[PATCH] Add gnupg to propagated-inputs of trezor-agent

  • Open
  • quality assurance status badge
Details
6 participants
  • Attila Lendvai
  • Efraim Flashner
  • Ludovic Courtès
  • Marek Pa?nikowski
  • Maxime Devos
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Marek Pa?nikowski
Severity
normal
M
M
Marek Pa?nikowski wrote on 22 Aug 2022 21:03
(name . guix-patches@gnu.org)(address . guix-patches@gnu.org)
oamh7oxIpfduEsGj0C875PjRnOZQr49eMY9S2AZdH4h4T5wwhwD_cOAsSZXDGlTn2rGP3751cdC6uLsdswY4PhgAa1js_xzDh3XgVdIFFdo=@protonmail.com
This is my first patch submission ever.
Please tell me if there is anything I did wrong.

The patch is motivated by failure of `trezor-gpg init` command.
After I applied it to the system, I was able to initialize my Trezor-based GPG identity.
From 8c8d465c28923591a5ef7124b1f6835a6f398c51 Mon Sep 17 00:00:00 2001
From: Marek Pa?nikowski <marekpasnikowski@protonmail.com>
Date: Mon, 22 Aug 2022 20:10:47 +0200
Subject: [PATCH] Add gnupg to propagated-inputs of trezor-agent

This fixes "OSError: Cannot find 'gpgconf' in $PATH".
---
gnu/packages/finance.scm | 2 ++
1 file changed, 2 insertions(+)

Toggle diff (15 lines)
diff --git a/gnu/packages/finance.scm b/gnu/packages/finance.scm
index 849f9aba99..f6c15aebdb 100644
--- a/gnu/packages/finance.scm
+++ b/gnu/packages/finance.scm
@@ -1223,6 +1223,8 @@ (define-public trezor-agent
(list python-trezor python-trezor-agent))
(native-inputs
(list python-attrs))
+ (propagated-inputs
+ (list gnupg))
(home-page "https://github.com/romanz/trezor-agent")
(synopsis "Using Trezor as hardware SSH/GPG agent")
(description "This package allows using Trezor as a hardware SSH/GPG
--
2.37.2
R
R
Ricardo Wurmus wrote on 1 Sep 2022 10:51
(address . 57345@debbugs.gnu.org)
87a67jqxqt.fsf@elephly.net
Hi Marek,

thanks for your patch. This looks like a good fix of the problem.

Propagation is generally used sparingly, when there is no other option.
We try to avoid it when possible, because it can lead to unexpected
conflicts, e.g. when a user has a particular version of gnupg installed
in their profile and then installs trezor-agent with a more recent
version of Guix it would abort with a conflict error as it cannot
install two variants of gnupg into the same Guix profile.

I wonder if we can avoid propagation here. We could, for example, look
up gnupg in PATH (so that a user’s installation of gnupg is preferred)
and fall back to an explicit gnupg from the inputs (not
propagated-inputs). This would require minor patching of trezor-agent.

What do you think?

--
Ricardo
M
M
Marek Pa?nikowski wrote on 5 Sep 2022 07:49
(name . 57345@debbugs.gnu.org)(address . 57345@debbugs.gnu.org)
0xUyxGDdNUVX-UebH9VayY2IGvKRGV-WwdvXVVHBu1G-jPUUgs8Zgcl6grF6_rPW4WDO5xtC1a8rdy4v3oONthnqYD1Q--x7uFtVkzY1EX8=@protonmail.com
Nothing I do seems to work at all.

Last night I thought of a fundamental question:
Are `inputs` accessible in the guix store at runtime?

If they are, that means I am too dumb to correctly parse the documentation. My initial patch proves, that `gnupg` has to be available at runtime. At this point I am incapable of doing anything more. I got physically sick of trying to understand and use all the procedures.
E
E
Efraim Flashner wrote on 5 Sep 2022 11:25
(name . Marek Pa?nikowski)(address . marekpasnikowski@protonmail.com)
YxXAfr3QAvFKITa3@3900XT
On Mon, Sep 05, 2022 at 05:49:55AM +0000, guix-patches--- via wrote:
Toggle quote (7 lines)
> Nothing I do seems to work at all.
>
> Last night I thought of a fundamental question:
> Are `inputs` accessible in the guix store at runtime?
>
> If they are, that means I am too dumb to correctly parse the documentation. My initial patch proves, that `gnupg` has to be available at runtime. At this point I am incapable of doing anything more. I got physically sick of trying to understand and use all the procedures.

After some poking around on IRC and in trezor-agent and
python-trezor-agent, it seems that there are a number of calls to the
gpgconf binary and the actual path to gpg is probably set in
python-trezor-agent in libagent/gpg/keyring.py. With all of this it's
probably best to just wrap the files in the bin output of trezor agent
so that we don't miss any files.

