]> git.sev.monster Git - dotfiles.git/blame_incremental - etc/zsh/.zprofile
projects / sev's projects / dotfiles.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
zsh: fixup env vars and update a comment
[dotfiles.git] / etc / zsh / .zprofile
... / ...
CommitLineData
1# NOTE:
2# our .zprofile can be expensive, so we keep track of what has been run
3# already, and only set up what is necessary. this also allows us to re-source
4# the file to reinitialize specific parts when desired.
5#
6# in order to ensure future interactive environments are set up as early as
7# possible, we source this file from .zshenv for non-login shells, under some
8# specific conditions outlined there.
9#
10# this file respects non-interactive sessions and will not intentionally emit
11# output.
12
13### fix path after system profile scripts have possibly mangled it
14if [[ ! -v _sev_setup_path || -o login ]] {
15 _sev_setpath
16 export _sev_setup_path=
17}
18
19### dbus
20if [[ ! -v DBUS_SESSION_BUS_ADDRESS && -v commands[dbus-launch] ]] {
21 eval $(dbus-launch)
22 export DBUS_SESSION_BUS_ADDRESS DBUS_SESSION_BUS_PID
23}
24
25### gpg agent + forwarding
26# NOTE: while ssh manages its auth sock in-protocol when ForwardSsh is enabled,
27# GPG must be forwarded manually over Unix socket. to support this, we
28# forward the restricted gpg-agent extra socket to the remote host with a
29# RemoteForward rule in ~/.ssh/config that uses the _GNUPG_SOCK_* vars.
30#
31# to avoid conflicts with other ssh sessions where the same user is
32# connecting to the same host from different machines, gpg should utilize
33# its own forwarded socket for each session. previously, you could
34# provide a path to the agent socket in GPG_AGENT_INFO, but that was
35# deprecated in GPG v2.1; instead, we must replace the socket in gpg's
36# socket dir.
37#
38# gnupg commits fb88f37–aab8a0b moved sockets from GNUPGHOME by default
39# to directories under /run. aab8a0b in particular solidifies the
40# functionality shift to utilize systemd-logind's user runtime
41# directories. if the dir isn't found, gpg will fall back to the homedir.
42# since previous functionality allowed multiple homedirs with multiple
43# sockets, a provision was added where changing GNUPGHOME will also
44# change the socket dir to a hashed dir under the usual runtime dir.
45#
46# utilizing this information, we can conclude:
47# - on systems with user runtime dirs, changing GNUPGHOME will also
48# give us a unique socket dir under the user runtime dir;
49# - on other systems, the socket dir follows GNUPGHOME.
50# therefore, the safest way to ensure unique sockets while not having to
51# write specific logic for both scenarios is to simply change GNUPGHOME.
52# the easiest way to do this is to create a new dir and link the contents
53# of GNUPGHOME to the new home. we can then replace all of the agent
54# sockets wherever they now are with the forwarded one. in either case we
55# will be overwriting the session-specific sockets.
56#
57# NOTE: since Unix sockets are not supported under Windows, this will not work
58# under msys, cygwin, mingw, etc., but may work under wsl2.
59#
60# HACK: without SendEnv, which is disabled by default in most sshd configs,
61# there is no foolproof way to prevent race conditions via socket
62# filename collisions or to pass the desired forward path to the remote
63# host environment. we just have to guess the path we choose is good on
64# the desination, and assume the newest matching socket is the correct
65# one after connecting. in theory, we could occlude the ssh binary on
66# PATH with an alias or script that would allow us to communicate with
67# the remote host before opening a shell, so that we can have the host
68# communicate back to the client where it wants a socket created or ask
69# the host if the path the client wants to use is writable. however, this
70# would open up too many edge cases where it wouldn't work or be too
71# clunky (e.g. asking for password twice) to make it worth it.
