Add macOS support for GPG

> Changed the default socket file paths. There was a problem where the `gpg-agent` was not able to create the socket files within the `~/.gnupg` folder that is symlinked to the gocryptfs (1) container to securely (encrypted) store the GPG keys: ``` gpg: can’t connect to the agent: IPC connect call failed ``` This might be caused by either the macOS filesystem (APFS) that doesn't support the creation of sockets (it works fine on other Arch Linux hosts like `igloo`) or by restrictions due to read/write permissions that are not passed through. This solution/workaround is to change the default absolute file paths of the socket files: 1. Created a `S.gpg-agent` and `S.gpg-agent.ssh` file manually in the `$GNUPGPHOME` folder (defaults to `~/.gnupg`). 2. Added the `extra-socket` and `browser-socket` options in the `gpg-agent.conf` file with the desired paths. The created `S.gpg-agent` and `S.gpg-agent.ssh` files allow to use values of environment variables via string interpolation (2), e.g. `${HOME}`. NOTE: It is important to make sure that the target folder exists and the permissions are set to 700! > macOS pinentry tool Set the `pinentry-programm` option in the `gpg-agent.conf` file to use pinentry-mac (3). Note that this requires the Homebrew formula pinentry-mac (4) to be installed! ```conf pinentry-program /usr/local/bin/pinentry-mac ``` > More references * „gpg: can’t connect to the agent: IPC connect call failed“ (5) * GNUPG bugtracker - “gpg-agent 2.1 socket and nfs /home“ (6) * „How to configure GnuPG's S.gpg-agent socket location?“ (7) References: (1) https://github.com/rfjakob/gocryptfs (2) https://en.wikipedia.org/wiki/String_interpolation (3) https://github.com/GPGTools/pinentry-mac (4) https://formulae.brew.sh/formula/pinentry-mac (5) https://michaelheap.com/gpg-cant-connect-to-the-agent-ipc-connect-call-failed (6) https://dev.gnupg.org/T1752 (7) https://askubuntu.com/a/1053594 Epic: GH-131 Closes GH-132
arcticicestudio · Sep 15, 2018 · fd258eb · fd258eb
1 parent 56bc072
commit fd258eb
Show file tree

