[PATCH] Add gnupg to propagated-inputs of trezor-agent

  • Open
  • quality assurance status badge
Details
7 participants
  • Attila Lendvai
  • Attila Lendvai
  • Efraim Flashner
  • Ludovic Courtès
  • Marek Paśnikowski
  • Maxime Devos
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Marek Paśnikowski
Severity
normal

Debbugs page

M
M
Marek Paśnikowski wrote on 22 Aug 2022 12:03
(name . guix-patches@gnu.org)(address . guix-patches@gnu.org)
oamh7oxIpfduEsGj0C875PjRnOZQr49eMY9S2AZdH4h4T5wwhwD_cOAsSZXDGlTn2rGP3751cdC6uLsdswY4PhgAa1js_xzDh3XgVdIFFdo=@protonmail.com
This is my first patch submission ever.
Please tell me if there is anything I did wrong.

The patch is motivated by failure of `trezor-gpg init` command.
After I applied it to the system, I was able to initialize my Trezor-based GPG identity.
From 8c8d465c28923591a5ef7124b1f6835a6f398c51 Mon Sep 17 00:00:00 2001
From: Marek Paśnikowski <marekpasnikowski@protonmail.com>
Date: Mon, 22 Aug 2022 20:10:47 +0200
Subject: [PATCH] Add gnupg to propagated-inputs of trezor-agent

This fixes "OSError: Cannot find 'gpgconf' in $PATH".
---
gnu/packages/finance.scm | 2 ++
1 file changed, 2 insertions(+)

Toggle diff (15 lines)
diff --git a/gnu/packages/finance.scm b/gnu/packages/finance.scm
index 849f9aba99..f6c15aebdb 100644
--- a/gnu/packages/finance.scm
+++ b/gnu/packages/finance.scm
@@ -1223,6 +1223,8 @@ (define-public trezor-agent
(list python-trezor python-trezor-agent))
(native-inputs
(list python-attrs))
+ (propagated-inputs
+ (list gnupg))
(home-page "https://github.com/romanz/trezor-agent")
(synopsis "Using Trezor as hardware SSH/GPG agent")
(description "This package allows using Trezor as a hardware SSH/GPG
--
2.37.2
R
R
Ricardo Wurmus wrote on 1 Sep 2022 01:51
(address . 57345@debbugs.gnu.org)
87a67jqxqt.fsf@elephly.net
Hi Marek,

thanks for your patch. This looks like a good fix of the problem.

Propagation is generally used sparingly, when there is no other option.
We try to avoid it when possible, because it can lead to unexpected
conflicts, e.g. when a user has a particular version of gnupg installed
in their profile and then installs trezor-agent with a more recent
version of Guix it would abort with a conflict error as it cannot
install two variants of gnupg into the same Guix profile.

I wonder if we can avoid propagation here. We could, for example, look
up gnupg in PATH (so that a user’s installation of gnupg is preferred)
and fall back to an explicit gnupg from the inputs (not
propagated-inputs). This would require minor patching of trezor-agent.

What do you think?

--
Ricardo
M
M
Marek Paśnikowski wrote on 4 Sep 2022 22:49
(name . 57345@debbugs.gnu.org)(address . 57345@debbugs.gnu.org)
0xUyxGDdNUVX-UebH9VayY2IGvKRGV-WwdvXVVHBu1G-jPUUgs8Zgcl6grF6_rPW4WDO5xtC1a8rdy4v3oONthnqYD1Q--x7uFtVkzY1EX8=@protonmail.com
Nothing I do seems to work at all.

Last night I thought of a fundamental question:
Are `inputs` accessible in the guix store at runtime?

If they are, that means I am too dumb to correctly parse the documentation. My initial patch proves, that `gnupg` has to be available at runtime. At this point I am incapable of doing anything more. I got physically sick of trying to understand and use all the procedures.
E
E
Efraim Flashner wrote on 5 Sep 2022 02:25
(name . Marek Paśnikowski)(address . marekpasnikowski@protonmail.com)
YxXAfr3QAvFKITa3@3900XT
On Mon, Sep 05, 2022 at 05:49:55AM +0000, guix-patches--- via wrote:
Toggle quote (7 lines)
> Nothing I do seems to work at all.
>
> Last night I thought of a fundamental question:
> Are `inputs` accessible in the guix store at runtime?
>
> If they are, that means I am too dumb to correctly parse the documentation. My initial patch proves, that `gnupg` has to be available at runtime. At this point I am incapable of doing anything more. I got physically sick of trying to understand and use all the procedures.

