Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: gpg-agent and systemd

  1. #1

    Default gpg-agent and systemd

    Hello folks,

    I am trying to setup mbsync (for keeping a local copy of mails) on Leap 42.3. I have configured mbsync to use gpg to decrypt the passwords associated with my email accounts. I also have configured gpg with gpg-agent. When opening a Plasma session, I am prompted for my passphrase to unlock my gpg key. After that, I can

    Code:
     mbsync -Va
    in a terminal without entering my passphrase again.

    However, I also want mbsync to be launched every 3 minutes in the background, and I followed the Arch wiki to create a set of systemd files (https://wiki.archlinux.org/index.php/Mbsync).

    I have a service and a timer file, with

    - in /etc/systemd/system/mbsync@.service

    Code:
    [Unit]
    Description=Mailbox synchronization service for user %I
    
    [Service]
    Type=oneshot
    ExecStart=/usr/bin/mbsync -Va
    ExecStartPost=/usr/bin/notmuch new
    User=%i
    StandardOutput=syslog
    StandardError=syslog
    - and in /etc/systemd/system/mbsync@.timer

    Code:
    [Unit]
    Description=Mailbox synchronization timer
    
    [Timer]
    OnBootSec=300
    OnUnitActiveSec=180
    Persistent=false
    Unit=mbsync@%i.service
    
    [Install]
    WantedBy=timers.target
    This does not work, and I have these entries in journalctl:

    Code:
    gpg-agent[6237]: command get_passphrase failed: End of file
    gpg: problem with the agent: End of file
    gpg: decryption failed: No secret key
    I suppose this is a permission problem, and that the services are run by "someone" else than me, am I right ? How can I fix this ?

    Thanks a lot for your help !

    bests,

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,851

    Default Re: gpg-agent and systemd

    This is all new to me, but when you unlock something when you login in a Plasma session, that has of course nothing to do with something that runs in the background. You can understand that already when you understand that the background job will run regardless if somebody is loged in in the system (CLI, or Gnome, or KDE, or whatever) or not

    The unlocking is IMHO for that particular session. not for everybody that happens to be on the system in whatever form on the same time.
    Henk van Velden

  3. #3
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,345
    Blog Entries
    3

    Default Re: gpg-agent and systemd

    I ran this:
    Code:
    % printenv | grep GPG
    GPG_AGENT_INFO=/tmp/gpg-jKYjVd/S.gpg-agent:5439:1
    If you were to run the same command, and then set GPG_AGENT_INFO in the environment of your script, that would probably work for a while. But it would stop working when you logout, because gpg-agent would be stopped on your logout.

    Arch uses a newer "gpg", where gpg-agent is started when first required. So maybe that still works. OpenSUSE Tumbleweed also uses that newer "gpg".

    I'm not clear on what you are doing, so I don't know if my hints are helpful. Best is for background mail processes to not need access to your gpg key, and then the problem doesn't arise.
    openSUSE Leap 15.1; KDE Plasma 5;

  4. #4

    Default Re: gpg-agent and systemd

    Hello guys,

    After some reading, I finally found a solution to the problem, using user systemd unit files. For reference, if someone is interested, here is how it is done.

    Quote Originally Posted by nrickert
    If you were to run the same command, and then set GPG_AGENT_INFO in the environment of your script, that would probably work for a while. But it would stop working when you logout, because gpg-agent would be stopped on your logout.
    Exactly, but that is the intended behaviour, as I do not want to fetch mails when I'm not logged in. However, I should be able to do that when logged in, without being prompted for a passphrase, and for that, I need to tell gpg-agent to write GPG_AGENT_INFO somewhere.

    My setup is the following, with the systemd related files being placed in ~/.config/systemd/user/
    - First, I start gpg-agent with gpg-agent.service (ssh support for other purposes), with the --write-env-file option:
    Code:
    [Unit]
    Description=gpg-agent Daemon with SSH Support
    
    [Service]
    Type=forking
    ExecStart=/usr/bin/gpg-agent --quiet --daemon --enable-ssh-support --write-env-file "${HOME}/.gnupg/gpg-agent-info"
    Restart=on-success
    
    [Install]
    WantedBy=default.target
    - Then, mbsync.service is used to fetch mails, with a custom fetch_mail.sh script (see below):
    Code:
    [Unit]
    Description=Mailbox synchronization service for user
    
    [Service]
    Type=oneshot
    ExecStart=${HOME}/bin/fetch_mail.sh
    StandardOutput=syslog
    StandardError=syslog
    The important point is that fetch_mail.sh will read the file gpg-agent created with the following code:
    Code:
    if [ -f "${HOME}/.gnupg/gpg-agent-info" ]; then
        . "${HOME}/.gnupg/gpg-agent-info"
        export GPG_AGENT_INFO
    fi
    - And the timer file mbsync.timer is used to activate mbsync.service every 3 minutes:
    Code:
    [Unit]
    Description=Mailbox synchronization timer
    
    [Timer]
    OnBootSec=300
    OnUnitActiveSec=180
    Persistent=false
    Unit=mbsync.service
    
    [Install]
    WantedBy=default.target
    - Everything is activated with the following commands:
    Code:
    systemctl --user daemon-reload
    systemctl --user enable mbsync.timer
    systemctl --user enable gpg-agent.service
    systemctl --user start gpg-agent.service
    systemctl --user start mbsync.timer
    Now, everything works as intended

    Thanks !

  5. #5
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,851

    Default Re: gpg-agent and systemd

    Nice example of systemd usage on the user level.

    Thanks so much for posting this.
    Henk van Velden

  6. #6
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,916
    Blog Entries
    2

    Default Re: gpg-agent and systemd

    Good to hear you got a solution working, but...

    1. Is there some reason why you didn't put your custom systemd Unit files in the standard location instead of in your home directory
    Code:
    /etc/systemd/user/
    2. Ordinarily, it's not necessary to execute the systemd commands in your last step specifying a User, without specifiying a User those commands should execute "daemon reload" against all Unit files and the others simply modify and start the specific Unit files.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  7. #7

    Default Re: gpg-agent and systemd

    Quote Originally Posted by tsu2 View Post
    1. Is there some reason why you didn't put your custom systemd Unit files in the standard location instead of in your home directory
    Code:
    /etc/systemd/user/
    This is just to separate what belongs only to the user to system-wide files. Besides, this setup does not require root access.

    Quote Originally Posted by tsu2 View Post
    2. Ordinarily, it's not necessary to execute the systemd commands in your last step specifying a User, without specifiying a User those commands should execute "daemon reload" against all Unit files and the others simply modify and start the specific Unit files.
    I think using daemon-reload without the --user flag works as well, but I'm not sure if with the files put in ~/.config/systemd/user/ not specifying --user will work. However, I have an empirical and very experimental knowledge on systemd, so I may be mistaking there

    Quote Originally Posted by hcvv
    Thanks so much for posting this.
    You're welcome Besides, as I have an habit of changing / reinstalling my system and losing some tweaks, at least now I know this is somewhere on the Web !

    bests,

  8. #8
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,851

    Default Re: gpg-agent and systemd

    Quote Originally Posted by tsu2 View Post
    Good to hear you got a solution working, but...

    1. Is there some reason why you didn't put your custom systemd Unit files in the standard location instead of in your home directory
    Because he wants to organize this as a normal user for the normal user. Thus he has no access to changing things in /etc.

    This is IMHO an example how an "end-user" can make use of the features of systemd.
    Quote Originally Posted by tsu2 View Post
    I think using daemon-reload without the --user flag works as well,
    Reading
    Code:
    man systemd
    --system, --user
    For --system, tell systemd to run a system instance, even if the process ID is not 1, i.e. systemd is not run as init process. --user does the opposite, running a user instance even if the process ID is 1. Normally it should not be necessary to pass these options, as systemd automatically detects the mode it is started in. These options are hence of little use except for debugging. Note that it is not supported booting and maintaining a full system with systemd running in --system mode, but PID not 1. In practice, passing --system explicitly is only useful in conjunction with --test.
    which means, as you say, that sytemd will detect it is executed by a user.
    Henk van Velden

  9. #9
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,916
    Blog Entries
    2

    Default Re: gpg-agent and systemd

    You should be commended for successfully implementing two custom services for your solution.

    Note that the locations for custom systemd system and user Unit files are in different locations.

    system
    Code:
    /etc/systemd/system/
    User
    Code:
    /etc/systemd/user/
    When a system boots up, these two locations are scanned first, and if any Unit file has the same name as in the default location, then these found in subdirectories of /etc/systemd/ will over-ride. Of course, if your Unit file has a unique name, then there is nothing to over-ride.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  10. #10
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,916
    Blog Entries
    2

    Default Re: gpg-agent and systemd

    A FYI for anyone interested in diving deeper into systemd/User,

    https://wiki.archlinux.org/index.php/Systemd/User

    Includes a full description why systemd Unit files might be deployed in different places.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •