mirror of https://github.com/nix-community/home-manager.git synced 2025-11-20 17:29:39 +01:00

fix(service/gpg-agent): allow SSH ForwardAgent compatibility (#7355)

https://github.com/nix-community/home-manager/pull/7117#issuecomment-3018582819
noted that #7117 broke compatibility with forwarding ssh-agents using
`ssh -A`/`ForwardAgent`. In order to continue supporting the fix for
the issue raised in #5997 and address the compatibility problem
mentioned by @euank, this commit introduces the solution described in
https://github.com/nix-community/home-manager/pull/7117#issuecomment-3025001779.

The code now checks the following:
1. is this shell part of an SSH connection and is `SSH_AUTH_SOCK` set?
   if so, assume the socket variable was set by sshd to point at a
   forwarded socket; bail out to skip setting `SSH_AUTH_SOCK`.
1. is the current process a child of `gpg-agent --daemon`? if so, then
   bail out to skip setting `SSH_AUTH_SOCK`.
1. if we got this far, then set `SSH_AUTH_SOCK`.

I've tested this fix locally and can confirm that both #5997 as well as
the regression are fixed.

Signed-off-by: squat <lserven@gmail.com>
Lucas Servén Marín 2025-07-03 15:24:16 +02:00 committed by GitHub
parent b182e64c01
commit 1fa73bb2cc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -372,7 +372,7 @@ in
home.sessionVariablesExtra = optionalString cfg.enableSshSupport '' home.sessionVariablesExtra = optionalString cfg.enableSshSupport ''
unset SSH_AGENT_PID unset SSH_AGENT_PID
if [ "''${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then if [ -z "$SSH_CONNECTION" -o -z "$SSH_AUTH_SOCK" ] && [ "''${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(${gpgPkg}/bin/gpgconf --list-dirs agent-ssh-socket)" export SSH_AUTH_SOCK="$(${gpgPkg}/bin/gpgconf --list-dirs agent-ssh-socket)"
fi fi
''; '';
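
Review bot: The new guard `[ -z "$SSH_CONNECTION" -o -z "$SSH_AUTH_SOCK" ]` relies on the `-o` operator inside `[`, which POSIX marks as obsolescent and which can parse ambiguously for some operand values; writing it as `{ [ -z "$SSH_CONNECTION" ] || [ -z "$SSH_AUTH_SOCK" ]; } && [ "''${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]` keeps the same logic with unambiguous parsing. Separately, the condition treats any non-empty `SSH_AUTH_SOCK` inside an SSH session as a forwarded socket without checking that the path is a live socket, so a stale or inherited value would leave the session with no usable agent instead of falling back to the gpg-agent socket; consider adding a `[ -S "$SSH_AUTH_SOCK" ]` test, or at least a comment in the Nix string recording the assumption that sshd set the variable.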