gpg-agent shell variable output
Werner Koch
wk at gnupg.org
Wed Oct 5 16:35:17 CEST 2016
On Wed, 5 Oct 2016 15:58, dkg at fifthhorseman.net said:
> With the new use of standard socket in 2.1.x, it's not clear how to get
> these variables to stdout. For example, the old mechanism of:
>
> $(gpg-agent --enable-ssh-support --daemon --sh)
>
> now does nothing to the parent shell.

They still work:

  $ GNUPGHOME=$(pwd) gpg-agent --options /dev/null \
      --daemon --enable-ssh-support >out
  $ cat out
  SSH_AUTH_SOCK=/FOO/S.gpg-agent.ssh; export SSH_AUTH_SOCK;

or for csh:

  $ GNUPGHOME=$(pwd) gpg-agent --options /dev/null \
      --daemon --enable-ssh-support --csh >out
  $ cat out
  setenv SSH_AUTH_SOCK /FOO/S.gpg-agent.ssh;

and they are also set in the environment of a spawned program

  $ GNUPGHOME=$(pwd) gpg-agent --options /dev/null \
      --daemon --enable-ssh-support /bin/sh
  $ echo $SSH_AUTH_SOCK
  /FOO/S.gpg-agent.ssh

> Are we explicitly deprecating the feature of writing variables to
> stdout? If so, the documentation should be cleaned up and those
> arguments should be explicitly deprecated.

Yes, we should deprecate that in favor of

  SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

A problem with gpgconf is that it does only know about the standard
socket names which are determined based on $GNUPGHOME. That is fine for
ssh but the --extra-socket and the --browser-socket may have been set to
a different name. --supervised may also set them to arbitrary names and
- worse - could do that also for the standard socket. A --supervised
based installation should never do the latter of course to avoid the
catch-22. For the other 3 sockets it would be possible to ask gpg-agent
for the right socket but that also means that gpg-agent would be
launched just to know the sockets.
My conclusion is that we should stick to the default socket names as
printed by gpgconf and not try to make them configurable. Thus a
warning about the use of --extra-socket and --browser-socket would be
appropriate.
--
Thoughts are free. Exceptions are regulated by a federal law.
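
Added example (not part of the original message and not GnuPG project code): a shell-profile function that sets SSH_AUTH_SOCK from gpgconf's standard socket name, as the message recommends, and exports it only if that path is a socket owned by the current user. The function name use_gpg_agent_ssh_socket is hypothetical, and a gpgconf that supports --launch gpg-agent is assumed.

```shell
#!/bin/sh
# Added example, not GnuPG project code. The function name is hypothetical.
# Sets SSH_AUTH_SOCK from gpgconf instead of eval'ing gpg-agent's stdout.
use_gpg_agent_ssh_socket() {
    command -v gpgconf >/dev/null 2>&1 || {
        echo "gpgconf not found" >&2; return 1; }

    # Standard ssh socket name, derived by gpgconf from $GNUPGHOME.
    _gas_sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || return 1
    [ -n "$_gas_sock" ] || return 1

    # Start the agent on the standard socket if it is not running yet.
    gpgconf --launch gpg-agent >/dev/null 2>&1 || return 1

    # gpgconf only reports where the socket should be. Export the path
    # only if a socket owned by this user really exists there, so ssh is
    # never pointed at a stale file or at another user's socket.
    if [ -S "$_gas_sock" ] && [ -O "$_gas_sock" ]; then
        SSH_AUTH_SOCK=$_gas_sock
        export SSH_AUTH_SOCK
        return 0
    fi
    echo "no usable agent ssh socket at $_gas_sock" >&2
    return 1
}

# Usage in ~/.profile (assumes enable-ssh-support is set in gpg-agent.conf):
#   use_gpg_agent_ssh_socket || echo "ssh will not use gpg-agent" >&2
```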