Hide file tree

Showing 5 changed files with 122 additions and 1 deletion.
diff --git a/snowblocks/gpg/README.md b/snowblocks/gpg/README.md
@@ -0,0 +1,77 @@
+# GnuPG - The GNU Privacy Guard
+
+> [GnuPG][] is a complete and free implementation of the OpenPGP standard as defined by [RFC4880][] (also known as PGP).
+
+## Troubleshooting
+
+### Fix failed IPC connection call on macOS
+
+There is a problem where the `gpg-agent` is not able to create the socket files within the `~/.gnupg` folder that is symlinked to the [gocryptfs][] container (to securely store the GPG keys encrypted):
+
+```raw
+gpg: can’t connect to the agent: IPC connect call failed
+```
+
+See the „igloosync-dropbox“ setup from the [systemd][gh-igloo-snowblock-systemd] and [launchd][gh-igloo-snowblock-launchd] setup snowblocks.
+
+The error might be caused by either the macOS filesystem (APFS) that doesn't support the creation of sockets (it works fine on other Arch Linux hosts like `igloo`) or by restrictions due to read/write permissions that are not passed through.
+
+One solution/workaround is to change the default **absolute** file paths of the socket files by
+
+1. creating a `S.gpg-agent` and `S.gpg-agent.ssh` file manually in the `$GNUPGPHOME` folder (defaults to `~/.gnupg`).
+2. adding the `extra-socket` and `browser-socket` options in the `gpg-agent.conf` file with the desired paths.
+
+**NOTE**: The created `S.gpg-agent` and `S.gpg-agent.ssh` files allow to use values of environment variables via [string interpolation][wikipedia-string-interpol], e.g. `${HOME}`.
+
+###### `S.gpg-agent`
+
+```raw
+%Assuan%
+socket=${HOME}/path/to/S.gpg-agent
+```
+
+###### `S.gpg-agent.ssh`
+
+```raw
+%Assuan%
+socket=${HOME}/path/to/S.gpg-agent.ssh
+```
+
+###### `gpg-agent.conf`
+
+```conf
+# ...
+# Disable the usage of the default/standard sockets.
+no-use-standard-socket
+
+# Set the cutom paths of the socket files.
+extra-socket /path/to/S.gpg-agent.extra
+browser-socket /path/to/S.gpg-agent.browser
+# ...
+```
+
+**NOTE**: It is important to make sure that the **target folder exists** and the **permissions** are set to `700`!
+
+```sh
+chmod 700 ~/path/to/target/folder
+```
+
+See the [references](#references) for more information and details.
+
+## References
+
+**Fix failed IPC connection call on macOS**
+
+* [gpg: can’t connect to the agent: IPC connect call failed][ref-blog-michaelheap-ipc-connect-fail]
+* [GNUPG bugtracker: “gpg-agent 2.1 socket and nfs /home“][ref-gnupg-bugtracker-t1752]
+* [How to configure GnuPG's S.gpg-agent socket location?]([ref-askubuntu-gpg-socket])
+
+[gnupg]: https://www.gnupg.org
+[gh-igloo-snowblock-launchd]: https://github.com/arcticicestudio/igloo/tree/develop/snowblocks/launchd
+[gh-igloo-snowblock-systemd]: https://github.com/arcticicestudio/igloo/tree/develop/snowblocks/systemd
+[gocryptfs]: https://github.com/rfjakob/gocryptfs
+[ref-askubuntu-gpg-socket]: https://askubuntu.com/a/1053594
+[ref-blog-michaelheap-ipc-connect-fail]: https://michaelheap.com/gpg-cant-connect-to-the-agent-ipc-connect-call-failed
+[ref-gnupg-bugtracker-t1752]: https://dev.gnupg.org/T1752
+[rfc4880]: https://www.ietf.org/rfc/rfc4880.txt
+[wikipedia-string-interpol]: https://en.wikipedia.org/wiki/String_interpolation
diff --git a/snowblocks/gpg/S.gpg-agent b/snowblocks/gpg/S.gpg-agent
@@ -0,0 +1,2 @@
+%Assuan%
+socket=${HOME}/.gnupg-socket-box/S.gpg-agent
diff --git a/snowblocks/gpg/S.gpg-agent.ssh b/snowblocks/gpg/S.gpg-agent.ssh
@@ -0,0 +1,2 @@
+%Assuan%
+socket=${HOME}/.gnupg-socket-box/S.gpg-agent.ssh
diff --git a/snowblocks/gpg/gpg-agent.iceowl.conf b/snowblocks/gpg/gpg-agent.iceowl.conf
@@ -0,0 +1,21 @@
+# Copyright (C) 2016-present Arctic Ice Studio <[email protected]>
+# Copyright (C) 2016-present Sven Greb <[email protected]>
+
+# Project:    igloo
+# Repository: https://github.com/arcticicestudio/igloo
+# License:    MIT
+# References:
+#   https://www.gnupg.org/documentation/manuals/gnupg/
+#   https://wiki.archlinux.org/index.php/GnuPG
+#   gpg-agent(1)
+#   gpgconf(1)
+
+# Set the tool for password prompts.
+pinentry-program /usr/local/bin/pinentry-mac
+
+log-file /Users/sgreb/.var/log/igloo/gpg/gpg-agent.log
+
+# Disable the usage of the default/standard sockets and set custom paths for the socket files.
+no-use-standard-socket
+extra-socket /Users/sgreb/.gnupg-socket-box/S.gpg-agent.extra
+browser-socket /Users/sgreb/.gnupg-socket-box/S.gpg-agent.browser
diff --git a/snowblocks/gpg/snowblock.json b/snowblocks/gpg/snowblock.json
@@ -1,12 +1,31 @@
 [
   {
-    "clean": ["~/.gnupg"]
+    "clean": [
+      "~/.gnupg",
+      "~/.gnupg-socket-box"
+    ]
   },
   {
     "link": {
+      "~/.gnupg/gpg-agent.conf": {
+        "create": true,
+        "hosts": {
+          "iceowl": "gpg-agent.iceowl.conf"
+        }
+      },
       "~/.gnupg/gpg.conf": {
         "create": true,
         "path": "gpg.conf"
+      },
+      "~/.gnupg-socket-box/S.gpg-agent": {
+        "hosts": {
+          "iceowl": "S.gpg-agent"
+        }
+      },
+      "~/.gnupg-socket-box/S.gpg-agent.ssh": {
+        "hosts": {
+          "iceowl": "S.gpg-agent.ssh"
+        }
       }
     }
   }