gpg-agent shell variable output

Daniel Kahn Gillmor dkg at
Wed Oct 5 19:14:45 CEST 2016

On Wed 2016-10-05 10:35:17 -0400, Werner Koch wrote:
> They still work:
>   $ GNUPGHOME=$(pwd) gpg-agent --options /dev/null \
>                        --daemon --enable-ssh-support >out
>   $ cat out
>   SSH_AUTH_SOCK=/FOO/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
> or for csh:
>   $ GNUPGHOME=$(pwd) gpg-agent --options /dev/null \
>                        --daemon --enable-ssh-support --csh >out
>   $ cat out
>   setenv SSH_AUTH_SOCK /FOO/S.gpg-agent.ssh;
> and they are also set in the environment of a spawned program
>   $ GNUPGHOME=$(pwd) gpg-agent --options /dev/null \
>                        --daemon --enable-ssh-support /bin/sh
>   $ echo $SSH_AUTH_SOCK
>   /FOO/S.gpg-agent.ssh

These only work in the event that gpg-agent is actually launched.

If, instead, gpg-agent just detects that it is already running, nothing
is printed to stdout.  Why not?

>> Are we explicitly deprecating the feature of writing variables to
>> stdout?  If so, the documentation should be cleaned up and those
>> arguments should be explicitly deprecated.
> Yes, we should deprecate that and favor of
>  SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
> A problem with gpgconf is that it does only know about the standard
> socket names which are determined based on $GNUPGHOME.  That is fine for
> ssh but the --extra-socket and the --browser-socket may have been set to
> a different name.  --supervised may also set them to arbitrary names and
> - worse - could do that also for the standard socket. A --supervised
> based installation should never do the latter of course to avoid the
> catch-22.  For the other 3 sockets it would be possible to ask gpg-agent
> for the right socket but that also means that gpg-agent would be
> launched just t know the sockets.
> My conclusion is that we should stick to the default socket names as
> printed by gpgconf and not try to make them configurable.  Thus a
> warning about the use of --extra-socket and --browser socket would be
> appropriate.

--browser-socket has never been a documented option in a released
version.  We could replace it entirely with --disable-browser-socket and
not break any documented interfaces.

For symmetry, we could also introduce --disable-restricted-socket and
explicitly deprecate --extra-socket (if the socket is going to be named
S.gpg-agent.rstrd then we should refer to it consistently as "restricted
socket", not as "extra", as long as we're doing an interface deprecation
and cleanup)

thanks for thinking these through with me,


More information about the Gnupg-devel mailing list