After some poking around on IRC and in trezor-agent and
python-trezor-agent, it seems that there are a number of calls to the
gpgconf binary and the actual path to gpg is probably set in
python-trezor-agent in libagent/gpg/keyring.py. With all of this it's
probably best to just wrap the files in the bin output of trezor agent
so that we don't miss any files.

(ins)efraim@3900XT /tmp$ tree /gnu/store/46br8illcfv93ryh28s2haz1s59n584v-trezor-agent-0.14.4
/gnu/store/46br8illcfv93ryh28s2haz1s59n584v-trezor-agent-0.14.4
├── bin
│   ├── __pycache__
│   │   └── trezor_agent.cpython-39.pyc
│   ├── trezor-agent
│   ├── trezor_agent.py
│   ├── trezor-gpg
│   ├── trezor-gpg-agent
│   └── trezor-signify
└── lib
└── python3.9
└── site-packages
└── trezor_agent-0.11.0-py3.9.egg-info
├── dependency_links.txt
├── entry_points.txt
├── PKG-INFO
├── requires.txt
├── SOURCES.txt
└── top_level.txt

trezor_agent.py is an actual python script, so I'd use wrap-script, but
the other extensionless files I'd use wrap-program, which IIRC will Do
The Right Thing™ and not double-wrap those files, which are already
wrappers.

I haven't tested the code out, but something like this should work
inside trezor-agent.

(add-before 'check 'wrap-more
;; We want to make sure we're before 'check but after 'wrap
(lambda* (#:key inputs outputs #:allow-other-keys)
(wrap-script (string-append #$output "/bin/trezor_agent.py")
`(("PATH" ":" prefix (,(dirname (search-input-file inputs
"gpg"))))))
(for-each
(lambda (file)
(wrap-program file
`(("PATH" ":" prefix (,(dirname (search-input-file inputs
"gpg")))))))
(find-files (string-append #$output "/bin") "^trezor-"))))

--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAmMVwHUACgkQQarn3Mo9
g1GGfg/+PNydiCKrylFjCvYuOHWWfrAapJbJ1V+nhXUgQbNqsYNjGgT+zz9X0sDe
XPG8/kZGvJf8dAEffnuSVU9bPuD8HvZYo7EJ5+67W3CBYErR+9veNZvBrBrHJBB6
ctfA0aJKC6tuFNZ8SzlsIABZJfYO1KooZ0MPyMQfcQsE2iVog+qJFCFrST8EZu9X
gifpw0gZaxlsGaGkRQt06ed0TJBV2Fd39beQ8u85hUdkB7+Lc1nn72KZbTNSLEwI
7BARQByuiqiM1WK9ZV69S6BV2TVJLYizm0Gad05PZ0v4i+njF9zyAhWMEP+Wocp+
y6oInE71EnHwWFqe9kkivmI1tVh05mzeeT523rzsMiYchEmHx+xoaJwA7BcIBcI/
Z10Rsm1tQ/SOA1nzJQNVpR7cXCx75Nvp3zP1LijKUAmcIlUrCN/7cRYGyjwl58P5
D7DyHnn0vxt5pXf0e4W5klp5bqa8NvBfBihTIie4KT3WZZLnfMFPFcpIcPQs0Dsf
D+Pw8edpO9OgbeqYt3agpnWLEPEYpuJpid1p5MYI5KVrTAn+Kqc6CGxx469pnA9M
CJLRo0xAJRJjXX/BR60Q+X2sxNonyoMdGYuqNDSr4zBSgHrFsMPlVmSFRuV+l9Fx
kvagv/pYPiGZmU1escaJEB2LNbNYcJHkC++QLllQd024arSb3zI=
=c7NZ
-----END PGP SIGNATURE-----


M
M
M
Marek Paśnikowski wrote on 6 Sep 2022 06:06
(name . Efraim Flashner)(address . efraim@flashner.co.il)
mPYu0RVOabPNSlkkHUhirgbiJlfzY1Inrq_1g1_RCzZPg9RXtScKNsGunaUlLbFD9dIJDp5W7rk3_LCxfuE3KaDM4fkzC4ntNpnPudTDkZU=@protonmail.com
Let us not have perfect be the enemy of good, and merge the `propagated-inputs` solution. Once an `inputs` solution is found, it would be used instead.