(ins)efraim@3900XT /tmp$ tree /gnu/store/46br8illcfv93ryh28s2haz1s59n584v-trezor-agent-0.14.4
/gnu/store/46br8illcfv93ryh28s2haz1s59n584v-trezor-agent-0.14.4
??? bin
?   ??? __pycache__
?   ?   ??? trezor_agent.cpython-39.pyc
?   ??? trezor-agent
?   ??? trezor_agent.py
?   ??? trezor-gpg
?   ??? trezor-gpg-agent
?   ??? trezor-signify
??? lib
??? python3.9
??? site-packages
??? trezor_agent-0.11.0-py3.9.egg-info
??? dependency_links.txt
??? entry_points.txt
??? PKG-INFO
??? requires.txt
??? SOURCES.txt
??? top_level.txt

trezor_agent.py is an actual python script, so I'd use wrap-script, but
the other extensionless files I'd use wrap-program, which IIRC will Do
The Right Thing™ and not double-wrap those files, which are already
wrappers.

I haven't tested the code out, but something like this should work
inside trezor-agent.

(add-before 'check 'wrap-more
;; We want to make sure we're before 'check but after 'wrap
(lambda* (#:key inputs outputs #:allow-other-keys)
(wrap-script (string-append #$output "/bin/trezor_agent.py")
`(("PATH" ":" prefix (,(dirname (search-input-file inputs
"gpg"))))))
(for-each
(lambda (file)
(wrap-program file
`(("PATH" ":" prefix (,(dirname (search-input-file inputs
"gpg")))))))
(find-files (string-append #$output "/bin") "^trezor-"))))

--
Efraim Flashner <efraim@flashner.co.il> ????? ?????
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAmMVwHUACgkQQarn3Mo9
g1GGfg/+PNydiCKrylFjCvYuOHWWfrAapJbJ1V+nhXUgQbNqsYNjGgT+zz9X0sDe
XPG8/kZGvJf8dAEffnuSVU9bPuD8HvZYo7EJ5+67W3CBYErR+9veNZvBrBrHJBB6
ctfA0aJKC6tuFNZ8SzlsIABZJfYO1KooZ0MPyMQfcQsE2iVog+qJFCFrST8EZu9X
gifpw0gZaxlsGaGkRQt06ed0TJBV2Fd39beQ8u85hUdkB7+Lc1nn72KZbTNSLEwI
7BARQByuiqiM1WK9ZV69S6BV2TVJLYizm0Gad05PZ0v4i+njF9zyAhWMEP+Wocp+
y6oInE71EnHwWFqe9kkivmI1tVh05mzeeT523rzsMiYchEmHx+xoaJwA7BcIBcI/
Z10Rsm1tQ/SOA1nzJQNVpR7cXCx75Nvp3zP1LijKUAmcIlUrCN/7cRYGyjwl58P5
D7DyHnn0vxt5pXf0e4W5klp5bqa8NvBfBihTIie4KT3WZZLnfMFPFcpIcPQs0Dsf
D+Pw8edpO9OgbeqYt3agpnWLEPEYpuJpid1p5MYI5KVrTAn+Kqc6CGxx469pnA9M
CJLRo0xAJRJjXX/BR60Q+X2sxNonyoMdGYuqNDSr4zBSgHrFsMPlVmSFRuV+l9Fx
kvagv/pYPiGZmU1escaJEB2LNbNYcJHkC++QLllQd024arSb3zI=
=c7NZ
-----END PGP SIGNATURE-----


M
M
M
Marek Pa?nikowski wrote on 6 Sep 2022 15:06
(name . Efraim Flashner)(address . efraim@flashner.co.il)
mPYu0RVOabPNSlkkHUhirgbiJlfzY1Inrq_1g1_RCzZPg9RXtScKNsGunaUlLbFD9dIJDp5W7rk3_LCxfuE3KaDM4fkzC4ntNpnPudTDkZU=@protonmail.com
Let us not have perfect be the enemy of good, and merge the `propagated-inputs` solution. Once an `inputs` solution is found, it would be used instead.

A potential conflict with other `gnupg` instances is less harmful than the currently happening guaranteed loss of major functionality.

