gnupg: disable gui/pinentry support by default

This solves the dependency cycle in gcr alternatively so there won't be two gnupg store paths in a standard NixOS system which has udisks2 enabled by default. NixOS users are expected to use the gpg-agent user service to pull in the appropriate pinentry flavour or install it on their systemPackages and set it in their local gnupg agent config instead. Co-authored-by: Florian Klink <flokli@flokli.de>
2024-11-11 15:27:20 +03:00 · 2018-10-27 16:03:13 +02:00 · 2018-10-27 16:03:13 +02:00 · b5bea4ce32
commit b5bea4ce32
parent edea9fed72
6 changed files with 16 additions and 11 deletions
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@ -85,7 +85,14 @@

  <itemizedlist>
   <listitem>
-    <para />
+    <para>
+      GnuPG is now built without support for a graphical passphrase entry
+      by default. Please enable the <literal>gpg-agent</literal> user service
+      via the NixOS option <literal>programs.gnupg.agent.enable</literal>.
+      Note that upstream recommends using <literal>gpg-agent</literal> and
+      will spawn a <literal>gpg-agent</literal> on the first invocation of
+      GnuPG anyway.
+    </para>
   </listitem>
  </itemizedlist>
 </section>
--- a/nixos/modules/programs/gnupg.nix
+++ b/nixos/modules/programs/gnupg.nix
@ -76,7 +76,7 @@ in
        thus overrides the pinentry option in gpg-agent.conf in the user's
        home directory.
        If not set at all, it'll pick an appropriate flavor depending on the
-        system configuration (qt3 flavor for lxqt and plasma5, gtk2 for xfce
+        system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce
        4.12, gnome3 on all other systems with X enabled, ncurses otherwise).
      '';
    };
--- a/pkgs/development/libraries/gcr/default.nix
+++ b/pkgs/development/libraries/gcr/default.nix
@ -24,11 +24,7 @@ stdenv.mkDerivation rec {

  nativeBuildInputs = [ pkgconfig gettext gobject-introspection libxslt makeWrapper vala ];

-  buildInputs = let
-    gpg = gnupg.override { guiSupport = false; }; # prevent build cycle with pinentry_gnome
-  in [
-    gpg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk
-  ];
+  buildInputs = [ gnupg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk ];

  propagatedBuildInputs = [ glib gtk3 p11-kit ];

--- a/pkgs/tools/security/gnupg/20.nix
+++ b/pkgs/tools/security/gnupg/20.nix
@ -3,7 +3,7 @@

 # Each of the dependencies below are optional.
 # Gnupg can be built without them at the cost of reduced functionality.
-, pinentry ? null, guiSupport ? true
+, pinentry ? null, guiSupport ? false
 , openldap ? null, bzip2 ? null, libusb ? null, curl ? null
 }:

--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
@ -4,7 +4,7 @@

 # Each of the dependencies below are optional.
 # Gnupg can be built without them at the cost of reduced functionality.
-, pinentry ? null, guiSupport ? true
+, pinentry ? null, guiSupport ? false
 , adns ? null, gnutls ? null, libusb ? null, openldap ? null
 , readline ? null, zlib ? null, bzip2 ? null
 }:
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -3499,10 +3499,12 @@ in
  gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { };
  gnupg1 = gnupg1compat;    # use config.packageOverrides if you prefer original gnupg1
  gnupg20 = callPackage ../tools/security/gnupg/20.nix {
-    pinentry = if stdenv.isDarwin then pinentry_mac else pinentry;
+    guiSupport = stdenv.isDarwin;
+    pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2;
  };
  gnupg22 = callPackage ../tools/security/gnupg/22.nix {
-    pinentry = if stdenv.isDarwin then pinentry_mac else pinentry;
+    guiSupport = stdenv.isDarwin;
+    pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2;
  };
  gnupg = gnupg22;