A potential conflict with other `gnupg` instances is less harmful than the currently happening guaranteed loss of major functionality.

What do you think?
M
M
Maxime Devos wrote on 6 Sep 2022 08:39
46089e99-ded5-ccc9-9e15-f979f3b788df@telenet.be
On 05-09-2022 13:26, guix-patches--- via wrote:
Toggle quote (1 lines)
> I do not understand how to apply the proposed fix.
Copy-paste Efraim's phase to the %standard-phases (I assume before
fixup-agent-py).
Greetings,
Maxime
Attachment: OpenPGP_signature
M
M
Maxime Devos wrote on 6 Sep 2022 08:41
5884679c-060d-f581-2ab7-18d702f69e53@telenet.be
On 06-09-2022 15:06, guix-patches--- via wrote:
Toggle quote (5 lines)
> Let us not have perfect be the enemy of good, and merge the `propagated-inputs` solution. Once an `inputs` solution is found, it would be used instead.
>
> A potential conflict with other `gnupg` instances is less harmful than the currently happening guaranteed loss of major functionality.
>
> What do you think?
Efraim has posted a potential 'inputs' solution.
Greetings,
Maxime.
Attachment: OpenPGP_signature
M
M
Maxime Devos wrote on 6 Sep 2022 08:44
5651ad51-13cf-a535-143a-f1bf1d791881@telenet.be
On 05-09-2022 13:26, guix-patches--- via wrote:
Toggle quote (5 lines)
> I have encountered the same problem as in this email:
> https://lists.gnu.org/archive/html/help-guix/2019-06/msg00073.html
>
> I do not understand how to apply the proposed fix.
>
IIRC, python-build-system uses G-exps nowadays, so to use #$, all you
need to do is replace
(arguments `(#:phases (modify-phases ...)))
by
(arguments (list #:phases #~(modify-phases ...))),
no need for separate inputs.
Attachment: OpenPGP_signature
M
M
Maxime Devos wrote on 6 Sep 2022 08:48
1c43aceb-82af-8a0e-7efb-0c0f6472e940@telenet.be
On 05-09-2022 07:49, guix-patches--- via wrote:
Toggle quote (4 lines)
> Nothing I do seems to work at all.
>
> Last night I thought of a fundamental question:
> Are `inputs` accessible in the guix store at runtime?
If a reference (i.e., a /gnu/store/the-input-... string) ends up in the
resulting store item of trezor-agent, then yes.
Toggle quote (1 lines)
> If they are, that means I am too dumb to correctly parse the documentation.
As far as I'm aware it is not documented that the GC is based on
reference-scanning.
Toggle quote (1 lines)
> My initial patch proves, that `gnupg` has to be available at runtime. At this point I am incapable of doing anything more. I got physically sick of trying to understand and use all the procedures.
Look where 'gnupg' is used in trezor-agent (git grep -F can be useful)
and replace it with substitute* + search-input-file. Alternatively,
wrap-program, as proposed in Efraim's reply.
Greetings,
Maxime.
Attachment: OpenPGP_signature
L
L
Ludovic Courtès wrote on 8 Sep 2022 05:49
control message for bug #57345
(address . control@debbugs.gnu.org)
87wnaeghej.fsf@gnu.org
tags 57345 + moreinfo
quit
M
M
Marek Paśnikowski wrote on 9 Sep 2022 12:55
Re: [bug#57345] [PATCH] Add gnupg to propagated-inputs of trezor-agent
(name . Maxime Devos)(address . maximedevos@telenet.be)(name . 57345@debbugs.gnu.org)(address . 57345@debbugs.gnu.org)
UIhoinuw45pQTkijzIpi5feYchi7pAoP2enfY71IcMG4Kr5p3l-7xst3qhibI78OjNQ8RF1Nkc6tHA-lmkeDs-X4hcEsDBcDEbfEII2-de4=@protonmail.com
I give up.