What do you think?
M
M
Maxime Devos wrote on 6 Sep 2022 17:39
46089e99-ded5-ccc9-9e15-f979f3b788df@telenet.be
On 05-09-2022 13:26, guix-patches--- via wrote:
Toggle quote (1 lines)
> I do not understand how to apply the proposed fix.
Copy-paste Efraim's phase to the %standard-phases (I assume before
fixup-agent-py).
Greetings,
Maxime
Attachment: OpenPGP_0x49E3EE22191725EE.asc
Attachment: OpenPGP_signature
M
M
Maxime Devos wrote on 6 Sep 2022 17:41
5884679c-060d-f581-2ab7-18d702f69e53@telenet.be
On 06-09-2022 15:06, guix-patches--- via wrote:
Toggle quote (5 lines)
> Let us not have perfect be the enemy of good, and merge the `propagated-inputs` solution. Once an `inputs` solution is found, it would be used instead.
>
> A potential conflict with other `gnupg` instances is less harmful than the currently happening guaranteed loss of major functionality.
>
> What do you think?
Efraim has posted a potential 'inputs' solution.
Greetings,
Maxime.
Attachment: OpenPGP_0x49E3EE22191725EE.asc
Attachment: OpenPGP_signature
M
M
Maxime Devos wrote on 6 Sep 2022 17:44
5651ad51-13cf-a535-143a-f1bf1d791881@telenet.be
On 05-09-2022 13:26, guix-patches--- via wrote:
Toggle quote (5 lines)
> I have encountered the same problem as in this email:
> https://lists.gnu.org/archive/html/help-guix/2019-06/msg00073.html
>
> I do not understand how to apply the proposed fix.
>
IIRC, python-build-system uses G-exps nowadays, so to use #$, all you
need to do is replace
(arguments `(#:phases (modify-phases ...)))
by
(arguments (list #:phases #~(modify-phases ...))),
no need for separate inputs.
Attachment: OpenPGP_0x49E3EE22191725EE.asc
Attachment: OpenPGP_signature
M
M
Maxime Devos wrote on 6 Sep 2022 17:48
1c43aceb-82af-8a0e-7efb-0c0f6472e940@telenet.be
On 05-09-2022 07:49, guix-patches--- via wrote:
Toggle quote (4 lines)
> Nothing I do seems to work at all.
>
> Last night I thought of a fundamental question:
> Are `inputs` accessible in the guix store at runtime?
If a reference (i.e., a /gnu/store/the-input-... string) ends up in the
resulting store item of trezor-agent, then yes.
Toggle quote (1 lines)
> If they are, that means I am too dumb to correctly parse the documentation.
As far as I'm aware it is not documented that the GC is based on
reference-scanning.
Toggle quote (1 lines)
> My initial patch proves, that `gnupg` has to be available at runtime. At this point I am incapable of doing anything more. I got physically sick of trying to understand and use all the procedures.
Look where 'gnupg' is used in trezor-agent (git grep -F can be useful)
and replace it with substitute* + search-input-file. Alternatively,
wrap-program, as proposed in Efraim's reply.
Greetings,
Maxime.
Attachment: OpenPGP_0x49E3EE22191725EE.asc
Attachment: OpenPGP_signature
L
L
Ludovic Courtès wrote on 8 Sep 2022 14:49
control message for bug #57345
(address . control@debbugs.gnu.org)
87wnaeghej.fsf@gnu.org
tags 57345 + moreinfo
quit
M
M
Marek Pa?nikowski wrote on 9 Sep 2022 21:55
Re: [bug#57345] [PATCH] Add gnupg to propagated-inputs of trezor-agent
(name . Maxime Devos)(address . maximedevos@telenet.be)(name . 57345@debbugs.gnu.org)(address . 57345@debbugs.gnu.org)
UIhoinuw45pQTkijzIpi5feYchi7pAoP2enfY71IcMG4Kr5p3l-7xst3qhibI78OjNQ8RF1Nkc6tHA-lmkeDs-X4hcEsDBcDEbfEII2-de4=@protonmail.com
I give up.

So far, the cleanest workaround is to explicitly declare `gnupg` installation.
I decided to use that going forward.

```
(inputs (list gnupg guile-2.0 python-3 python-trezor python-trezor-agent))

(add-before 'check 'wrap-more
(lambda* (#:key inputs outputs #:allow-other-keys)
(wrap-script (string-append #$output "/bin/trezor_agent.py")
'("PATH" ":" prefix '("/gnu/store/3bpq5knfvzhxhqfwzqm9br917nz7r0yp-gnupg-2.2.32/bin")))))
```

This is as far as I was able to go while maintaining any sense of understanding and control over the code.
All attempts to progress end with this failure:

```
Backtrace [...]

ERROR:
1. &wrap-error:
program: "/gnu/store/rb3wzd5pi899mlvv4wj35afc4z8ys60m-trezor-agent-0.14.4/bin/trezor_agent.py"
type: no-interpreter-found
```

Clearly, the wrapping documentation assumes something and fails to mention it - and now a programming noob like me is totally lost.

My conclusions:
1. Current state of `trezor-agent` - broken critical functionality by default.
2. Presence of `gnupg` in profile fixes the above.
3. `propagated-inputs` also fixes 1., but is not acceptable.
4. In theory, it should be possible to expose a PATH to `gnupg` in `inputs`; but after days of working towards it, I am still not capable of reaching this solution.
A
A
Attila Lendvai wrote on 11 Oct 2022 16:44
(No Subject)
(name . 57345@debbugs.gnu.org)(address . 57345@debbugs.gnu.org)
UQYpv4MON1iX7VF-C4StKWIH3rp3m6gjHUeCR3QHvaI3E0RjSRkGNSg0qusZUl5NMaigsjKx3wl1dMAfnBclLbZlEQ4tufzmVwYIRr1vVNY=@lendvai.name
the problem is that there's no #! shebang line at the head of trezor_agent.py

but i'm not sure that file needs to be patched. the user-facing entry point is trezor-agent, not the .py file.

--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“There is no reason ever to have the same thought twice, unless you like having that thought.”
— David Allen (1945–), 'Getting Things Done'
?