[Pkg-gnupg-commit] [gnupg2] 03/05: improve dirmngr, gpg-agent README.Debian (Closes: #850982)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 18 20:17:17 UTC 2017


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch master
in repository gnupg2.

commit 8b789eab3fe1018b9fc83932cf67185ca17d7e18
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Wed Jan 18 12:58:47 2017 -0500

    improve dirmngr, gpg-agent README.Debian (Closes: #850982)
---
 debian/Xsession.d/90gpg-agent    |  5 ++-
 debian/control                   |  4 ++
 debian/dirmngr.README.Debian     | 46 +++++++++++------------
 debian/gnupg-agent.README.Debian | 80 ++++++++++++++++++++++++++--------------
 4 files changed, 82 insertions(+), 53 deletions(-)

diff --git a/debian/Xsession.d/90gpg-agent b/debian/Xsession.d/90gpg-agent
index b97c363..bc54b93 100644
--- a/debian/Xsession.d/90gpg-agent
+++ b/debian/Xsession.d/90gpg-agent
@@ -1,6 +1,7 @@
 # On systems with systemd running, we expect the agent to be launched
-# via systemd's user mode (see /usr/lib/systemd/user/gpg-agent.service
-# and systemd.unit(5)).  This allows systemd to clean up the agent
+# via systemd's user mode (see
+# /usr/lib/systemd/user/gpg-agent.{socket,service} and
+# systemd.unit(5)).  This allows systemd to clean up the agent
 # automatically at logout.
 
 # If systemd is absent from your system, or you do not permit it to
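
Review bot: The updated header comment names /usr/lib/systemd/user/gpg-agent.{socket,service}, which covers only gpg-agent.socket and gpg-agent.service, while the README change in this same commit tells users to mask 'gpg-agent*.socket' and lists the ssh socket among the sockets that trigger activation. Consider referring to gpg-agent*.socket here as well, so the comment and the README name the same set of units.
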
diff --git a/debian/control b/debian/control
index 01a79ce..4be7294 100644
--- a/debian/control
+++ b/debian/control
@@ -55,6 +55,8 @@ Depends:
 Recommends:
  gnupg (= ${binary:Version}) | gpgsm,
 Suggests:
+ dbus-user-session,
+ pinentry-gnome3,
  scdaemon,
 Provides:
  gpg-agent,
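
Review bot: dbus-user-session and pinentry-gnome3 are added only as Suggests here, yet gnupg-agent.README.Debian in this commit calls that pair "the recommended configuration" for ssh-agent emulation on systemd desktops and says the systemd-managed agent otherwise will not know how to prompt. Either note why Suggests was chosen over Recommends, or align the README wording with the dependency strength. The commit subject also mentions only the README files, so the debian/control change deserves a line in the message.
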
@@ -226,6 +228,8 @@ Breaks:
 Replaces:
  gnupg2 (<< 2.1.10-2),
 Suggests:
+ dbus-user-session,
+ pinentry-gnome3,
  tor,
 Description: GNU privacy guard - network certificate management service
  dirmngr is a server for managing and downloading OpenPGP and X.509
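
Review bot: The second debian/control hunk adds pinentry-gnome3 and dbus-user-session to the Suggests of the dirmngr package, but the dirmngr.README.Debian changes in this commit never mention prompting, pinentry or the d-bus session; both are discussed only for gpg-agent. If this is a copy of the agent stanza, drop it from dirmngr. If dirmngr does benefit from dbus-user-session, say why in the dirmngr README and consider whether pinentry-gnome3 belongs here at all.
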
diff --git a/debian/dirmngr.README.Debian b/debian/dirmngr.README.Debian
index 4fd9156..b0281b3 100644
--- a/debian/dirmngr.README.Debian
+++ b/debian/dirmngr.README.Debian
@@ -9,40 +9,38 @@ automatically.
 systemd
 =======
 
-Users on machines with systemd can ensure that dirmngr is always
-running for their session, and that it gets terminated safely at
-logout by doing:
+Since 2.1.17, users on machines with systemd will have a dirmngr
+process launched automatically by systemd's user session, upon first
+access of the standard socket.  systemd will also cleanly tear this
+process down at session logout.
 
-   systemctl --user enable dirmngr.socket
+Users who don't want systemd to manage their dirmngr in this way for
+all future sessions should do:
 
-If you do this from the middle of a running session, you probably also
-want to clean up any other running dirmngr, and ensure that the
-service is started for the current session as well:
+    systemctl --user mask dirmngr.socket
 
-   gpgconf --kill dirmngr
-   systemctl --user start dirmngr.socket
+Doing this means that dirmngr will fall back to its manual mode of
+operation.
 
-Manual dirmngr startup
-======================
+See systemctl(1) for more details about managing the dirmngr.socket
+unit.
+
+Manual dirmngr startup and teardown
+===================================
 
 Any user who wants to launch dirmngr manually (e.g., to talk to it
-with a tool from outside the GnuPG suite) should do so with:
+with a tool from outside the GnuPG suite) and is *not* using systemd
+should first ensure that it is launched with:
 
    gpgconf --launch dirmngr
 
-You may wish to add this to your session login scripts if you're not
-using systemd.
-
-dirmngr teardown
-================
-
 If dirmngr is launched manually or automatically (but not supervised
-by systemd), you probably want to ensure that it terminates when your
-session ends with:
+by systemd), you also probably want to ensure that it terminates when
+your session ends with:
 
-   gpgconf --kill dirmngr
+   gpgconf --no-autostart --kill dirmngr
 
-You may wish to add this to your session logout scripts if you're not
-using systemd.
+If you're not using systemd, you may wish to add this command to your
+session logout scripts.
 
- -- Daniel Kahn Gillmor <dkg at fifthhorseman.net>, Thu, 27 Oct 2016 12:46:23 -0400
+ -- Daniel Kahn Gillmor <dkg at fifthhorseman.net>, Wed, 18 Jan 2017 12:56:09 -0500
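
Review bot: The new "systemctl --user mask dirmngr.socket" paragraph only covers "all future sessions" and no longer says what to do about a dirmngr already running in the current session, which the removed text handled with "gpgconf --kill dirmngr". Add a sentence on stopping the current systemd-managed instance after masking. The teardown command also gains --no-autostart without any explanation of why it is needed, and the new mask line is indented four spaces while the gpgconf lines in the same file use three.
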
diff --git a/debian/gnupg-agent.README.Debian b/debian/gnupg-agent.README.Debian
index dd4e51a..8f15c8e 100644
--- a/debian/gnupg-agent.README.Debian
+++ b/debian/gnupg-agent.README.Debian
@@ -9,47 +9,73 @@ automatically.
 systemd
 =======
 
-Users on machines with systemd can ensure that gpg-agent is always
-available for their session, and that it gets terminated safely at
-logout by doing:
+Since 2.1.17, users on machines with systemd will have their gpg-agent
+process launched automatically by systemd's user session, upon first
+access of any of the expected gpg-agent sockets (including the ssh
+socket).  systemd will also cleanly tear this process down at session
+logout.
 
-    systemctl --user enable gpg-agent.socket
+If dbus-user-session and pinentry-gnome3 packages are installed, then
+all user interaction with this systemd-managed gpg-agent process
+(e.g. prompting for passwords or confirmations, etc) will take place
+over the d-bus session, for better integration with graphical
+environments like GNOME.
 
-If you also want the ssh or extra (restricted) sockets to be
-available, you might also add:
+Users who don't want systemd to manage their gpg-agent in this way for
+all future sessions should do:
 
-    systemctl --user enable gpg-agent-ssh.socket
-    systemctl --user enable gpg-agent-extra.socket
+    systemctl --user mask 'gpg-agent*.socket'
 
-If you do this from the middle of a running session, you probably also
-want to clean up any other running gpg-agent, and ensure that the
-socket is open and listening is started for the current session as
-well:
+Doing this means that gpg-agent will fall back to its manual mode of
+operation.
 
-    gpgconf --kill gpg-agent
-    systemctl --user start gpg-agent.socket
+See systemctl(1) for more details about managing the gpg-agent*.socket
+units.
 
-Manual gpg-agent startup
-========================
+ssh-agent emulation
+===================
 
-Any user who wants to launch gpg-agent manually (e.g., to talk to it
-with a tool from outside the GnuPG suite) should do so with:
+gpg-agent offers an ssh-agent emulation which can be achieved by
+setting the environment variable SSH_AUTH_SOCK to:
 
-    gpgconf --launch gpg-agent
+    /run/user/$(id -u)/gnupg/S.gpg-agent.ssh
+
+(replace $(id -u) with the user's numeric user ID, of course). 
+
+But ssh doesn't have a way to tell ssh-agent how to prompt the user
+when necessary; the systemd-managed gpg-agent process will only know
+how to prompt the user if you have dbus-user-session and
+pinentry-gnome3 installed.  This is the recommended configuration for
+gpg-agent's ssh-agent emulation on desktop machines running systemd,
+and doesn't need any additional configuration.
+
+However, if dbus-user-session and pinentry-gnome3 are not in use, by
+default the systemd-managed gpg-agent will not know how to get
+feedback from the user when a request is first received by ssh.  You
+can give it a hint for all future ssh connections by running:
 
-You may wish to add this to your session login scripts if you're not
-using systemd.
+    gpg-connect-agent updatestartuptty /bye
 
-gpg-agent teardown
-==================
+You may wish to do this in the login scripts for your user session if
+you run systemd without dbus-user-session and pinentry-gnome3, and you
+plan to use gpg-agent's ssh-agent emulation.
+
+Manual gpg-agent startup and teardown
+=====================================
+
+Any user who wants to launch gpg-agent manually (e.g., to talk to it
+with a tool from outside the GnuPG suite) and is *not* using systemd
+should first ensure that it is launched with:
+
+    gpgconf --launch gpg-agent
 
 If gpg-agent is launched manually or automatically (but not supervised
 by systemd), you probably want to ensure that it terminates when your
 session ends with:
 
-    gpgconf --kill gpg-agent
+    gpgconf --no-autostart --kill gpg-agent
 
-You may wish to add this to your session logout scripts if you're not
-using systemd.
+If you're not using systemd, you may wish to add this to your session
+logout scripts.
 
- -- Daniel Kahn Gillmor <dkg at fifthhorseman.net>, Mon, 17 Oct 2016 17:06:22 -0400
+ -- Daniel Kahn Gillmor <dkg at fifthhorseman.net>, Wed, 18 Jan 2017 12:56:20 -0500
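
Review bot: In the new "ssh-agent emulation" section the socket path is written as /run/user/$(id -u)/gnupg/S.gpg-agent.ssh and the reader is then told to replace $(id -u) by hand, which is confusing because the substitution already works when the line is typed into a shell. Show a complete SSH_AUTH_SOCK assignment or use a plain placeholder for the user ID, not both. The parenthetical line ends with trailing whitespace, and the section does not say where the ssh socket lives for users following the manual, non-systemd mode described further down. In the teardown paragraph, "add this" is less clear than the "add this command" wording used in the dirmngr README.
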

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git