So far, the cleanest workaround is to explicitly declare `gnupg` installation.
I decided to use that going forward.

```
(inputs (list gnupg guile-2.0 python-3 python-trezor python-trezor-agent))

(add-before 'check 'wrap-more
(lambda* (#:key inputs outputs #:allow-other-keys)
(wrap-script (string-append #$output "/bin/trezor_agent.py")
'("PATH" ":" prefix '("/gnu/store/3bpq5knfvzhxhqfwzqm9br917nz7r0yp-gnupg-2.2.32/bin")))))
```

This is as far as I was able to go while maintaining any sense of understanding and control over the code.
All attempts to progress end with this failure:

```
Backtrace [...]

ERROR:
1. &wrap-error:
program: "/gnu/store/rb3wzd5pi899mlvv4wj35afc4z8ys60m-trezor-agent-0.14.4/bin/trezor_agent.py"
type: no-interpreter-found
```

Clearly, the wrapping documentation assumes something and fails to mention it - and now a programming noob like me is totally lost.

My conclusions:
1. Current state of `trezor-agent` - broken critical functionality by default.
2. Presence of `gnupg` in profile fixes the above.
3. `propagated-inputs` also fixes 1., but is not acceptable.
4. In theory, it should be possible to expose a PATH to `gnupg` in `inputs`; but after days of working towards it, I am still not capable of reaching this solution.
A
A
Attila Lendvai wrote on 11 Oct 2022 07:44
(No Subject)
(name . 57345@debbugs.gnu.org)(address . 57345@debbugs.gnu.org)
UQYpv4MON1iX7VF-C4StKWIH3rp3m6gjHUeCR3QHvaI3E0RjSRkGNSg0qusZUl5NMaigsjKx3wl1dMAfnBclLbZlEQ4tufzmVwYIRr1vVNY=@lendvai.name
the problem is that there's no #! shebang line at the head of trezor_agent.py

but i'm not sure that file needs to be patched. the user-facing entry point is trezor-agent, not the .py file.

--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“There is no reason ever to have the same thought twice, unless you like having that thought.”
— David Allen (1945–), 'Getting Things Done'
A
A
Attila Lendvai wrote on 9 Sep 07:33 -0700
Re: Status: [PATCH] Add gnupg to propagated-inputs of trezor-agent
(name . bug#57345)(address . 57345@debbugs.gnu.org)
87frq8rj5h.fsf@lendvai.name
i have updated Trezor support in https://issues.guix.gnu.org/73148and
the last patch fixes this issue (by using absolute store paths to access
gnupg binaries).

i think this one can be closed.

--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“If a nation values anything more than freedom, it will lose its freedom; and the irony of it is that if it is comfort or money that it values more, it will lose that, too.”
— Somerset Maugham (1874–1965)
-----BEGIN PGP SIGNATURE-----

iQHIBAEBCgAyFiEEadqNdPF5etZ4Bu4G/vqf5Vz2480FAmbfB1EUHGF0dGlsYUBs
ZW5kdmFpLm5hbWUACgkQ/vqf5Vz2481AwwwAwG4f1bD7RW22ytUuhI4UF2sorUiU
tcjF+uXpNlDOoKszHjudx9HfvuUmAZy5TG1AzZ/SHwVoKz1785HXGfREFEkw3HBZ
BUhFTzjsSkPLY2deg0F/jG7VH824TAzU2wLNmGIVAKeAHwygeJsFtzHM6lingQAr
OGIu3kSHd3h02vOhHU1kTyjC7BGKHnEJGb2PS78cWmfvUGV9sn8JE07p2VWMqBpW
cCXqGkbyD19DNSFEh40wOeUWlmhNmbJ9xrXjKqGpZ10jOvMsPt6vWTjIEPm/Dolh
jflixQsT5S2L06WE1Hx7mEGoJ3RY3dZaGWay0K7NsdgrC4ssadH84JoqmlZ2e7o6
GY0ayQnjN6NKamh/eCAAZCE977E1rL4fT1VcP6IjZbGKpcHbARzepi8wfapFB4VE
FeWtBU+5U/lU7jKCDiMrc24KHkLcZwPLLAczqIPZh5No1Zt3BvQ1S6D3AZesyP1a
gF4Z0bZ8RHA4/OjlNVhETB6VutJ+N1fb+7KI
=o/A9
-----END PGP SIGNATURE-----

?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 57345@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 57345
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch