Moving the agent's socket to /var/run ?

Werner Koch wk at
Wed Jun 8 15:29:13 CEST 2016


I just pushed some changes to use sockets below /run/user:

    If a [/var]/run/user/$(id -u)/ directory exists, a gnupg subdir is
    created as needed and the permissions of the directories are checked.
    If that all matches that directory name is returned instead of the
    To cope with non standard homedirs (via GNUPGHOME or --homedir) the
    SHA-1 hash of the homedir is computed, left truncated to 120 bits,
    zBase-32 encoded, prefixed with "d.", and appended to
    "[/var]/run/user/$(id -u)/gnupg/".  If that directory exists and has
    proper permissions it is returned as socket dir - if not the homedir
    is used.  Due to cleanup issues, this directory will not be
    auto-created but needs to be created by the user in advance.
    The required permissions are: directory owned by the user, group and
    others bits not set.

As long as no /run/user/$UID directory exists, you should not run into
problems.  If that directory exists GnuPG will try to use it - in this
case you should restart the daemons (gpgconf --kill gpg-agent; gpgconf
--kill dirmngr).

If you are not using the default home directory, you may use
  gpgconf --create-socketdir
to create a dedicated directory below /run/user/$UID/gnupg.  gpgconf
--remove-socketdir can be used for cleanup; gpgconf now also
understands --homedir.

If you are using gpg-agent for ssh, remember to change the envvar to the
new place:

  export SSH_AUTH_SOCK

This envvar is actually a bit annoying and thus I would appreciate if
Debian could change ssh to try the above socket if for example
SSH_AUTH_SOCK is set to "gpg-agent" or some other magic.



Thoughts are free.  Exceptions are regulated by a federal law.  /* EFH in
    Erkrath: */
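The socket-directory rule quoted above (hash the homedir with SHA-1, keep the leading 120 bits, z-base-32 encode, prefix "d.", then require a 0700 directory owned by the user) is easy to get subtly wrong, so here is a small Python reconstruction of it. This is an added illustration, not GnuPG's own code; it assumes the homedir string is hashed exactly as given (GnuPG may canonicalise the path first), that "proper permissions" means a directory owned by the calling user with no group/other bits, and that the default homedir maps to `/run/user/$UID/gnupg` itself while any other homedir maps to the hashed subdirectory:

```python
"""Reproduce how GnuPG (2.1.13+) picks the socket directory below
/run/user/<uid>/gnupg, following the commit message quoted in the mail.

Added example, not GnuPG's own code.  Assumptions: the homedir string is
hashed as given (no canonicalisation), and "proper permissions" means a
directory owned by the caller with no group/other permission bits.
"""
import hashlib
import os
import stat

# z-base-32 alphabet, as used by GnuPG's zb32_encode()
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zb32_encode(data, nbits):
    """Encode the leading NBITS bits of DATA as z-base-32: 5 bits per
    character, most significant bit first, no padding characters."""
    assert nbits <= 8 * len(data)
    bits = int.from_bytes(data, "big") >> (8 * len(data) - nbits)
    nchars = (nbits + 4) // 5
    bits <<= nchars * 5 - nbits          # right-pad a partial last group with zeros
    return "".join(ZB32_ALPHABET[(bits >> (5 * i)) & 31]
                   for i in range(nchars - 1, -1, -1))


def hashed_dirname(homedir):
    """Per-homedir subdirectory name: "d." + zb32(first 120 bits of SHA-1(homedir))."""
    digest = hashlib.sha1(homedir.encode("utf-8")).digest()
    return "d." + zb32_encode(digest, 120)        # 120 bits -> 24 characters


def permissions_ok(st_mode, st_uid, uid):
    """The check the commit message describes: a directory, owned by UID,
    with the group and other permission bits all clear (i.e. 0700)."""
    return stat.S_ISDIR(st_mode) and st_uid == uid and (st_mode & 0o077) == 0


def socket_dir(homedir, default_homedir, uid=None):
    """Return the directory gpg-agent/dirmngr should place their sockets in.

    Falls back to HOMEDIR whenever no usable per-user runtime directory is
    found, which is the pre-change behaviour."""
    if uid is None:
        uid = os.getuid()
    base = None
    for run in ("/run/user", "/var/run/user"):
        cand = os.path.join(run, str(uid))
        if os.path.isdir(cand):
            base = cand
            break
    if base is None:
        return homedir                               # no /run/user/$UID at all

    gnupg_dir = os.path.join(base, "gnupg")
    if os.path.normpath(homedir) == os.path.normpath(default_homedir):
        # Default homedir: the gnupg subdir is created as needed (mode 0700).
        try:
            os.makedirs(gnupg_dir, 0o700, exist_ok=True)
        except OSError:
            return homedir
        target = gnupg_dir
    else:
        # Non-default homedir (GNUPGHOME / --homedir): hashed subdir, which is
        # NOT auto-created; the user runs `gpgconf --create-socketdir` first.
        target = os.path.join(gnupg_dir, hashed_dirname(homedir))

    try:
        st = os.lstat(target)                        # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return homedir
    if not permissions_ok(st.st_mode, st.st_uid, uid):
        return homedir                               # wrong owner or too open: refuse it
    return target


if __name__ == "__main__":
    default_home = os.path.expanduser("~/.gnupg")
    print("default homedir  ->", socket_dir(default_home, default_home))
    alt_home = "/srv/keys/ci-gnupg"                  # constructed example path
    print(alt_home, "->", socket_dir(alt_home, default_home),
          "(hashed name would be", hashed_dirname(alt_home) + ")")
```

Running it on a system without `/run/user/$UID` prints the homedir twice; on a systemd-logind system with a dedicated homedir it prints the homedir until `gpgconf --homedir /srv/keys/ci-gnupg --create-socketdir` has created the `d.` directory, which is the "created by the user in advance" step from the mail. The owner and mode check is what makes the shared `/run/user` location safe to use; skipping it would let another local user who can pre-create a same-named directory interpose on the agent sockets.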

More information about the Gnupg-devel mailing list