local/bin/homeinit: Add support for pinentry-tty

Pierre Neidhardt 2019-01-22 12:49:46 +01:00
parent 05e4c64bb6
commit 6c5c2f1f95
1 changed files with 21 additions and 6 deletions


@ -1,7 +1,5 @@
#!/bin/sh
# TODO: Test if TTY and set pinentry appropriately without clobbering
# ~/.gnupg/gpg-agent.conf
# TODO: Run guix pull if OPT_UPDATE and if guix chekout is more than some days old, as specified by an environment variable.
# TODO: Guix pull on commit specified in package-lists/guix-version?
@ -92,7 +90,7 @@ section "Initial packages"
if inpath guix; then
## REVIEW: Should openssh be an input of Git? Mail sent to guix-devel.
mkdir "$(dirname "$PROFILE")"
guix package --profile="$PROFILE" --install openssh gnupg git stow password-store
guix package --profile="$PROFILE" --install openssh gnupg git stow password-store pinentry-tty
source "$PROFILE"/etc/profile
elif inpath pacman; then
sudo pacman --noconfirm -S --needed openssh gnupg git stow password-store
@ -102,9 +100,26 @@ section "GPG"
if [ -d ~/.gnupg ]; then
ROOT=$SSH_ROOT
## Set up gpg-agent to authenticate to SSH_ROOT.
chmod go-rwx ~/.gnupg ~/.gnupg/*
chmod -R go-rwx ~/.gnupg
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
guix package -i pinentry-tty
if [ "$GPG_TTY" != "not a tty" ]; then
## If a TTY, since our ~/.gnupg/gpg-agent.conf exists and specifies a
## pinentry, we must force the TTY version or else it won't work from a TTY.
gpgconf --kill gpg-agent
cat<<EOF>"$(dirname "$PROFILE")/gpg-agent.conf"
## 1-day timeout
default-cache-ttl 86400
max-cache-ttl 86400
## SSH
enable-ssh-support
default-cache-ttl-ssh 86400
max-cache-ttl-ssh 86400
## Force pinentry (should be pinentry-tty)
pinentry-program $(readlink -f $(which pinentry))
EOF
gpg-agent --home-dir ~/.gnupg --use-standard-socket -daemon --options "$(dirname "$PROFILE")/gpg-agent.conf"
fi
## Start gpg-agent manually since SSH requests do not do it automatically.
gpg-connect-agent updatestartuptty /bye
if [ -e "$SOURCEDIR" ]; then
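Review bot: The `pinentry-program $(readlink -f $(which pinentry))` line inside the heredoc on L47 resolves whichever `pinentry` comes first in PATH, so nothing guarantees it is pinentry-tty as the comment above it says, and if the lookup fails the directive is written with an empty value, which the `gpg-agent --options` start on L49 will then refuse. Resolve the path before the heredoc and bail out when it is missing, e.g. `pinentry=$(command -v pinentry-tty || command -v pinentry) || exit 1`, `pinentry=$(readlink -f "$pinentry")`, and then `pinentry-program $pinentry` in the config; `command -v` also avoids the non-POSIX `which` under `#!/bin/sh`. The `"$GPG_TTY" != "not a tty"` test on L34 presumably relies on GPG_TTY having been set from `$(tty)` earlier in the script; if it was set any other way the TTY branch is silently skipped, so a short comment stating that assumption would help. The enclosing `if [ -d ~/.gnupg ]` block continues past the end of the hunk.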
@ -136,7 +151,7 @@ else
git clone ${ROOT}Ambrevar/dotfiles
fi
pushd ~/dotfiles
## .bash_profile may prevent .profile from being parsed, so we remove it.
## .bash_profile may prevent .profile from being parsed, so we move it.
[ -e ~/.bash_profile ] && mv -v ~/.bash_profile ~/.bash_profile.old
stow -v . || exit 1
popd
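Review bot: `mv -v ~/.bash_profile ~/.bash_profile.old` on L60 overwrites an existing `~/.bash_profile.old` without asking, so a second run of homeinit (where `~/.bash_profile` may by then be the stowed symlink from the dotfiles) would replace the user's original backup with the dotfiles copy. If that backup is meant to be preserved, guard it portably: `[ -e ~/.bash_profile ] && [ ! -e ~/.bash_profile.old ] && mv -v ~/.bash_profile ~/.bash_profile.old` (`mv -n` would be shorter but is not POSIX). The `else` branch this hunk belongs to starts outside the hunk.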