WIP: okc-gpg

...can't make okc-ssh-agent work even on Termux...

.github/workflows/emulator.yml

@@ -108,12 +108,13 @@ jobs:
         # below 28: bootstrap didn't start, IDK why
         # 34: sometimes work, but doesn't seem stable, even w/o caching images
         script:
-          - android_integration
-          - bootstrap_flakes
-          - bootstrap_channels
-          - poke_around
-          - test_channels_uiautomator
-          - test_channels_shell
+          # android_integration
+          # bootstrap_flakes
+          # bootstrap_channels
+          - okc_agents
+          # poke_around
+          # test_channels_uiautomator
+          # test_channels_shell
 
     steps:
       - name: Checkout repository

CHANGELOG.md

@@ -9,6 +9,10 @@
   `am`, `termux-open`, `termux-open-url`, `termux-reload-settings`,
   `termux-setup-storage`, `termux-wake-lock`, `termux-wake-unlock`
   and `xdg-open`.
+* Another option under `android-integration`, `okc-gpg`,
+  provides a GPG agent for OpenKeychain,
+  courtesy of https://github.com/DDoSolitary/okc-agents.
+  This lets you use PGP keys stored on hardware tokens, like Yubikeys.
 
 ### Compatibility considerations
 

modules/environment/android-integration.nix

@@ -1,6 +1,6 @@
 # Copyright (c) 2019-2024, see AUTHORS. Licensed under MIT License, see LICENSE.
 
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, nixpkgs, ... }:
 
 let
   cfg = config.android-integration;
@@ -11,6 +11,10 @@ let
     pkgs.callPackage (import ../../pkgs/android-integration/termux-tools.nix) {
       inherit termux-am;
     };
+  okc-agents =
+    import (../../pkgs/android-integration/okc-agents) {
+      inherit nixpkgs pkgs termux-am;
+    };
 in
 {
 
@@ -103,6 +107,17 @@ in
       '';
     };
 
+    okc-gpg.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = "true";
+      description = lib.mdDoc ''
+        Provides a GPG agent for OpenKeychain,
+        courtesy of https://github.com/DDoSolitary/okc-agents.
+        This lets you use PGP keys stored on hardware tokens, like Yubikeys.
+      '';
+    };
+
     unsupported.enable = lib.mkOption {
       type = lib.types.bool;
       default = false;
@@ -110,6 +125,7 @@ in
       description = lib.mdDoc ''
         Provide several more unsupported and untested commands.
         For testing and for brave souls only.
+        Currently provides `termux-backup` and `okc-ssh-agent`.
       '';
     };
 
@@ -127,6 +143,8 @@ in
       (ifD cfg.termux-wake-lock.enable termux-tools.wake_lock) ++
       (ifD cfg.termux-wake-unlock.enable termux-tools.wake_unlock) ++
       (ifD cfg.xdg-open.enable termux-tools.xdg_open) ++
+      (ifD cfg.okc-gpg.enable okc-agents.okc_gpg) ++
+      (ifD cfg.unsupported.enable okc-agents.out) ++
       (ifD cfg.unsupported.enable termux-tools.out);
   };
 }

pkgs/android-integration/okc-agents/default.nix

@@ -0,0 +1,23 @@
+# Copyright (c) 2019-2024, see AUTHORS. Licensed under MIT License, see LICENSE.
+
+{ nixpkgs, pkgs, termux-am }:
+
+let
+  okc-agents-unwrapped =
+    (import ./Cargo.nix { inherit nixpkgs pkgs; }).rootCrate.build;
+in
+pkgs.stdenvNoCC.mkDerivation {
+  inherit (okc-agents-unwrapped) name version;
+  phases = [ "installPhase" ];
+  nativeBuildInputs = [ pkgs.makeWrapper ];
+  outputs = [ "out" "okc_gpg" ];
+  installPhase = ''
+    mkdir -p $out/bin $okc_gpg/bin
+    makeWrapper ${okc-agents-unwrapped}/bin/okc-gpg \
+      $okc_gpg/bin/okc-gpg \
+      --prefix PATH : ${pkgs.lib.makeBinPath [ termux-am ]}
+    makeWrapper ${okc-agents-unwrapped}/bin/okc-ssh-agent \
+      $out/bin/okc-ssh-agent \
+      --prefix PATH : ${pkgs.lib.makeBinPath [ termux-am ]}
+  '';
+}

