Merge pull request #133542 from fpletz/refactor/pinentry-remove-multiple-outputs

pinentry: remove multiple outputs

nixos/modules/config/no-x-libs.nix

@@ -66,7 +66,7 @@ with lib;
       networkmanager-sstp = super.networkmanager-vpnc.override { withGnome = false; };
       networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; };
       pango = super.pango.override { x11Support = false; };
-      pinentry = super.pinentry.override { enabledFlavors = [ "curses" "tty" "emacs" ]; withLibsecret = false; };
+      pinentry-curses = super.pinentry-curses.override { withLibsecret = false; };
       pipewire = super.pipewire.override { vulkanSupport = false; x11Support = false; };
       pythonPackagesExtensions = super.pythonPackagesExtensions ++ [
         (python-final: python-prev: {

nixos/modules/programs/gnupg.nix

@@ -1,8 +1,7 @@
 { config, lib, pkgs, ... }:
 
-with lib;
-
 let
+  inherit (lib) mkRemovedOptionModule mkOption mkPackageOption types mkIf optionalString;
 
   cfg = config.programs.gnupg;
 
@@ -26,8 +25,10 @@ let
       "curses";
 
 in
-
 {
+  imports = [
+    (mkRemovedOptionModule [ "programs" "gnupg" "agent" "pinentryFlavor" ] "Use programs.gnupg.agent.pinentryPackage instead")
+  ];
 
   options.programs.gnupg = {
     package = mkPackageOption pkgs "gnupg" { };
@@ -66,17 +67,17 @@ in
       '';
     };
 
-    agent.pinentryFlavor = mkOption {
+    agent.pinentryPackage = mkOption {
-      type = types.nullOr (types.enum pkgs.pinentry.flavors);
+      type = types.nullOr types.package;
-      example = "gnome3";
+      example = lib.literalMD "pkgs.pinentry-gnome3";
-      default = defaultPinentryFlavor;
+      default = pkgs.pinentry-curses;
-      defaultText = literalMD ''matching the configured desktop environment'';
+      defaultText = lib.literalMD "matching the configured desktop environment or `pkgs.pinentry-curses`";
       description = lib.mdDoc ''
-        Which pinentry interface to use. If not null, the path to the
+        Which pinentry package to use. The path to the mainProgram as defined in
-        pinentry binary will be set in /etc/gnupg/gpg-agent.conf.
+        the package's meta attriutes will be set in /etc/gnupg/gpg-agent.conf.
-        If not set at all, it'll pick an appropriate flavor depending on the
+        If not set by the user, it'll pick an appropriate flavor depending on the
-        system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce
+        system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce,
-        4.12, gnome3 on all other systems with X enabled, ncurses otherwise).
+        gnome3 on all other systems with X enabled, curses otherwise).
       '';
     };
 
@@ -102,9 +103,8 @@ in
   };
 
   config = mkIf cfg.agent.enable {
-    programs.gnupg.agent.settings = {
+    programs.gnupg.agent.settings = mkIf (cfg.agent.pinentryPackage != null) {
-      pinentry-program = lib.mkIf (cfg.agent.pinentryFlavor != null)
+      pinentry-program = lib.getExe cfg.agent.pinentryPackage;
-        "${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry";
     };
 
     environment.etc."gnupg/gpg-agent.conf".source =
@@ -207,9 +207,9 @@ in
       wantedBy = [ "sockets.target" ];
     };
 
-    services.dbus.packages = mkIf (cfg.agent.pinentryFlavor == "gnome3") [ pkgs.gcr ];
+    services.dbus.packages = mkIf (lib.elem "gnome3" (cfg.agent.pinentryPackage.flavors or [])) [ pkgs.gcr ];
 