72function _gpg_socketpath {
73 # dirs are percent-encoded: https://stackoverflow.com/a/64312099
74 echo ${1//(#b)%([[:xdigit:]](#c2))/${(#):-0x$match[1]}}
75}
76if [[ ! -v _sev_setup_gpg_forward && -v commands[gpg] ]] {
77 # XXX: assuming /tmp exists and is writable on destination
78 export _GNUPG_SOCK_DEST_BASE=/tmp/.gpg-agent-forward
79 export _GNUPG_SOCK_DEST_EXT=$(date +%s).$RANDOM
80 export _GNUPG_SOCK_DEST=$_GNUPG_SOCK_DEST_BASE.$_GNUPG_SOCK_DEST_EXT
81 export _sev_gpg_forward_dir=$XDG_RUNTIME_DIR/gnupg/.ssh_forward
82 _sev_zcleanup gpg-forward
83
84 # find our forwarded socket
85 s=($_GNUPG_SOCK_DEST_BASE*(N=oc[1]))
86 if [[ -n $s && -v SSH_CLIENT ]] {
87 # create new forward dir
88 export _sev_setup_gpg_forward=
89 h=$_sev_gpg_forward_dir/$$
90 mkdir -pm700 $h
91 for x (gpg{,-agent}.conf sshcontrol random_seed
92 pubring.kbx{,~} trustdb.gpg private-keys-v1.d crls.d) {
93 ln -s ${GNUPGHOME:-~/.gnupg}/$x $h
94 }
95 export GNUPGHOME=$h
96 unset h
97 for x in $(gpgconf --list-dirs | grep 'agent-.*-\?socket:'); do
98 x=$(_gpg_socketpath ${x/#agent-*socket:})
99 if [[ ! -v primary ]] {
100 # move forwarded socket to first valid agent socket path
101 # XXX: if tmp is on different filesystem this may not work
102 mv $s $x
103 primary=$x
104 } else {
105 # make links to forwarded socket for any others
106 ln -s $primary $x
107 }
108 done
109 unset x primary
110 }
111 unset s
112
113 # what we will forward if we start a new ssh connection
114 # NOTE: do this after setting up GNUPGHOME to pick up new socket path;
115 # if already connected over SSH, extra should be the remote one
116 export _GNUPG_SOCK_SRC=$(_gpg_socketpath \
117 $(gpgconf --list-dirs agent-extra-socket))
118} elif [[ ! -v _sev_setup_gpg_forward ]] {
119 # required for RemoteForward to not error out if the vars are unset
120 [[ ! -v _GNUPG_SOCK_SRC ]] && export _GNUPG_SOCK_SRC=/nonexistent
121 [[ ! -v _GNUPG_SOCK_DEST ]] && export _GNUPG_SOCK_DEST=/nonexistent
122}
123
124### gpg agent
125if [[ -v commands[gpg-connect-agent] &&
126 ( ! -v _sev_setup_gpgagent || -v _sev_refresh_gpgagent ) ]] {
127 # avoid printing if we have already set up tty before
128 [[ ! -v _sev_setup_gpgagent && -o interactive ]] && p=true || p=false
129 if {$p} {
130 print -nP '%F{blue}>>>%f GPG: '
131 if [[ -v _sev_setup_gpg_forward ]] {
132 print -nP '%F{yellow}Forwarded agent '
133 } else {
134 print -nP '%F{green}Agent '
135 }
136 }
137 gpg-connect-agent /bye >/dev/null 2>&1
138 if [[ $? -ne 0 ]] {
139 $p && print -P '%F{red}communication error'
140 } else {
141 if [[ ! -v _sev_setup_gpg_forward ]] {
142 if [[ ${+GPG_TTY} -eq 0 && -o interactive ]]
143 export GPG_TTY=$(tty)
144 if [[ ( -v DISPLAY || -v WAYLAND_DISPLAY ) &&
145 ${PINENTRY_USER_DATA/USE_TTY=0} == $PINENTRY_USER_DATA ]]
146 export PINENTRY_USER_DATA=USE_TTY=$((
147 ${+DISPLAY} + ${+WAYLAND_DISPLAY} == 0))
