the socket files within the `~/.gnupg` folder that is symlinked to the [gocryptfs][] container (to securely store the GPG keys encrypted):

```raw
gpg: can’t connect to the agent: IPC connect call failed
```

See the „igloosync-dropbox“ setup from the [systemd][gh-igloo-snowblock-systemd] and [launchd][gh-igloo-snowblock-launchd] setup snowblocks.

The error might be caused by either the macOS filesystem (APFS) that doesn't support the creation of sockets (it works fine on other Arch Linux hosts like `igloo`) or by restrictions due to read/write permissions that are not passed through.

One solution/workaround is to change the default **absolute** file paths of the socket files by

1. creating a `S.gpg-agent` and `S.gpg-agent.ssh` file manually in the `$GNUPGPHOME` folder (defaults to `~/.gnupg`).
2. adding the `extra-socket` and `browser-socket` options in the `gpg-agent.conf` file with the desired paths.

**NOTE**: The created `S.gpg-agent` and `S.gpg-agent.ssh` files allow to use values of environment variables via [string interpolation][wikipedia-string-interpol], e.g. `${HOME}`.

###### `S.gpg-agent`

```raw
%Assuan%
socket=${HOME}/path/to/S.gpg-agent
```

###### `S.gpg-agent.ssh`

```raw
%Assuan%
socket=${HOME}/path/to/S.gpg-agent.ssh
```

###### `gpg-agent.conf`

```conf
# ...
# Disable the usage of the default/standard sockets.
no-use-standard-socket
# Set the cutom paths of the socket files.
extra-socket /path/to/S.gpg-agent.extra
browser-socket /path/to/S.gpg-agent.browser
# ...
```

**NOTE**: It is important to make sure that the **target folder exists** and the **permissions** are set to `700`!

```sh
chmod 700 ~/path/to/target/folder
```

See the [references](#references) for more information and details.

## References

**Fix failed IPC connection call on macOS**

* [gpg: can’t connect to the agent: IPC connect call failed][ref-blog-michaelheap-ipc-connect-fail]
* [GNUPG bugtracker: “gpg-agent 2.1 socket and nfs /home“][ref-gnupg-bugtracker-t1752]
* [How to configure GnuPG's S.gpg-agent socket location?]([ref-askubuntu-gpg-socket])

[gnupg]: https://www.gnupg.org
[gh-igloo-snowblock-launchd]: https://github.com/arcticicestudio/igloo/tree/develop/snowblocks/launchd
[gh-igloo-snowblock-systemd]: https://github.com/arcticicestudio/igloo/tree/develop/snowblocks/systemd
[gocryptfs]: https://github.com/rfjakob/gocryptfs
[ref-askubuntu-gpg-socket]: https://askubuntu.com/a/1053594
[ref-blog-michaelheap-ipc-connect-fail]: https://michaelheap.com/gpg-cant-connect-to-the-agent-ipc-connect-call-failed
[ref-gnupg-bugtracker-t1752]: https://dev.gnupg.org/T1752
[rfc4880]: https://www.ietf.org/rfc/rfc4880.txt
[wikipedia-string-interpol]: https://en.wikipedia.org/wiki/String_interpolation
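Review bot: the third reference link in the new "References" section is broken markdown: `[How to configure GnuPG's S.gpg-agent socket location?]([ref-askubuntu-gpg-socket])` wraps the reference label in parentheses, so it renders as an inline link to the literal text `[ref-askubuntu-gpg-socket]` instead of resolving the `[ref-askubuntu-gpg-socket]: https://askubuntu.com/a/1053594` definition below; it should use the same `[text][label]` form as the two entries above it. Two smaller things in the same file: the environment variable in step 1 is spelled `$GNUPGPHOME` (the variable GnuPG reads is `GNUPGHOME`), and the `gpg-agent.conf` snippet comment says "cutom" for "custom". The placeholder paths are also inconsistent between the snippets (`${HOME}/path/to/...` in the redirect files, `/path/to/...` in `gpg-agent.conf`); using the same placeholder in all three would make it clearer that they refer to one socket directory, which is the one the `chmod 700` line must target.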
2 changes: 2 additions & 0 deletions snowblocks/gpg/S.gpg-agent
@@ -0,0 +1,2 @@
%Assuan%
socket=${HOME}/.gnupg-socket-box/S.gpg-agent
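Review bot: this redirect relies on `${HOME}` being expanded inside the `socket=` value, but the only source the README cites for that is the generic Wikipedia article on string interpolation, not GnuPG documentation; if the expansion does not happen, the agent would try to bind a socket under a literal `${HOME}` directory and clients would fail with the same "IPC connect call failed" error the commit is fixing. Please verify on the host with `gpgconf --list-dirs agent-socket` that the reported path is the expanded `/Users/.../.gnupg-socket-box/S.gpg-agent`, or write the absolute path here, as `gpg-agent.iceowl.conf` already does for `extra-socket` and `browser-socket`.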
2 changes: 2 additions & 0 deletions snowblocks/gpg/S.gpg-agent.ssh
@@ -0,0 +1,2 @@
%Assuan%
socket=${HOME}/.gnupg-socket-box/S.gpg-agent.ssh
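Review bot: the `S.gpg-agent.ssh` socket is only created when `enable-ssh-support` is set in `gpg-agent.conf`, and the `gpg-agent.iceowl.conf` added in this commit does not set it, so this redirect has no effect as committed. If the SSH agent socket is intended, add `enable-ssh-support` to the host config and point `SSH_AUTH_SOCK` at the redirected path (`gpgconf --list-dirs agent-ssh-socket` prints it); otherwise a short comment in the README that this file is only relevant with SSH support enabled would avoid confusion.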
21 changes: 21 additions & 0 deletions snowblocks/gpg/gpg-agent.iceowl.conf
@@ -0,0 +1,21 @@
# Copyright (C) 2016-present Arctic Ice Studio <[email protected]>
# Copyright (C) 2016-present Sven Greb <[email protected]>

# Project: igloo
# Repository: https://github.com/arcticicestudio/igloo
# License: MIT
# References:
# https://www.gnupg.org/documentation/manuals/gnupg/
# https://wiki.archlinux.org/index.php/GnuPG
# gpg-agent(1)
# gpgconf(1)

# Set the tool for password prompts.
pinentry-program /usr/local/bin/pinentry-mac

log-file /Users/sgreb/.var/log/igloo/gpg/gpg-agent.log

# Disable the usage of the default/standard sockets and set custom paths for the socket files.
no-use-standard-socket
extra-socket /Users/sgreb/.gnupg-socket-box/S.gpg-agent.extra
browser-socket /Users/sgreb/.gnupg-socket-box/S.gpg-agent.browser
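Review bot: `log-file /Users/sgreb/.var/log/igloo/gpg/gpg-agent.log` requires that directory to exist, but unlike the socket directory nothing in this commit creates it or documents it, so the agent will fail to open its log on a fresh host; either create it alongside `~/.gnupg-socket-box` in `snowblock.json` or mention it in the README, and keep it owner-only like the socket directory since the agent log is not something other users need to read. Also note that `no-use-standard-socket` has had no effect since GnuPG 2.1 (the standard socket is always used), so the `%Assuan%` redirect files in this commit are what actually relocate `S.gpg-agent`; the comment on the line above should say so rather than suggest the option disables the default socket. Minor: the comment "Set the tool for password prompts" should read "passphrase prompts".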
21 changes: 20 additions & 1 deletion snowblocks/gpg/snowblock.json
@@ -1,12 +1,31 @@
[
{
"clean": ["~/.gnupg"]
"clean": [
"~/.gnupg",
"~/.gnupg-socket-box"
]
},
{
"link": {
"~/.gnupg/gpg-agent.conf": {
"create": true,
"hosts": {
"iceowl": "gpg-agent.iceowl.conf"
}
},
"~/.gnupg/gpg.conf": {
"create": true,
"path": "gpg.conf"
},
"~/.gnupg-socket-box/S.gpg-agent": {
"hosts": {
"iceowl": "S.gpg-agent"
}
},
"~/.gnupg-socket-box/S.gpg-agent.ssh": {
"hosts": {
"iceowl": "S.gpg-agent.ssh"
}
}
}
}
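Review bot: the two new `link` entries put the redirect files at `~/.gnupg-socket-box/S.gpg-agent` and `~/.gnupg-socket-box/S.gpg-agent.ssh`, which are exactly the paths the files' own `socket=` lines point to, while the README in this same commit says the redirect files belong in `$GNUPGHOME` (`~/.gnupg`). As committed, gpg-agent looks for `~/.gnupg/S.gpg-agent`, finds no redirect there, and the socket directory already contains a regular file at the path the socket is supposed to be created at. The targets should be `"~/.gnupg/S.gpg-agent"` and `"~/.gnupg/S.gpg-agent.ssh"`; it is also worth checking that the linker creates `~/.gnupg-socket-box` with mode `700` as the README requires, since these entries do not set `"create": true` the way the `gpg-agent.conf` entry does.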

0 comments on commit fd258eb