Hello everyone, I would like to have gpg-agent running under runit supervision on a user runsvdir, but I have been unable to write a run script that works. Would anyone have an example run script for gpg-agent, or be able to offer any pointers? Many thanks, João
[-- Attachment #1: Type: text/plain, Size: 522 bytes --] João <phlogiston@sapo.pt> writes: > I would like to have gpg-agent running under runit supervision on a user > runsvdir, but I have been unable to write a run script that works. > Would anyone have an example run script for gpg-agent, or be able to offer any > pointers? Not an answer to your question, but you might be interested to know before you spend too much time on it that GnuPG is removing support for running gpg-agent supervised: https://dev.gnupg.org/rGca5d5142c6d6eaba4572a086f8473e4aebdd3f9e [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --]
El mar, 20 sept 2022 a las 18:51, João escribió:
>
> I would like to have gpg-agent running under runit supervision on a user
> runsvdir, but I have been unable to write a run script that works.
> Would anyone have an example run script for gpg-agent, or be able to offer any
> pointers?
As already suggested, gpg-agent's --supervised command is probably the
closest thing that would do what you want, but in that case, gpg-agent
will:
* expect to have a properly set up environment, which runit's 'chpst
-e' could do. This includes variable GPG_TTY, which should contain the
name of a valid terminal that the supervision tree would have to make
available.
* expect to receive a bound and listening UNIX domain socket as file
descriptor 3, which runit tools alone can't do (but
s6-ipcserver-socketbinder from s6 can).
Then, also as already mentioned, this command has been deprecated
since GnuPG 2.3.6, so, in my opinion, it's better to just have
gpg-agent started by other GnuPG programs, as the manual says.
G.
Hello Alyssa,
On Mon, Sep 26, 2022 at 05:04:08PM +0000, Alyssa Ross wrote:
> Not an answer to your question, but you might be interested to know
> before you spend too much time on it that GnuPG is removing support for
> running gpg-agent supervised:
>
> https://dev.gnupg.org/rGca5d5142c6d6eaba4572a086f8473e4aebdd3f9e
Thank you for the heads up. This seems like a deliberate regression, and it is a
pity.
Would this make it impossible to supervise gpg-agent, or would there be a way
around it?
Best regards,
João
I'd have to assume that it would be achievable by patching the support
back in, but at that point you are effectively maintaining your own fork
of GPG-Agent.
On 9/29/22 09:20, João wrote:
> Hello Alyssa,
>
> On Mon, Sep 26, 2022 at 05:04:08PM +0000, Alyssa Ross wrote:
>> Not an answer to your question, but you might be interested to know
>> before you spend too much time on it that GnuPG is removing support for
>> running gpg-agent supervised:
>>
>> https://dev.gnupg.org/rGca5d5142c6d6eaba4572a086f8473e4aebdd3f9e
> Thank you for the heads up. This seems like a deliberate regression, and it is a
> pity.
> Would this make it impossible to supervise gpg-agent, or would there be a way
> around it?