148 # XXX: don't know if gpg-agent supports comments after directives
149 # XXX: path could have #
150 # XXX: we are assuming this is our pinentry from .local/bin
151 sed -Ei 's#^([[:space:]]*pinentry-program[[:space:]]).*$#\1'$HOME'/.local/bin/pinentry#' \
152 ${GNUPGHOME:-~/.gnupg}/gpg-agent.conf 2>/dev/null
153 # XXX: could check for changes before doing this to save perf
154 gpg-connect-agent RELOADAGENT UPDATESTARTUPTTY /bye >/dev/null 2>&1
155 if {$p} {
156 gpg-connect-agent /subst /serverpid \
157 "/echo pid \${get serverpid} on $GPG_TTY" /bye 2>/dev/null
158 print -nP '%f'
159 }
160 } elif {$p} {
161 print -P '%f'
162 }
163 export _sev_setup_gpgagent=
164 }
165 unset p _sev_refresh_gpgagent
166}
167
168### ssh agent
169if [[ ! -v _sev_setup_ssh ]] {
170 # NOTE: preferred order of agents to check: okcagent, gnupg, openssh
171 # first block takes care of okcagent and openssh, second gnupg
172 # XXX: doesn't actually check if ssh is enabled in gpg
173 [[ -o interactive ]] && print -nP '%F{blue}>>>%f SSH: %F{green}'
174 if [[ ! -v SSH_AUTH_SOCK && ( -v commands[okc-ssh-agent] ||
175 ( -v commands[ssh-agent] && ! -v commands[gpg] ) ) ]] {
176 okc=${commands[okc-ssh-agent]:+okc-}
177 e=$_sev_tmp/${okc}ssh-agent-exports
178 typeset sock=
179 typeset -i pid=
180 if [[ -f $e ]] {
181 IFS=$'\0' read -r sock pid <$e
182 }
183 if [[ -S $sock && $pid > 0 ]] && kill -0 $pid >/dev/null 2>&1; then
184 [[ -o interactive ]] && print -P "Reusing agent PID $pid%f"
185 export SSH_AUTH_SOCK=$sock
186 export SSH_AGENT_PID=$pid
187 else
188 # TODO: ensure ssh-agent path looks legit to avoid unsafe eval?
189 # XXX: doesn't appear to be any other way to handle redirection.
190 # because eval needs to write to current scope environment
191 # subshells can't be used to capture output and print.
192 c='TMPDIR=$_sev_tmp ${okc}ssh-agent'
193 if [[ -o interactive ]] {
194 eval $(eval $=c)
195 print -nP '%f'
196 } else {
197 eval $(eval $=c) >/dev/null 2>&1
198 }
199 echo -n $SSH_AUTH_SOCK$'\0'$SSH_AGENT_PID >!$e
200 unset c
201 fi
202 unset okc e sock pid
203 } elif [[ ! -v SSH_AUTH_SOCK && -v commands[gpg] ]] {
204 # since gpg should have been started above, just export and notify
205 if [[ -o interactive ]] {
206 if [[ -v _sev_setup_gpg_forward ]] {
207 echo 'Forwarded GPG agent'
208 } else {
209 gpg-connect-agent /subst /serverpid \
210 '/echo GPG agent pid ${get serverpid}' /bye
211 }
212 print -nP '%f'
213 }
214 export SSH_AUTH_SOCK=$(_gpg_socketpath \
215 $(gpgconf --list-dirs agent-ssh-socket))
216 } elif [[ -v SSH_AUTH_SOCK ]] {
217 [[ -o interactive ]] && print -P 'Preconfigured agent%f'
218 } else {
219 [[ -o interactive ]] && print -P '%F{red}No agent available%f'
220 }
221
222 export _sev_setup_ssh=
223}
224unfunction _gpg_socketpath
225
226### load site-specific
227load-site-dotfile zprofile
sev's dotfiles
This page took 0.034766 seconds and 4 git commands to generate.