Prevent gpg-agent from being called with --keep-display

If I understand correctly, the openSUSE distribution of xdm contains a script /etc/X11/xdm/scripts/10-gpg-agent that invokes gpg-agent with the --keep-display option. This is inconvenient for me because it prevents me from processing signed/encrypted e-mails when I access my machine remotely. Steps to reproduce:

  1. I log into my home machine locally. gpg-agent gets automatically launched with the --keep-display option.
  2. I lock my screen and go to the office. At the office, I connect to my home machine via SSH or x2go and launch my mail client.
  3. I try to read an encrypted message, or to send a signed or encrypted message. Normally the pinentry program would pop up asking for my passphrase. However, the --keep-display option prevents it from being displayed.

What is the best way of continuing to have my machine automatically launch gpg-agent on login, but without the --keep-display option? I don’t want to edit the /etc/X11/xdm/scripts/10-gpg-agent file directly as it will get overwritten whenever the xdm package is upgraded.

I haven’t tested this.

You should be able to start gpg-agent in your shell profile. If you are using “bash” that is presumably either “.profile” or “.bash_profile” in your home directory. For “csh” (which I use), it is “.login”.

Normal X startup begins by starting your login shell, which should run the appropriate startup file. And this happens before “ssh-agent” and “gpg-agent” are started.

I’ll note that you have to put in cross-checks, so that these agents are not started if they are already running (you can probably tell from environment variables).

In my experience, if I start “ssh-agent” from the shell startup file, then it is not started a second time in X session startup. I have not checked whether that is also true for “gpg-agent” startup.

OK, I can try that. The system default invokes gpg-agent with “--daemon /etc/X11/xinit/xinitrc”. Should my invocation in ~/.profile use that option too? I’m not really clear on the purpose of calling it with that environment. (Well, I understand the idea of daemonizing it; I just don’t understand why /etc/X11/xinit/xinitrc should be passed.)

It looks as if you should start it with:

eval $(gpg-agent --daemon)

But first check if “$GPG_AGENT_INFO” is defined.
Maybe something like:

if [ "$GPG_AGENT_INFO" = "" ] ; then
  eval $(gpg-agent --daemon)
fi

You most certainly do not want the “xinitrc” there when starting from shell startup file.

As to why that is there – the idea is to run gpg-agent as a daemon, and have that daemon startup X11 as a subprocess. That way, when X11 ends, the gpg-agent daemon will automatically shutdown. But you can’t do it that way from your shell profile, because X11 is being started elsewhere.
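Putting the cross-check and the daemon start together, here is an added example of what a ~/.profile fragment can look like (my own illustration, not a script from the thread or from the openSUSE package). It assumes a GnuPG 2.0-style agent that reports itself through GPG_AGENT_INFO as "socket:pid:protocol", and it goes slightly beyond the check above by treating a stale GPG_AGENT_INFO (socket gone, or pid no longer running) as "no agent", so a leftover variable from an old session cannot block a fresh start.

```shell
#!/bin/sh
# Added example: start gpg-agent from the shell profile without
# --keep-display and without the xinitrc argument, but only when no
# usable agent is already running. Assumes GPG_AGENT_INFO has the
# GnuPG 2.0 layout "<socket path>:<pid>:<protocol version>".

# Print the pid recorded in a GPG_AGENT_INFO value; fail if it has none.
gpg_agent_pid() {
    rest=${1#*:}
    pid=${rest%%:*}
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$pid"
}

# Succeed only if the value names an existing socket whose pid is alive.
gpg_agent_alive() {
    info=$1
    [ -n "$info" ] || return 1
    sock=${info%%:*}
    [ -S "$sock" ] || return 1
    pid=$(gpg_agent_pid "$info") || return 1
    # kill -0 sends no signal; it just reports whether the process exists.
    kill -0 "$pid" 2>/dev/null
}

# A fresh agent is needed unless the inherited variable points at a live one.
gpg_agent_needed() {
    if gpg_agent_alive "$GPG_AGENT_INFO"; then
        return 1
    fi
    return 0
}

# Call this from ~/.profile (or ~/.login for csh, translated accordingly).
# --daemon prints shell assignments; eval'ing them exports GPG_AGENT_INFO
# to this shell and everything it starts later, including the X session.
start_gpg_agent_if_needed() {
    if gpg_agent_needed; then
        eval "$(gpg-agent --daemon)"
    fi
}
```

Calling start_gpg_agent_if_needed at the end of the profile leaves the system 10-gpg-agent script untouched; when the X session later finds GPG_AGENT_INFO already set to a live agent, that script's cross-check should skip its own --keep-display start.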

Yes, I’m trying something similar (but checking the string with -z rather than = “”). However, this doesn’t work; when I log in I get the following error:

gpg-agent[7844]: enabled debug flags: ipc
can't connect to 'socket:///home/psy/.gnupg/log-socket': Connection refused

The file in question is a pipe with a very old timestamp—I think it was carried over from my old openSUSE 11.4 installation, which probably invoked gpg-agent in a different way. I’ll try moving the pipe out of the way and see if that helps.

OK, that makes sense. Thanks for the explanation.

I tried moving the pipe out of the way. I’m able to log in on the console now, and gpg-agent seems to get started correctly. But I can’t log into Plasma. As soon as I type my username and password and hit enter, the screen blanks for a moment and then returns me to the login prompt.