>
> Best regards,
> João
--
Ellenor Agnes Bjornsdottir (she)
sysadmin umbrellix.net
jabber: ellenor ~on~ umbrellix.net
Hello Guillermo, On Wed, Sep 28, 2022 at 03:46:01PM -0300, Guillermo wrote: > El mar, 20 sept 2022 a las 18:51, João escribió: > > > > I would like to have gpg-agent running under runit supervision on a user > > runsvdir, but I have been unable to write a run script that works. > > Would anyone have an example run script for gpg-agent, or be able to offer any > > pointers? > > As already suggested, gpg-agent's --supervised command is probably the > closest thing that would do what you want, but in that case, gpg-agent > will: > > * expect to have a properly set up environment, which runit's 'chpst > -e' could do. This includes variable GPG_TTY, which should contain the > name of a valid terminal that the supervision tree would have to make > available. > * expect to receive a bound and listening UNIX domain socket as file > descriptor 3, which runit tools alone can't do (but > s6-ipcserver-socketbinder from s6 can). Thank you for this. It is this latter aspect of setting up the sockets which I'm struggling with. You mention that s6 tools can do this. Would I be right to presume this could be setup in the runit run script in some other way without s6? The Void linux manual shows gpg-agent running as an example, but they don't show the run script, so I don't know how they set it up. https://docs.voidlinux.org/config/services/user-services.html Any examples or pointers would be appreciated. > Then, also as already mentioned, this command has been deprecated > since GnuPG 2.3.6, so, in my opinion, it's better to just have > gpg-agent started by other GnuPG programs, as the manual says. > This is a pity as gpg-agent is a long running process which is the sort of thing you would want to run under supervision. I guess it is not possible to supervise a process if the rebel thing does not want to be supervised? Best regards, João
João Pedro Malhado <phlogiston@sapo.pt> writes: > The Void linux manual shows gpg-agent running as an example, but > they > don't show > the run script, so I don't know how they set it up. > https://docs.voidlinux.org/config/services/user-services.html Duncaen's run script for gpg-agent is here: https://github.com/Duncaen/dotfiles/blob/master/sv/gpg-agent/run It's actually an execline script that makes use of s6-ipcserver-socketbinder. Also note that the script calls gpg-agent with `--supervise`. > This is a pity as gpg-agent is a long running process which is > the > sort of thing > you would want to run under supervision. Well, the typical reason we want to run something under supervision is to ensure it's up, because (a) there are processes relying on it being up, and (b) those processes aren't themselves able to start the relevant process. But this isn't the case with gpg-agent: the main programs that utilise it know how to start it themselves if necessary, so it doesn't matter if a gpg-agent process exits abnormally, as a new one will get created when required. Alexis.
El jue, 29 sept 2022 a las 9:22, Alexis escribió:
>
> João Pedro Malhado writes:
>
> > The Void linux manual shows gpg-agent running as an example, but
> > they
> > don't show
> > the run script, so I don't know how they set it up.
> > https://docs.voidlinux.org/config/services/user-services.html
>
> Duncaen's run script for gpg-agent is here:
>
> https://github.com/Duncaen/dotfiles/blob/master/sv/gpg-agent/run
The combination of Duncaen's run script, and the Void Handbook's
example /etc/sv/runsvdir-<username>/run script, at least if used
verbatim, does not appear to set up GPG_TTY. gpg-agent might start,
but I'm not sure if things will work well if, e.g., it wants to run
the pinentry program...
G.
Guillermo <gdiazhartusch@gmail.com> writes:
> The combination of Duncaen's run script, and the Void Handbook's
> example /etc/sv/runsvdir-<username>/run script, at least if used
> verbatim, does not appear to set up GPG_TTY. gpg-agent might
> start,
> but I'm not sure if things will work well if, e.g., it wants to
> run
> the pinentry program...
Yeah. Trying to get a program to run in ways it's not intended to
be run can get complex at the best of times, but i'd be
particularly wary of trying to do so with a program that's
security infrastructure; i'd worry about accidentally creating
vulnerabilities not present when the program is used in the
intended manner.
Alexis.
Hello Alexis, On Thu, Sep 29, 2022 at 10:12:49PM +1000, Alexis wrote: > João <phlogiston@sapo.pt> writes: > > > The Void linux manual shows gpg-agent running as an example, but they > > don't show > > the run script, so I don't know how they set it up. > > https://docs.voidlinux.org/config/services/user-services.html > > Duncaen's run script for gpg-agent is here: > > https://github.com/Duncaen/dotfiles/blob/master/sv/gpg-agent/run > > It's actually an execline script that makes use of > s6-ipcserver-socketbinder. Also note that the script calls gpg-agent with > `--supervise`. Thank you for this. It is helpful to look at an example. > > This is a pity as gpg-agent is a long running process which is the > > sort of thing > > you would want to run under supervision. > > Well, the typical reason we want to run something under supervision is to > ensure it's up, because (a) there are processes relying on it being up, and > (b) those processes aren't themselves able to start the relevant process. > But this isn't the case with gpg-agent: the main programs that utilise it > know how to start it themselves if necessary, so it doesn't matter if a > gpg-agent process exits abnormally, as a new one will get created when > required. You have a point. But I guess you still loose a common consistent way of checking the status and controlling the processes in your system. Best regards, João