From fd258eb5f3280a59854e6a6fff53f62120adeb20 Mon Sep 17 00:00:00 2001 
From: Arctic Ice Studio
Date: Sat, 15 Sep 2018 14:58:59 +0200
Subject: [PATCH] Add macOS support for GPG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

> Changed the default socket file paths.

There was a problem where the `gpg-agent` was not able to create the socket files within the `~/.gnupg` folder that is symlinked to the gocryptfs (1) container to securely (encrypted) store the GPG keys:

```
gpg: can’t connect to the agent: IPC connect call failed
```

This might be caused by either the macOS filesystem (APFS) that doesn't support the creation of sockets (it works fine on other Arch Linux hosts like `igloo`) or by restrictions due to read/write permissions that are not passed through.

This solution/workaround is to change the default absolute file paths of the socket files:

1. Created a `S.gpg-agent` and `S.gpg-agent.ssh` file manually in the `$GNUPGHOME` folder (defaults to `~/.gnupg`).
2. Added the `extra-socket` and `browser-socket` options in the `gpg-agent.conf` file with the desired paths.

The created `S.gpg-agent` and `S.gpg-agent.ssh` files allow the use of values of environment variables via string interpolation (2), e.g. `${HOME}`.

NOTE: It is important to make sure that the target folder exists and the permissions are set to 700!

> macOS pinentry tool

Set the `pinentry-program` option in the `gpg-agent.conf` file to use pinentry-mac (3). Note that this requires the Homebrew formula pinentry-mac (4) to be installed!
```conf
pinentry-program /usr/local/bin/pinentry-mac
```

> More references

* „gpg: can’t connect to the agent: IPC connect call failed“ (5)
* GNUPG bugtracker - “gpg-agent 2.1 socket and nfs /home“ (6)
* „How to configure GnuPG's S.gpg-agent socket location?“ (7)

References:
  (1) https://github.com/rfjakob/gocryptfs
  (2) https://en.wikipedia.org/wiki/String_interpolation
  (3) https://github.com/GPGTools/pinentry-mac
  (4) https://formulae.brew.sh/formula/pinentry-mac
  (5) https://michaelheap.com/gpg-cant-connect-to-the-agent-ipc-connect-call-failed
  (6) https://dev.gnupg.org/T1752
  (7) https://askubuntu.com/a/1053594

Epic: GH-131
Closes GH-132
---
snowblocks/gpg/README.md | 77 ++++++++++++++++++++++++++++ snowblocks/gpg/S.gpg-agent | 2 + snowblocks/gpg/S.gpg-agent.ssh | 2 + snowblocks/gpg/gpg-agent.iceowl.conf | 21 ++++++++ snowblocks/gpg/snowblock.json | 21 +++++++- 5 files changed, 122 insertions(+), 1 deletion(-) create mode 100644 snowblocks/gpg/README.md create mode 100644 snowblocks/gpg/S.gpg-agent create mode 100644 snowblocks/gpg/S.gpg-agent.ssh create mode 100644 snowblocks/gpg/gpg-agent.iceowl.conf diff --git a/snowblocks/gpg/README.md b/snowblocks/gpg/README.md new file mode 100644 index 0000000..7a01163 --- /dev/null +++ b/snowblocks/gpg/README.md
@@ -0,0 +1,77 @@ +# GnuPG - The GNU Privacy Guard + +> [GnuPG][] is a complete and free implementation of the OpenPGP standard as defined by [RFC4880][] (also known as PGP). + +## Troubleshooting + +### Fix failed IPC connection call on macOS + +There is a problem where the `gpg-agent` is not able to create the socket files within the `~/.gnupg` folder that is symlinked to the [gocryptfs][] container (to securely store the GPG keys encrypted): + +```raw +gpg: can’t connect to the agent: IPC connect call failed +``` + +See the „igloosync-dropbox“ setup from the [systemd][gh-igloo-snowblock-systemd] and [launchd][gh-igloo-snowblock-launchd] setup snowblocks. + +The error might be caused by either the macOS filesystem (APFS) that doesn't support the creation of sockets (it works fine on other Arch Linux hosts like `igloo`) or by restrictions due to read/write permissions that are not passed through. + +One solution/workaround is to change the default **absolute** file paths of the socket files by + +1. creating a `S.gpg-agent` and `S.gpg-agent.ssh` file manually in the `$GNUPGPHOME` folder (defaults to `~/.gnupg`). +2. adding the `extra-socket` and `browser-socket` options in the `gpg-agent.conf` file with the desired paths. + +**NOTE**: The created `S.gpg-agent` and `S.gpg-agent.ssh` files allow to use values of environment variables via [string interpolation][wikipedia-string-interpol], e.g. `${HOME}`. + +###### `S.gpg-agent` + +```raw +%Assuan% +socket=${HOME}/path/to/S.gpg-agent +``` + +###### `S.gpg-agent.ssh` + +```raw +%Assuan% +socket=${HOME}/path/to/S.gpg-agent.ssh +``` + +###### `gpg-agent.conf` + +```conf +# ... +# Disable the usage of the default/standard sockets. +no-use-standard-socket + +# Set the cutom paths of the socket files. +extra-socket /path/to/S.gpg-agent.extra +browser-socket /path/to/S.gpg-agent.browser +# ... +``` + +**NOTE**: It is important to make sure that the **target folder exists** and the **permissions** are set to `700`! 
+ +```sh +chmod 700 ~/path/to/target/folder +``` + +See the [references](#references) for more information and details. + +## References + +**Fix failed IPC connection call on macOS** + +* [gpg: can’t connect to the agent: IPC connect call failed][ref-blog-michaelheap-ipc-connect-fail] +* [GNUPG bugtracker: “gpg-agent 2.1 socket and nfs /home“][ref-gnupg-bugtracker-t1752] +* [How to configure GnuPG's S.gpg-agent socket location?]([ref-askubuntu-gpg-socket]) + +[gnupg]: https://www.gnupg.org +[gh-igloo-snowblock-launchd]: https://github.com/arcticicestudio/igloo/tree/develop/snowblocks/launchd +[gh-igloo-snowblock-systemd]: https://github.com/arcticicestudio/igloo/tree/develop/snowblocks/systemd +[gocryptfs]: https://github.com/rfjakob/gocryptfs +[ref-askubuntu-gpg-socket]: https://askubuntu.com/a/1053594 +[ref-blog-michaelheap-ipc-connect-fail]: https://michaelheap.com/gpg-cant-connect-to-the-agent-ipc-connect-call-failed +[ref-gnupg-bugtracker-t1752]: https://dev.gnupg.org/T1752 +[rfc4880]: https://www.ietf.org/rfc/rfc4880.txt +[wikipedia-string-interpol]: https://en.wikipedia.org/wiki/String_interpolation diff --git a/snowblocks/gpg/S.gpg-agent b/snowblocks/gpg/S.gpg-agent new file mode 100644 index 0000000..01247c7 --- /dev/null +++ b/snowblocks/gpg/S.gpg-agent @@ -0,0 +1,2 @@ +%Assuan% +socket=${HOME}/.gnupg-socket-box/S.gpg-agent diff --git a/snowblocks/gpg/S.gpg-agent.ssh b/snowblocks/gpg/S.gpg-agent.ssh new file mode 100644 index 0000000..37e00f0 --- /dev/null +++ b/snowblocks/gpg/S.gpg-agent.ssh @@ -0,0 +1,2 @@ +%Assuan% +socket=${HOME}/.gnupg-socket-box/S.gpg-agent.ssh diff --git a/snowblocks/gpg/gpg-agent.iceowl.conf b/snowblocks/gpg/gpg-agent.iceowl.conf new file mode 100644 index 0000000..ba945e2 --- /dev/null +++ b/snowblocks/gpg/gpg-agent.iceowl.conf 
@@ -0,0 +1,21 @@ +# Copyright (C) 2016-present Arctic Ice Studio +# Copyright (C) 2016-present Sven Greb + +# Project: igloo +# Repository: https://github.com/arcticicestudio/igloo +# License: MIT +# References: +# https://www.gnupg.org/documentation/manuals/gnupg/ +# https://wiki.archlinux.org/index.php/GnuPG +# gpg-agent(1) +# gpgconf(1) + +# Set the tool for password prompts. +pinentry-program /usr/local/bin/pinentry-mac + +log-file /Users/sgreb/.var/log/igloo/gpg/gpg-agent.log + +# Disable the usage of the default/standard sockets and set custom paths for the socket files. +no-use-standard-socket +extra-socket /Users/sgreb/.gnupg-socket-box/S.gpg-agent.extra +browser-socket /Users/sgreb/.gnupg-socket-box/S.gpg-agent.browser diff --git a/snowblocks/gpg/snowblock.json b/snowblocks/gpg/snowblock.json index 07843a8..6644439 100644 --- a/snowblocks/gpg/snowblock.json +++ b/snowblocks/gpg/snowblock.json @@ -1,12 +1,31 @@ [ { - "clean": ["~/.gnupg"] + "clean": [ + "~/.gnupg", + "~/.gnupg-socket-box" + ] }, { "link": { + "~/.gnupg/gpg-agent.conf": { + "create": true, + "hosts": { + "iceowl": "gpg-agent.iceowl.conf" + } + }, "~/.gnupg/gpg.conf": { "create": true, "path": "gpg.conf" + }, + "~/.gnupg-socket-box/S.gpg-agent": { + "hosts": { + "iceowl": "S.gpg-agent" + } + }, + "~/.gnupg-socket-box/S.gpg-agent.ssh": { + "hosts": { + "iceowl": "S.gpg-agent.ssh" + } } } }
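Review bot: In the README.md hunk, step 1 of the workaround names the folder `$GNUPGPHOME`; the GnuPG environment variable is `GNUPGHOME`, so the instruction as written points readers at a variable that does not exist. The same hunk has a broken reference-style link in the References section: `[How to configure GnuPG's S.gpg-agent socket location?]([ref-askubuntu-gpg-socket])` wraps the label in parentheses and will render the literal text instead of a link; it should be `[How to configure GnuPG's S.gpg-agent socket location?][ref-askubuntu-gpg-socket]` like the two entries above it. Finally, the `S.gpg-agent` example uses `socket=${HOME}/path/to/S.gpg-agent` while the `gpg-agent.conf` example uses `extra-socket /path/to/S.gpg-agent.extra`; since GnuPG option files do not expand shell-style variables, the README should state explicitly that `extra-socket` and `browser-socket` need absolute paths and that `${HOME}` applies, if anywhere, only to the redirect files.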
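Review bot: In the S.gpg-agent hunk, the redirect line `socket=${HOME}/.gnupg-socket-box/S.gpg-agent` depends on `${HOME}` being expanded when the agent and its clients read the Assuan redirect file; the only reference given for this is the Wikipedia article on string interpolation, which says nothing about GnuPG. Please either cite where GnuPG documents this behaviour or verify it on the `iceowl` host by restarting the agent (`gpgconf --kill gpg-agent`, then `gpg-connect-agent /bye`) and confirming with `ls -l ~/.gnupg-socket-box` that the socket is created at the expanded path rather than at a literal `${HOME}/...` path under `~/.gnupg`. If expansion is not supported, an absolute path (as already used in gpg-agent.iceowl.conf) is the safe choice.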
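Review bot: In the S.gpg-agent.ssh hunk, the redirect for the SSH socket can only take effect if `gpg-agent` is started with `enable-ssh-support`, but `gpg-agent.iceowl.conf` in this patch does not set that option, so on `iceowl` no `S.gpg-agent.ssh` socket is ever created and this file is dead configuration. Either add `enable-ssh-support` to the conf (and note in the README that `SSH_AUTH_SOCK` then has to point at `~/.gnupg-socket-box/S.gpg-agent.ssh`, the redirected path, not the default one) or drop this file and its `snowblock.json` entry.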
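Review bot: In the gpg-agent.iceowl.conf hunk, `no-use-standard-socket` has no effect: gpg-agent(1), which the header cites, documents `--use-standard-socket`/`--no-use-standard-socket` as no-ops since GnuPG 2.1 because the standard socket is always used. The comment above it claims it disables the default sockets, which is misleading; the redirect files and the `extra-socket`/`browser-socket` options are what actually move the sockets, so the line and its comment should go. Separately, `log-file`, `extra-socket` and `browser-socket` hard-code `/Users/sgreb/...` into a host-specific file checked into a public repository; that is consistent with the per-host `hosts` mapping in `snowblock.json`, but the README should say that these paths (and the `~/.var/log/igloo/gpg` directory) must be adapted and created by anyone reusing the snowblock, since the agent cannot create sockets or a log file in directories that do not exist.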
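Review bot: In the snowblock.json hunk, the two redirect files are linked to `~/.gnupg-socket-box/S.gpg-agent` and `~/.gnupg-socket-box/S.gpg-agent.ssh`, but the README in this same patch says they have to be created in `$GNUPGHOME` (`~/.gnupg`), which is where `gpg-agent` looks for a redirect at the standard socket location. As written, the redirect file is placed at exactly the path its own content names as the socket target (`${HOME}/.gnupg-socket-box/S.gpg-agent`), so either the agent never sees the redirect or it would try to create the socket on top of the symlink. The link keys should be `"~/.gnupg/S.gpg-agent"` and `"~/.gnupg/S.gpg-agent.ssh"`, with `~/.gnupg-socket-box` left as the plain directory that holds the real sockets. Also, nothing in this file creates `~/.gnupg-socket-box` or applies the `700` mode the README insists on; a `shell` step (or a README note that the directory must be created with `chmod 700` before the link step) would keep the socket directory from ending up world-readable.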