
nixos/hardware/gnupg-ccid: init udev rules #121085

Merged
merged 1 commit into from
Dec 10, 2021


colemickens
Member

Motivation for this change

Gnupg apparently has udev rules for enabling it to access CCID devices.

This provides a NixOS module that will enable those udev rules.

I think they work, but I'm not sure if it's these rules or the yubikey rules kicking in, I need to do further testing.

I think this is potentially going to be needed for gnupg-2.3 users that get pushed into the CCID route (now that gnupg-2.3 doesn't fall back from CCID failures to PC/SC mode automatically, and there are blooming reports of pcscd problems in nixos-unstable...)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Apr 28, 2021

@colemickens
Member Author

Ah nice, to make things more confusing, the gnupg pointed me at Debian's rules, which are much more expansive, and go-figure, include yubikey's identifiers too...

... so... maybe I'll update these rules to include the full Debian list. And I guess users who activate this AND manually link the yk package in services.udev.packages will be doubly-covered.

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/home-manager-users-can-help-test-gnupg-2-3-1-beta/12692/8

@colemickens colemickens force-pushed the gpg-ccid-udev branch 2 times, most recently from 6e3a5ef to b245fc1 Compare April 28, 2021 22:18
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1 labels Apr 28, 2021
@colemickens colemickens force-pushed the gpg-ccid-udev branch 3 times, most recently from c047afd to 7242cd0 Compare April 28, 2021 22:25
Comment on lines 5 to 12
# https://www.gnupg.org/howtos/card-howto/en/gnupg-ccid.rules
# https://www.gnupg.org/howtos/card-howto/en/gnupg-ccid

# but then: https://dev.gnupg.org/T5409
# https://salsa.debian.org/debian/gnupg2/-/blob/debian/main/debian/scdaemon.udev

# per https://man7.org/linux/man-pages/man1/dh_installudev.1.html
# it looks like the default level prefix is 60-...
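
Review bot: in the comment block at lines 5 to 12, the "but then:" line leaves it unclear whether the rules in this file are taken from the gnupg.org gnupg-ccid.rules file or from Debian's scdaemon.udev, so name the source actually used in one sentence and say what T5409 changes about the first two links. The last comment, "it looks like the default level prefix is 60-...", reads as an open question; state the prefix this module uses for its rules file and drop the hedge.
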
Member


I think it wouldn't hurt to add a sentence or two about the links.

@colemickens colemickens force-pushed the gpg-ccid-udev branch 3 times, most recently from 229683a to 7351d1c Compare April 29, 2021 06:14
@stale

stale bot commented Oct 30, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 30, 2021
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Nov 10, 2021
@colemickens
Member Author

This is still relevant, and I think going to be really important for users upgrading to 2.3.3. I think other distros have this on by default ... like Debian.

Member

@stigtsp stigtsp left a comment


Tested OK on Yubikey 5 with gnupg 2.3.3 from #145434

(Did not work with "076b:3031 OmniKey AG OMNIKEY 3x21 Smart Card Reader" even adding a rule for it)

Member

@stigtsp stigtsp left a comment


LGTM

@stigtsp stigtsp merged commit 8f21565 into NixOS:master Dec 10, 2021
@stigtsp stigtsp mentioned this pull request Dec 10, 2021
@colemickens colemickens deleted the gpg-ccid-udev branch December 30, 2022 01:26