+
+## gpg forwarding
+# NOTE: while ssh manages its auth sock in its protocol when ForwardSsh is
+# enabled, GPG must be forwarded manually over Unix socket. to support
+# this, we forward the restricted gpg-agent extra socket to the remote
+# host with a RemoteForward rule in ~/.ssh/config that uses the
+# _GNUPG_SOCK_* env vars. to avoid conflicts with other ssh sessions
+# where the same user is connecting to the same host from different
+# machines, gpg in each environment should utilize its own forwarded
+# socket, rather than replace the sockets in GNUPGHOME which will be
+# overridden on the next connection. previously, you could provide a path
+# to the agent socket in GPG_AGENT_INFO, but that was deprecated in GPG
+# v2.1. instead, we must clone GNUPGHOME and replace the agent sockets
+# there with the forwarded one.
+# NOTE: since Unix sockets are not supported under Windows, this will not work
+# under msys, cygwin, mingw, etc.
+# HACK: without SendEnv, which is disabled by default in most sshd configs,
+# there is no foolproof way to prevent race conditions via filename
+# collisions or to pass the desired forward path to the remote host
+# environment. we just have to guess the path we choose is good on the
+# desination, and assume the newest matching socket is the correct one
+# after connecting. in theory, we could occlude the ssh binary on PATH
+# with an alias or script that would allow us to communicate with the
+# remote host before opening a shell, so that we can have the host
+# communicate back to the client where it wants a socket created or ask
+# the host if the path the client wants to use is writable. however, this
+# would open up too many edge cases where it wouldn't work or be clunky
+# (e.g. asking for password twice) to make it worth it.
+if [[ ! -v _sev_setup_gpg ]] {
+ # helper function for decoding gpgconf socket paths
+ function _socketpath {
+ # dirs are percent-encoded
+ # https://stackoverflow.com/a/64312099
+ local x=${1//(#b)%([[:xdigit:]](#c2))/${(#):-0x$match[1]}}
+ # remove \r from Windows paths
+ if [[ -v commands[cygpath] ]] {
+ x=$(cygpath -u -- ${x/%$'\r'} 2>/dev/null)
+ }
+ echo $x
+ }
+
+ if [[ ! -v _sev_gpg_forwarded && -v commands[gpg] ]] {
+ export _GNUPG_SOCK_DEST_BASE=/tmp/.gpg-agent-forward
+ export _GNUPG_SOCK_DEST_EXT=$(date +%s).$RANDOM
+ export _GNUPG_SOCK_DEST=$_GNUPG_SOCK_DEST_BASE.$_GNUPG_SOCK_DEST_EXT
+ export _sev_gpg_forward_dir=${GNUPGHOME:-~/.gnupg}/.ssh_forward
+ # clean up forwards if its session is dead or we ask for it
+ if [[ -d $_sev_gpg_forward_dir ]] {
+ find $_sev_gpg_forward_dir -type d -mindepth 1 -maxdepth 1 |
+ while read -r x; do
+ # NOTE: the only way we can get here is if we have not been
+ # forwarded before. if our own pid already has a dir, it
+ # is most likely stale, or something is very broken—
+ # assume the former.
+ p=$(basename $x)
+ if [[ -v _sev_gpg_forward_clean || $$ == $p ]] ||
+ ! kill -0 $p 2>/dev/null; then
+ find $x -mindepth 1 -maxdepth 1 | while read -r y; do
+ unlink $y
+ done
+ rmdir $x
+ fi
+ done
+ unset x p y
+ }
+
+ # find our forwarded socket
+ s=($_GNUPG_SOCK_DEST_BASE*(N=oc[1]))
+ if [[ -n $s && -v SSH_CLIENT ]] {
+ # create new forward dir
+ export _sev_gpg_forwarded=
+ mkdir -pm700 $_sev_gpg_forward_dir
+ h=$_sev_gpg_forward_dir/$$
+ mkdir -pm700 $h
+ # XXX: is it safe to link scdaemon socket? can its name be changed?