-    environment.systemPackages = with pkgs; [ cfg.package ];
+    environment.systemPackages = [ cfg.package ];
 
     environment.interactiveShellInit = ''
       # Bind gpg-agent to this TTY if gpg commands are used.
@@ -230,12 +230,10 @@ in
     '';
 
     assertions = [
-      { assertion = cfg.agent.enableSSHSupport -> !config.programs.ssh.startAgent;
+      {
+        assertion = cfg.agent.enableSSHSupport -> !config.programs.ssh.startAgent;
         message = "You can't use ssh-agent and GnuPG agent with SSH support enabled at the same time!";
       }
     ];
   };
-
-  # uses attributes of the linked package
-  meta.buildDocsInSandbox = false;
 }

nixos/modules/programs/wayland/sway.nix

@@ -152,6 +152,7 @@ in {
             '';
           }
         ];
+
         environment = {
           systemPackages = optional (cfg.package != null) cfg.package ++ cfg.extraPackages;
           # Needed for the default wallpaper:
@@ -166,8 +167,12 @@ in {
             "sway/config".source = mkOptionDefault "${cfg.package}/etc/sway/config";
           };
         };
+
+        programs.gnupg.agent.pinentryPackage = lib.mkDefault pkgs.pinentry-gnome3;
+
         # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050913
         xdg.portal.config.sway.default = mkDefault [ "wlr" "gtk" ];
+
         # To make a Sway session available if a display manager like SDDM is enabled:
         services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; }
       (import ./wayland-session.nix { inherit lib pkgs; })

nixos/modules/services/security/yubikey-agent.nix

@@ -6,9 +6,6 @@ with lib;
 
 let
   cfg = config.services.yubikey-agent;
-
-  # reuse the pinentryFlavor option from the gnupg module
-  pinentryFlavor = config.programs.gnupg.agent.pinentryFlavor;
 in
 {
   ###### interface
@@ -41,13 +38,8 @@ in
     # This overrides the systemd user unit shipped with the
     # yubikey-agent package
     systemd.user.services.yubikey-agent = mkIf (pinentryFlavor != null) {
-      path = [ pkgs.pinentry.${pinentryFlavor} ];
+      path = [ config.programs.gnupg.agent.pinentryPackage ];
-      wantedBy = [
+      wantedBy = [ "default.target" ];
-        (if pinentryFlavor == "tty" || pinentryFlavor == "curses" then
-          "default.target"
-        else
-          "graphical-session.target")
-      ];
     };
 
     # Yubikey-agent expects pcsd to be running in order to function.

nixos/modules/services/x11/desktop-managers/deepin.nix

@@ -66,6 +66,7 @@ in
       services.upower.enable = mkDefault config.powerManagement.enable;
       networking.networkmanager.enable = mkDefault true;
       programs.dconf.enable = mkDefault true;
+      programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt;
 
       fonts.packages = with pkgs; [ noto-fonts ];
       xdg.mime.enable = true;

nixos/modules/services/x11/desktop-managers/lxqt.nix

@@ -62,6 +62,8 @@ in
     # Link some extra directories in /run/current-system/software/share
     environment.pathsToLink = [ "/share" ];
 
+    programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt;
+
     # virtual file systems support for PCManFM-QT
     services.gvfs.enable = true;
 

nixos/modules/services/x11/desktop-managers/plasma5.nix

@@ -336,6 +336,7 @@ in
         serif = [ "Noto Serif" ];
       };
 
+      programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt;
       programs.ssh.askPassword = mkDefault "${pkgs.plasma5Packages.ksshaskpass.out}/bin/ksshaskpass";
 
       # Enable helpful DBus services.

nixos/modules/services/x11/desktop-managers/plasma6.nix

@@ -210,6 +210,7 @@ in {
       serif = ["Noto Serif"];
     };
 
+    programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt;
     programs.ssh.askPassword = mkDefault "${kdePackages.ksshaskpass.out}/bin/ksshaskpass";
 
     # Enable helpful DBus services.

nixos/modules/services/x11/desktop-managers/xfce.nix

@@ -131,6 +131,7 @@ in
         xfdesktop
       ] ++ optional cfg.enableScreensaver xfce4-screensaver) excludePackages;
 
+    programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gtk2;
     programs.xfconf.enable = true;
     programs.thunar.enable = true;
 

nixos/modules/services/x11/xserver.nix

@@ -749,6 +749,8 @@ in
     boot.kernel.sysctl."fs.inotify.max_user_instances" = mkDefault 524288;
     boot.kernel.sysctl."fs.inotify.max_user_watches" = mkDefault 524288;
 
+    programs.gnupg.agent.pinentryPackage = lib.mkDefault pkgs.pinentry-gnome3;
+
     systemd.defaultUnit = mkIf cfg.autorun "graphical.target";
 
     systemd.services.display-manager =

nixos/tests/pass-secret-service.nix

@@ -26,7 +26,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
 
       programs.gnupg = {
         agent.enable = true;
-        agent.pinentryFlavor = "tty";
         dirmngr.enable = true;
       };
     };

pkgs/applications/version-management/blackbox/default.nix

@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
     expect
     which
     coreutils
-    pinentry.tty
+    pinentry
     git
     gnutar
     procps

pkgs/by-name/go/goldwarden/package.nix

@@ -4,7 +4,7 @@
 , makeBinaryWrapper
 , libfido2
 , dbus
-, pinentry
+, pinentry-gnome3
 , nix-update-script
 }:
 
@@ -29,7 +29,7 @@ buildGoModule rec {
 
   postInstall = ''
     wrapProgram $out/bin/goldwarden \
-      --suffix PATH : ${lib.makeBinPath [dbus pinentry]}
+      --suffix PATH : ${lib.makeBinPath [dbus pinentry-gnome3]}
 
     install -Dm644 $src/resources/com.quexten.goldwarden.policy -t $out/share/polkit-1/actions
   '';

pkgs/tools/security/pinentry/default.nix

@@ -1,100 +1,120 @@
-{ fetchurl, mkDerivation, fetchpatch, stdenv, lib, pkg-config, autoreconfHook, wrapGAppsHook
+{ stdenv
-, libgpg-error, libassuan, qtbase, wrapQtAppsHook
+, lib
-, ncurses, gtk2, gcr
+, fetchurl
-, withLibsecret ? true, libsecret
+, fetchpatch
-, enabledFlavors ? [ "curses" "tty" "gtk2" "emacs" ]
+, pkg-config
-  ++ lib.optionals stdenv.isLinux [ "gnome3" ]
+, autoreconfHook
-  ++ lib.optionals (!stdenv.isDarwin) [ "qt" ]
+, wrapGAppsHook
+, libgpg-error
+, libassuan
+, libsForQt5
+, ncurses
+, gtk2
+, gcr
+, withLibsecret ? true
+, libsecret
 }:
 
-assert lib.isList enabledFlavors && enabledFlavors != [];
-
 let
-  pinentryMkDerivation =
-    if (builtins.elem "qt" enabledFlavors)
-      then mkDerivation
-      else stdenv.mkDerivation;
-
-  enableFeaturePinentry = f:
-    let
-      flag = flavorInfo.${f}.flag or null;
-    in
-      lib.optionalString (flag != null)
-        (lib.enableFeature (lib.elem f enabledFlavors) ("pinentry-" + flag));
-
   flavorInfo = {
-    curses = { bin = "curses"; flag = "curses"; buildInputs = [ ncurses ]; };
+    tty = { flag = "tty"; };
-    tty = { bin = "tty"; flag = "tty"; };
+    curses = {
-    gtk2 = { bin = "gtk-2"; flag = "gtk2"; buildInputs = [ gtk2 ]; };
+      flag = "curses";
-    gnome3 = { bin = "gnome3"; flag = "gnome3"; buildInputs = [ gcr ]; nativeBuildInputs = [ wrapGAppsHook ]; };
+      buildInputs = [ ncurses ];
-    qt = { bin = "qt"; flag = "qt"; buildInputs = [ qtbase ]; nativeBuildInputs = [ wrapQtAppsHook ]; };
+    };
-    emacs = { bin = "emacs"; flag = "emacs"; buildInputs = []; };
+    gtk2 = {
+      flag = "gtk2";
+      buildInputs = [ gtk2 ];
+    };
+    gnome3 = {
+      flag = "gnome3";
+      buildInputs = [ gcr ];
+      nativeBuildInputs = [ wrapGAppsHook ];
+    };
+    qt = {
+      flag = "qt";
+      buildInputs = [ libsForQt5.qtbase ];
+      nativeBuildInputs = [ libsForQt5.wrapQtAppsHook ];
+    };
+    emacs = { flag = "emacs"; };
   };
 
+  buildPinentry = pinentryExtraPname: buildFlavors:
+    let
+      enableFeaturePinentry = f:
+        lib.enableFeature (lib.elem f buildFlavors) ("pinentry-" + flavorInfo.${f}.flag);
+
+      pinentryMkDerivation =
+        if (lib.elem "qt" buildFlavors)
+        then libsForQt5.mkDerivation
+        else stdenv.mkDerivation;
+
+    in
+    pinentryMkDerivation rec {
+      pname = "pinentry-${pinentryExtraPname}";
+      version = "1.2.1";
+
+      src = fetchurl {
+        url = "mirror://gnupg/pinentry/pinentry-${version}.tar.bz2";
+        hash = "sha256-RXoYXlqFI4+5RalV3GNSq5YtyLSHILYvyfpIx1QKQGc=";
+      };
+
+      nativeBuildInputs = [ pkg-config autoreconfHook ]
+        ++ lib.concatMap (f: flavorInfo.${f}.nativeBuildInputs or [ ]) buildFlavors;
+
+      buildInputs = [ libgpg-error libassuan ]
+        ++ lib.optional withLibsecret libsecret
+        ++ lib.concatMap (f: flavorInfo.${f}.buildInputs or [ ]) buildFlavors;
+
+      dontWrapGApps = true;
+      dontWrapQtApps = true;
+
+      patches = [
+        ./autoconf-ar.patch
+      ] ++ lib.optionals (lib.elem "gtk2" buildFlavors) [
+        (fetchpatch {
+          url = "https://salsa.debian.org/debian/pinentry/raw/debian/1.1.0-1/debian/patches/0007-gtk2-When-X11-input-grabbing-fails-try-again-over-0..patch";
+          sha256 = "15r1axby3fdlzz9wg5zx7miv7gqx2jy4immaw4xmmw5skiifnhfd";
+        })
+      ];
+
+      configureFlags = [
+        "--with-libgpg-error-prefix=${libgpg-error.dev}"
+        "--with-libassuan-prefix=${libassuan.dev}"
+        (lib.enableFeature withLibsecret "libsecret")
+      ] ++ (map enableFeaturePinentry (lib.attrNames flavorInfo));
+
+      postInstall =
+        lib.optionalString (lib.elem "gnome3" buildFlavors) ''
+          wrapGApp $out/bin/pinentry-gnome3
+        '' + lib.optionalString (lib.elem "qt" buildFlavors) ''
+          wrapQtApp $out/bin/pinentry-qt
+        '';
+
+      passthru = { flavors = buildFlavors; };
+
+      meta = with lib; {
+        homepage = "https://gnupg.org/software/pinentry/index.html";
+        description = "GnuPG’s interface to passphrase input";
+        license = licenses.gpl2Plus;
+        platforms =
+          if elem "gnome3" buildFlavors then platforms.linux else
+          if elem "qt" buildFlavors then (remove "aarch64-darwin" platforms.all) else
+          platforms.all;
+        longDescription = ''
+          Pinentry provides a console and (optional) GTK and Qt GUIs allowing users
+          to enter a passphrase when `gpg' or `gpg2' is run and needs it.
+        '';
+        maintainers = with maintainers; [ fpletz ];
+        mainProgram = "pinentry";
+      };
+    };
 in
-
+{
-pinentryMkDerivation rec {