tests/emulator/okc_agents.py

@@ -0,0 +1,107 @@
+import base64
+import os
+import time
+
+import bootstrap_channels
+
+from common import screenshot, wait_for
+
+
+def run(d):
+    # Set up a GPG key in OpenKeychain
+    os.system('fdroidcl update')
+    okc = 'org.sufficientlysecure.keychain'
+    openkeychain = d.fdroid[okc]
+    openkeychain.permissions.allow_notifications()
+    openkeychain.launch()
+    wait_for(d, 'CREATE MY KEY')
+    d.ui(resourceId=f'{okc}:id/create_key_create_key_button').click()
+    d.ui(resourceId=f'{okc}:id/create_key_name').set_text('Test Key')
+    d.ui(resourceId=f'{okc}:id/create_key_next_button').click()
+    time.sleep(.5)
+    d.ui(resourceId=f'{okc}:id/create_key_email').set_text('nod@example.org')
+    d.ui(resourceId=f'{okc}:id/create_key_next_button').click()
+    time.sleep(.5)
+    d.ui(resourceId=f'{okc}:id/create_key_next_button').click()
+    screenshot(d, 'key-created')
+
+    # Select this key in OkcAgent
+    okc_agent = d.fdroid['org.ddosolitary.okcagent']
+    okc_agent.permissions.allow_notifications()
+    okc_agent.launch()
+    time.sleep(1)
+    wait_for(d, 'Automatic error reporting')
+    d.ui(text='NO').click()
+    wait_for(d, 'SELECT GPG KEY')
+    d.ui(text='SELECT GPG KEY').click()
+    d.ui(text='Test Key <nod@example.org>').click()
+    screenshot(d, 'gpg-key-selected')
+
+    # SSH is currently untested (`Error: Could not create description: null`)
+    # wait_for(d, 'ADD SSH KEY')
+    # d.ui(text='ADD SSH KEY').click()
+    # wait_for(d, 'Select authentication key')
+    # d.ui(text='Use key: nod@example.org').click()
+    # d.ui(text='SELECT').click()
+    # screenshot(d, 'ssh-key-selected')
+
+    # Bootstrap
+    nod = bootstrap_channels.run(d)
+    nod.permissions += 'android.permission.SYSTEM_ALERT_WINDOW'
+
+    # Apply a config that enables okc-agents (but not am)
+    cfg_file = '.config/nixpkgs/nix-on-droid.nix'
+    config = ('_: { system.stateVersion = "23.11"; '
+              'android-integration.okc-gpg.enable = true; }')
+    config_base64 = base64.b64encode(config.encode()).decode()
+    d(f'input text "echo {config_base64} | base64 -d > {cfg_file}"')
+    d.ui.press('enter')
+    d('input text "nix-on-droid switch && echo okc-agents  installed"')
+    screenshot(d, 'pre-switch')
+    d.ui.press('enter')
+    wait_for(d, 'okc-agents installed', timeout=1200)
+    screenshot(d, 'post-switch')
+
+    # Verify am is not in path
+    d('input text "am"')
+    d.ui.press('enter')
+    wait_for(d, 'bash: am: command not found')
+    screenshot(d, 'no-am')
+
+    # Run okc-gpg and see how would it complain
+    d('input text "okc-gpg"')
+    d.ui.press('enter')
+    wait_for(d, 'No supported action is found')
+    screenshot(d, 'executed-okc-gpg-no-args')
+
+    # Test that nix-on-droid can use that GPG key through okc-gpg: encryption
+    d('input text "echo secret  data > test"')
+    d.ui.press('enter')
+    screenshot(d, 'pre-encryption')
+    d('input text "RUST_BACKTRACE=1 okc-gpg -er nod@example.org test > test.gpg"')
+    d.ui.press('enter')
+    screenshot(d, 'encryption')
+    d('input text "rm test"')
+    d.ui.press('enter')
+    screenshot(d, 'pre-decryption')
+    d('input text "okc-gpg -d test.gpg"')
+    d.ui.press('enter')
+    screenshot(d, 'decryption')
+    wait_for(d, 'secret data')
+    wait_for(d, 'Verification result: RESULT_NO_SIGNATURE')
+    wait_for(d, 'Decryption result: RESULT_ENCRYPTED')
+    screenshot(d, 'decryption-success')
+
+    # Test that nix-on-droid can use that GPG key through okc-gpg: signing
+    d('input text "echo signed data > test"')
+    d.ui.press('enter')
+    d('input text "okc-gpg -s test -o test.sig"')
+    d.ui.press('enter')
+    d('input text "okc-gpg -v test.sig"')
+    d.ui.press('enter')
+    screenshot(d, 'verification-attempt')
+    wait_for(d, 'secret data')
+    wait_for(d, 'Signature from: Test Key <nod@example.org>')
+    wait_for(d, 'Created on: ')
+    wait_for(d, 'Verification result: RESULT_VALID_KEY_CONFIRMED')
+    screenshot(d, 'verification-success')

tests/on-device/config-android-integration.nix

@@ -11,6 +11,7 @@ _:
     termux-wake-lock.enable = true;
     termux-wake-unlock.enable = true;
     xdg-open.enable = true;
+    okc-gpg.enable = false; # building takes an eternity, tested separately
     # unsupported.enable = false;
   };
 }