+ for x in S.scdaemon gpg.conf gpg-agent.conf sshcontrol \
+ pubring.kbx trustdb.gpg private-keys-v1.d crls.d; do
+ ln -s ${GNUPGHOME:-~/.gnupg}/$x $h
+ done
+ export GNUPGHOME=$h
+ unset h
+ for x in $(gpgconf --list-dirs | grep 'agent-.*-\?socket:'); do
+ x=$(_socketpath ${x/#agent-*socket:})
+ if [[ ! -v orig ]] {
+ mv $s $x
+ orig=$x
+ } else {
+ ln -s $orig $x
+ }
+ done
+ unset x orig
+ }
+ unset s
+
+ # what we will forward if we start a new ssh connection
+ # NOTE: do this after setting up GNUPGHOME to pick up new socket path;
+ # if already connected over SSH, extra should be the remote one
+ export _GNUPG_SOCK_SRC=$(_socketpath \
+ $(gpgconf --list-dirs agent-extra-socket))
+ } else {
+ # required for RemoteForward to not error out if the vars are unset
+ [[ ! -v _GNUPG_SOCK_SRC ]] && export _GNUPG_SOCK_SRC=/nonexistent
+ [[ ! -v _GNUPG_SOCK_DEST ]] && export _GNUPG_SOCK_DEST=/nonexistent
+ }
+
+ ## gpg agent
+ if [[ -v commands[gpg-connect-agent] ]] {
+ [[ -o interactive ]] && print -nP '%F{blue}>>>%f GPG agent: %F{green}'
+ gpg-connect-agent /bye >/dev/null 2>&1
+ if [[ $? -ne 0 ]] {
+ [[ -o interactive ]] &&
+ print -P '%F{red}Error communicating with GPG agent%f'
+ } elif [[ ! -v _sev_gpg_forward && ! -v GPG_TTY &&
+ ( -o interactive || -v DISPLAY ) ]] {
+ # if we aren't forwarded, set up tty if it isn't and we're
+ # in an interactive session
+ export GPG_TTY=$(tty)
+ export PINENTRY_USER_DATA=USE_TTY=$((!${+DISPLAY}))
+ gpg-connect-agent UPDATESTARTUPTTY /bye >/dev/null 2>&1
+ [[ -o interactive ]] &&
+ print -P "Updated TTY%f"
+ } else {
+ [[ -o interactive ]] &&
+ print -P 'Ready%f'
+ }
+ }
+
+ ## ssh agent
+ # NOTE: preferred order of agents to check: okcagent, gnupg, openssh
+ # first block takes care of okcagent and openssh, second gnupg
+ [[ -o interactive ]] && print -nP '%F{blue}>>>%f SSH: %F{green}'
+ if [[ ! -v SSH_AUTH_SOCK && ( -v commands[okc-ssh-agent] ||
+ ( -v commands[ssh-agent] && ! -v commands[gpg] ) ) ]] {
+ okc=${commands[okc-ssh-agent]:+okc-}
+ agentfile=~/tmp/${okc}ssh-agent-exports
+ typeset sock=
+ typeset -i pid=
+ if [[ -f $agentfile ]] {
+ IFS=$'\0' read -r sock pid <$agentfile
+ }
+ if [[ -S $sock && $pid > 0 ]] && kill -0 $pid; then
+ [[ -o interactive ]] && print -P "Reusing agent PID $pid%f"
+ export SSH_AUTH_SOCK=$sock
+ export SSH_AGENT_PID=$pid
+ else
+ e=${okc}ssh-agent
+ # TODO: ensure ssh-agent path looks legit to avoid unsafe eval?
+ # XXX: doesn't appear to be any other way to handle redirection.
+ # because eval needs to write to current scope environment
+ # subshells can't be used to capture output and print.
+ if [[ -o interactive ]] {
+ eval `$e`
+ print -nP '%f'
+ } else {
+ eval `$e` >/dev/null 2>&1
+ }
+ echo -n $SSH_AUTH_SOCK$'\0'$SSH_AGENT_PID >!$agentfile
+ fi
+ unset okc agentfile sock pid
+ } elif [[ ! -v SSH_AUTH_SOCK && -v commands[gpg] ]] {
+ # since gpg agent was started above, we just have to export and notify
+ if [[ -o interactive ]] {
+ if [[ -v _sev_gpg_forwarded ]] {
+ echo 'Remote GPG agent'
+ } else {
+ gpg-connect-agent /subst /serverpid \
+ '/echo GPG agent PID ${get serverpid}' /bye
+ }
+ print -nP '%f'
+ }
+ export SSH_AUTH_SOCK=$(_socketpath \
+ $(gpgconf --list-dirs agent-ssh-socket))
+ } elif [[ -v SSH_AUTH_SOCK ]] {
+ [[ -o interactive ]] && print -P 'Preconfigured agent%f'
+ } else {
+ [[ -o interactive ]] && print -P '%F{red}No agent available%f'
+ }
+
+ ## cleanup
+ # unset gpg helper
+ unfunction _socketpath
+
+ ## perl local lib
+ [[ -v commands[perl] && -d $XDG_DATA_HOME/perl5/lib/perl5 ]] &&
+ eval $(perl -I$XDG_DATA_HOME/perl5/lib/perl5
+ -Mlocal::lib=$XDG_DATA_HOME/perl5 2>/dev/null)
+}
+
+unset is_cygwin
+
+# load site-specific
projects / sev's projects / dotfiles.git / blobdiff