+  pinentry-curses = buildPinentry "curses" [ "curses" "tty" ];
-  pname = "pinentry";
+  pinentry-gtk2 = buildPinentry "gtk2" [ "gtk2" "curses" "tty" ];
-  version = "1.2.1";
+  pinentry-gnome3 = buildPinentry "gnome3" [ "gnome3" "curses" "tty" ];
-
+  pinentry-qt = buildPinentry "qt" [ "qt" "curses" "tty" ];
-  src = fetchurl {
+  pinentry-emacs = buildPinentry "emacs" [ "emacs" "curses" "tty" ];
-    url = "mirror://gnupg/pinentry/${pname}-${version}.tar.bz2";
+  pinentry-all = buildPinentry "all" [ "curses" "tty" "gtk2" "gnome3" "qt" "emacs" ];
-    sha256 = "sha256-RXoYXlqFI4+5RalV3GNSq5YtyLSHILYvyfpIx1QKQGc=";
-  };
-
-  nativeBuildInputs = [ pkg-config autoreconfHook ]
-    ++ lib.concatMap(f: flavorInfo.${f}.nativeBuildInputs or []) enabledFlavors;
-
-  buildInputs = [ libgpg-error libassuan ]
-    ++ lib.optional withLibsecret libsecret
-    ++ lib.concatMap(f: flavorInfo.${f}.buildInputs or []) enabledFlavors;
-
-  dontWrapGApps = true;
-  dontWrapQtApps = true;
-
-  patches = [
-    ./autoconf-ar.patch
-  ] ++ lib.optionals (lib.elem "gtk2" enabledFlavors) [
-    (fetchpatch {
-      url = "https://salsa.debian.org/debian/pinentry/raw/debian/1.1.0-1/debian/patches/0007-gtk2-When-X11-input-grabbing-fails-try-again-over-0..patch";
-      sha256 = "15r1axby3fdlzz9wg5zx7miv7gqx2jy4immaw4xmmw5skiifnhfd";
-    })
-  ];
-
-  configureFlags = [
-    "--with-libgpg-error-prefix=${libgpg-error.dev}"
-    "--with-libassuan-prefix=${libassuan.dev}"
-    (lib.enableFeature withLibsecret "libsecret")
-  ] ++ (map enableFeaturePinentry (lib.attrNames flavorInfo));
-
-  postInstall =
-    lib.concatStrings (lib.flip map enabledFlavors (f:
-      let
-        binary = "pinentry-" + flavorInfo.${f}.bin;
-      in ''
-        moveToOutput bin/${binary} ${placeholder f}
-        ln -sf ${placeholder f}/bin/${binary} ${placeholder f}/bin/pinentry
-      '' + lib.optionalString (f == "gnome3") ''
-        wrapGApp ${placeholder f}/bin/${binary}
-      '' + lib.optionalString (f == "qt") ''
-        wrapQtApp ${placeholder f}/bin/${binary}
-      '')) + ''
-      ln -sf ${placeholder (lib.head enabledFlavors)}/bin/pinentry-${flavorInfo.${lib.head enabledFlavors}.bin} $out/bin/pinentry
-    '';
-
-  outputs = [ "out" ] ++ enabledFlavors;
-
-  passthru = { flavors = enabledFlavors; };
-
-  meta = with lib; {
-    homepage = "http://gnupg.org/aegypten2/";
-    description = "GnuPG’s interface to passphrase input";
-    license = licenses.gpl2Plus;
-    platforms = platforms.all;
-    longDescription = ''
-      Pinentry provides a console and (optional) GTK and Qt GUIs allowing users
-      to enter a passphrase when `gpg' or `gpg2' is run and needs it.
-    '';
-    maintainers = with maintainers; [ ttuegel fpletz ];
-  };
 }

