
pam-gnupg configuration on Artix #530

Open
aartoni opened this issue Aug 1, 2023 · 10 comments

Comments

@aartoni (Contributor)

aartoni commented Aug 1, 2023

Hi @LukeSmithxyz, I'm trying to set up pam-gnupg on an Artix runit machine, but it doesn't seem to be as easy as setting it up on Arch. I noticed that @kronikpillow, @jemadux, and others have also shown interest in this topic (here, here, and here).

As a user of your open source project, I would like to ask you to consider sharing your pam-gnupg configuration, possibly in a separate branch, so that interested users like myself can experiment with it without forcing other users to install it. It would not only allow us to understand the implementation better but also contribute to the project by providing valuable feedback and enhancements.

Moreover, I noticed that you recently released an Artix installation guide, and I think a video tutorial on using pam-gnupg would be a fantastic follow-up.

@kronikpillow (Contributor)

I've literally given up on getting it to work and moved on :) tried for months, no success

@CheesyChocolate

CheesyChocolate commented Aug 2, 2023

I use artix, runit, startx.
The functionality works perfectly.
Here are my configs:

-rw-r--r-- 1 root root /etc/pam.d/system-local-login

#%PAM-1.0

auth      include   system-login
account   include   system-login
password  include   system-login
session   include   system-login
auth      optional  pam_gnupg.so store-only
session   optional  pam_gnupg.so

-rw------- 1 user user ~/.local/share/gnupg/gpg-agent.conf

allow-preset-passphrase
max-cache-ttl 86400
pinentry-program /usr/bin/pinentry-qt

NOTE: I prefer to use pinentry-qt since the curses version needs to spawn in a terminal and the gnome version needs, well, gnome. That is why some previously mentioned setups failed to work.

-rwxr-xr-x 1 user user ~/.config/x11/xinitrc

if [ -f "${XDG_CONFIG_HOME:-$HOME/.config}/x11/xprofile" ]; then
	. "${XDG_CONFIG_HOME:-$HOME/.config}/x11/xprofile"
else
	. "$HOME/.xprofile"
fi

ssh-agent dwm

-rwxr-xr-x 1 user user ~/.config/x11/xprofile

#!/bin/sh

xrandr --dpi 96		# Set DPI. User may want to use a larger number for larger screens.
setbg $XDG_DATA_HOME/wallpapers &			# set the background with the `setbg` script
xrdb $XDG_CONFIG_HOME/x11/xresources & xrdbpid=$!	# Uncomment to use Xresources colors/settings on startup

autostart="mpd xcompmgr dunst unclutter pipewire remapd"


for program in $autostart; do
	pidof -sx "$program" || "$program" &
done >/dev/null 2>&1

[ -n "$xrdbpid" ] && wait "$xrdbpid"

-rw------- 1 user user ~/.config/pam-gnupg

****************************************

NOTE: * stands for output of gpg -K --with-keygrip

-rw-r--r-- 1 user user ~/.zprofile

export GNUPGHOME="$XDG_DATA_HOME/gnupg"

-rw-r--r-- 1 root root /etc/security/pam_env.conf

GNUPGHOME DEFAULT=@{HOME}/.local/share/gnupg

@aartoni (Contributor, Author)

aartoni commented Aug 2, 2023

@CheesyChocolate just to be sure that we are using the same setup, are you using runit as your init system? Which version of the pam-gnupg (or pam-gnupg-git) package are you running?

Here are my configs:

# -rw-r--r-- 1 root root 220 Aug  2 15:16 /etc/pam.d/system-local-login
#%PAM-1.0

auth      include   system-login
account   include   system-login
password  include   system-login
session   include   system-login
auth      optional  pam_gnupg.so store-only
session   optional  pam_gnupg.so
# -rw------- 1 aartoni aartoni 117 Aug  2 15:34 .gnupg/gpg-agent.conf
allow-preset-passphrase
default-cache-ttl   86400
max-cache-ttl       86400
pinentry-program /usr/bin/pinentry-dmenu
# -rw------- 1 arto arto 41 Jul 31 22:50 .config/pam-gnupg
# Here is the keygrip

Every other dotfile is the current default from LARBS. The pinentry program is actually able to work so I'm sure that the gpg-agent.conf file is being read.

@CheesyChocolate

CheesyChocolate commented Aug 2, 2023

As I updated my comment, I use runit.

$ yay -Qi pam-gnupg-git
Name            : pam-gnupg-git
Version         : r54.3be7745-1

@aartoni (Contributor, Author)

aartoni commented Aug 3, 2023

@CheesyChocolate thanks for your follow-up. I've just tried setting up my GNUPGHOME as in your configuration, so I have updated my .zprofile and moved the content accordingly:

export GNUPGHOME="$XDG_DATA_HOME/gnupg"

I'm still able to sign messages after login with, e.g., echo | gpg --clearsign. If I may ask you something more, I'd like to know if you're sure that there's no extra configuration involved; for instance, the pam-gnupg README.md states that you should put the path to your GNUPGHOME in your .config/pam-gnupg before any keygrip, which doesn't seem to be your case.

Can you try running:

grep -Eir 'g(nu)?pg' ~cf

And see if there's anything that doesn't come from LARBS/voidrice?

@CheesyChocolate

I configured this a year ago, so I don't remember everything. But here are some configs that I missed:

-rw-r--r-- 1 root root /etc/security/pam_env.conf

GNUPGHOME DEFAULT=@{HOME}/.local/share/gnupg

I couldn't find any other relevant configuration.

Happy to help

@kronikpillow (Contributor)

kronikpillow commented Aug 4, 2023

I'm pretty sure this doesn't work :) when I was making that report, I was using Artix as well, and there are even debug attempts by the Artix devs on the forum with me, we failed at making it work ... I dunno what the GNUPGHOME directory has to do with anything ... when I didn't move GNUPG ... I've tried all the pinentrys, and no, gnome's pinentry doesn't require gnome

@kronikpillow (Contributor)

last commit on pam-gnupg, 7 years ago ... developer mostly not responding to issues, all issues point to same issue ...

https://github.com/cruegge/pam-gnupg/issues ...

Like I said, I dunno how you made this work ... but I've been trying to make it work for the past 3 years, and I gave up ... I now use gnome-keyring and gnome-pinentry easily .... just without pam-gnupg ... just because something has the word gnome in it, doesn't mean that it must be part of the suite, it's actually a standalone package and can be used in any window manager

@aartoni (Contributor, Author)

aartoni commented Sep 21, 2023

@CheesyChocolate I tried setting the GNUPGHOME variable in the pam_env.conf file as per your suggestion, couldn't get it to work anyway. Just to be 100% sure, are you able to run echo | gpg --clearsign after you log into the machine without entering your password a single time after the actual log in screen?

One more thing, are you sure that your GPG key is password protected? Try running

gpg-connect-agent reloadagent /bye

and echo | gpg --clearsign again. If it doesn't spawn a password prompt, then the password is either not set or coming from somewhere else.

As always, thank you for your collaboration.
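The three checks this thread keeps circling back to (which keygrips `gpg -K --with-keygrip` reports, whether ~/.config/pam-gnupg lists a GNUPGHOME path and only valid keygrips from that keyring, and whether the agent actually holds a cached passphrase after login) can be scripted. The block below is an added example, not code from this issue or from the pam-gnupg project. It parses constructed sample outputs so it runs without gpg installed; the `live_check` function runs the same checks against real `gpg` and `gpg-connect-agent 'keyinfo --list' /bye` output on a machine. Treating `#` lines in ~/.config/pam-gnupg as comments is an assumption, not something verified against pam-gnupg's parser.

```shell
#!/bin/sh
# Added example, not from this issue or from the pam-gnupg project.
# Offline checks for the artifacts discussed in the thread:
#   - `gpg -K --with-keygrip` output (where the keygrips come from),
#   - ~/.config/pam-gnupg (optional first line = GNUPGHOME path, then one keygrip per line),
#   - `gpg-connect-agent 'keyinfo --list' /bye` output (which keys the agent has cached).
# Every input below is a constructed sample, so the script runs without gpg installed.

# Print the keygrips (40 upper-case hex digits) found in `gpg -K --with-keygrip` output on stdin.
keygrips_from_listing() {
    sed -n 's/^[[:space:]]*Keygrip = \([0-9A-F]\{40\}\)[[:space:]]*$/\1/p'
}

# Print the keygrips gpg-agent reports as cached. `keyinfo --list` answers one
# "S KEYINFO <grip> <type> <serialno> <idstr> <cached> ..." line per key; field 7 is "1"
# when the passphrase sits in the agent's cache and "-" otherwise.
cached_keygrips() {
    awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# Validate a pam-gnupg file read from stdin against the known keygrips in $1 (one per line).
# Emits HOME <path>, OK <grip>, UNKNOWN <grip> (not in the secret keyring) or
# BADFORMAT <line> (not 40 hex digits); returns 1 if anything is UNKNOWN or BADFORMAT,
# since a mistyped grip means the agent is silently never preset at login.
check_pam_gnupg_file() {
    _known=$1; _rc=0; _lineno=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _lineno=$((_lineno + 1))
        case $_line in
            '') continue ;;
            '#'*) continue ;;   # comment lines: assumed syntax, not verified against pam-gnupg
        esac
        if [ "$_lineno" = 1 ]; then
            case $_line in
                /*|'~'*) echo "HOME $_line"; continue ;;   # first line may be the GNUPGHOME path
            esac
        fi
        if ! printf '%s\n' "$_line" | grep -Eq '^[0-9A-F]{40}$'; then
            echo "BADFORMAT $_line"; _rc=1; continue
        fi
        if printf '%s\n' "$_known" | grep -qx "$_line"; then
            echo "OK $_line"
        else
            echo "UNKNOWN $_line"; _rc=1
        fi
    done
    return "$_rc"
}

# Constructed `gpg -K --with-keygrip` output: one signing key with an encryption subkey.
SAMPLE_LISTING='sec   ed25519 2023-08-01 [SC]
      1111111111111111111111111111111111111111
      Keygrip = 0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Constructed User <user@example.invalid>
ssb   cv25519 2023-08-01 [E]
      Keygrip = FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Constructed ~/.config/pam-gnupg: GNUPGHOME on the first line, then keygrips; the
# third entry is one digit short and the fourth is not in the keyring above.
SAMPLE_CONFIG='~/.local/share/gnupg
0123456789ABCDEF0123456789ABCDEF01234567
FEDCBA9876543210FEDCBA9876543210FEDCBA9
DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF'

# Constructed `gpg-connect-agent 'keyinfo --list' /bye` output: only the subkey is cached.
SAMPLE_KEYINFO='S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - - P - - -
S KEYINFO FEDCBA9876543210FEDCBA9876543210FEDCBA98 D - - 1 P - - -
OK'

# Run the checks over the constructed samples (`sh thisfile.sh demo`).
demo() {
    known=$(printf '%s\n' "$SAMPLE_LISTING" | keygrips_from_listing)
    echo "== keygrips in secret keyring =="; printf '%s\n' "$known"
    echo "== ~/.config/pam-gnupg =="
    printf '%s\n' "$SAMPLE_CONFIG" | check_pam_gnupg_file "$known" || echo "(config has problems)"
    echo "== cached in gpg-agent =="; printf '%s\n' "$SAMPLE_KEYINFO" | cached_keygrips
}

# Same checks against the real tools on a machine; run right after logging in, before
# any pass/mutt/gpg invocation that could trigger a pinentry prompt and cache the key itself.
live_check() {
    _cfg=${XDG_CONFIG_HOME:-$HOME/.config}/pam-gnupg
    check_pam_gnupg_file "$(gpg -K --with-keygrip 2>/dev/null | keygrips_from_listing)" < "$_cfg"
    echo "== cached in gpg-agent =="
    gpg-connect-agent 'keyinfo --list' /bye | cached_keygrips
}

case ${1-} in demo) demo ;; esac
```

If `live_check` prints the configured grips as OK but none of them as cached immediately after login, the PAM side (system-local-login ordering, the GNUPGHOME the PAM module sees via pam_env.conf) is where to look; if a grip comes back UNKNOWN or BADFORMAT, the file itself is the problem. Note that with the `max-cache-ttl 86400` used in the configs above, a grip that shows as cached stays usable without a prompt for a day after login, so the check should be done on a fresh session (or after `gpg-connect-agent reloadagent /bye`) to mean anything.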

@CheesyChocolate

CheesyChocolate commented Sep 21, 2023

My setup does not work in my new installation anymore. My new installation on the same system is faced with the problem of "needing to unlock keyring via pinentry prompt once". I had to unlock the keyring via pass, mw -Y or a gpg sign. No unlocking at login.
EDIT: if pass or mw -Y is called, the keyring will open without any prompt. If "gpg sign" is called, I get prompted to enter the password.

I made little effort to restore the functionality and I made the move to gnome-keyring.