pkgs/top-level/aliases.nix

@@ -902,12 +902,23 @@ mapAliases ({
   timescaledb = postgresqlPackages.timescaledb;
   tsearch_extras = postgresqlPackages.tsearch_extras;
 
+  # pinentry was using multiple outputs, this emulates the old interface for i.e. home-manager
+  # soon: throw "'pinentry' has been removed. Pick an appropriate variant like 'pinentry-curses' or 'pinentry-gnome3'";
+  pinentry = pinentry-all // {
+    curses = pinentry-curses;
+    gtk2 = pinentry-gtk2;
+    gnome2 = pinentry-gnome3;
+    qt = pinentry-qt;
+    emacs = pinentry-emacs;
+    flavors = [ "curses" "gtk2" "gnome2" "qt" "emacs" ];
+  }; # added 2024-01-15
   pinentry_curses = throw "'pinentry_curses' has been renamed to/replaced by 'pinentry-curses'"; # Converted to throw 2023-09-10
   pinentry_emacs = throw "'pinentry_emacs' has been renamed to/replaced by 'pinentry-emacs'"; # Converted to throw 2023-09-10
   pinentry_gnome = throw "'pinentry_gnome' has been renamed to/replaced by 'pinentry-gnome'"; # Converted to throw 2023-09-10
   pinentry_gtk2 = throw "'pinentry_gtk2' has been renamed to/replaced by 'pinentry-gtk2'"; # Converted to throw 2023-09-10
   pinentry_qt = throw "'pinentry_qt' has been renamed to/replaced by 'pinentry-qt'"; # Converted to throw 2023-09-10
   pinentry_qt5 = pinentry-qt; # Added 2020-02-11
+
   PlistCpp = plistcpp; # Added 2024-01-05
   pocket-updater-utility = pupdate; # Added 2024-01-25
   poetry2nix = throw "poetry2nix is now maintained out-of-tree. Please use https://github.com/nix-community/poetry2nix/"; # Added 2023-10-26

pkgs/top-level/all-packages.nix

@@ -11990,13 +11990,13 @@ with pkgs;
 
   piknik = callPackage ../tools/networking/piknik { };
 
-  pinentry = libsForQt5.callPackage ../tools/security/pinentry { };
+  inherit (callPackages ../tools/security/pinentry { })
-
+    pinentry-curses
-  pinentry-curses = (lib.getOutput "curses" pinentry);
+    pinentry-emacs
-  pinentry-emacs = (lib.getOutput "emacs" pinentry);
+    pinentry-gtk2
-  pinentry-gtk2 = (lib.getOutput "gtk2" pinentry);
+    pinentry-gnome3
-  pinentry-qt = (lib.getOutput "qt" pinentry);
+    pinentry-qt
-  pinentry-gnome = (lib.getOutput "gnome3" pinentry);
+    pinentry-all;
 
   pinentry_mac = callPackage ../tools/security/pinentry/mac.nix {
     inherit (darwin.apple_sdk.frameworks) Cocoa;
@@ -30341,7 +30341,9 @@ with pkgs;
 
   bgpq4 = callPackage ../tools/networking/bgpq4 { };
 
-  blackbox = callPackage ../applications/version-management/blackbox { };
+  blackbox = callPackage ../applications/version-management/blackbox {
+    pinentry = pinentry-curses;
+  };
 
   bleachbit = callPackage ../applications/misc/bleachbit { };
 
@@ -41242,7 +41244,9 @@ with pkgs;
 
   linkchecker = callPackage ../tools/networking/linkchecker { };
 
-  tomb = callPackage ../os-specific/linux/tomb { };
+  tomb = callPackage ../os-specific/linux/tomb {
+    pinentry = pinentry-curses;
+  };
 
   sccache = callPackage ../development/tools/misc/sccache { };
 

pkgs/top-level/python-packages.nix

@@ -14972,7 +14972,9 @@ self: super: with self; {
 
   treq = callPackage ../development/python-modules/treq { };
 
-  trezor-agent = callPackage ../development/python-modules/trezor-agent { };
+  trezor-agent = callPackage ../development/python-modules/trezor-agent {
+    pinentry = pkgs.pinentry-curses;
+  };
 
   trezor = callPackage ../development/python-modules/trezor { };