Replace gnome-keyring ssh-agent by gcr and implement NixOS module

[nezia1]

This PR effectively deprecates gnome-keyring, in favor of gcr, that has been deprecated since version 1.46.0. A new option has been added under services.gnome.gcr-ssh-agent.enable in order to set it up. Fixes #140824

• gcr_4 has been updated to build with the ssh agent
• gnome-keyring has been updated to completely remove the now deprecated ssh component
• An option has been added, under services.gnome.gcr-ssh-agent.enable, which effectively sets up systemd services and SSH_AUTH_SOCK

Since this PR adds a GNOME module, I also want to make sure the GNOME team approves of it.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[nezia1]

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 379731

---

x86_64-linux

⏩ 4 packages marked as broken and skipped:

• chatty
• mailnagWithPlugins
• mailnagWithPlugins.dist
• xmonad_log_applet

⏩ 2 packages blacklisted:

• nixos-install-tools
• tests.nixos-functions.nixos-test

✅ 193 packages built:

• adapta-gtk-theme
• almanah
• ayatana-indicator-datetime
• ayatana-indicator-session
• beyond-identity
• bitwarden-desktop
• bubblemail
• bubblemail.dist
• budgie-analogue-clock-applet
• budgie-control-center
• budgie-control-center.debug
• budgie-desktop
• budgie-desktop-with-plugins
• budgie-desktop.dev
• budgie-desktop.man
• budgie-gsettings-overrides
• budgie-session
• budgie-session.debug
• budgie-session.man
• budgie-user-indicator-redux
• calls
• calls.devdoc
• cheese
• cheese.devdoc
• cheese.man
• cinnamon-common
• cinnamon-control-center
• cinnamon-gsettings-overrides
• cinnamon-screensaver
• devtoolbox
• endeavour
• eolie
• epiphany
• evolution
• evolution-data-server
• evolution-data-server-gtk4
• evolution-data-server-gtk4.dev
• evolution-data-server.dev
• evolution-ews
• evolutionWithPlugins
• firewalld-gui
• folks
• folks.dev
• folks.devdoc
• gcr_4
• gcr_4.bin
• gcr_4.dev
• gcr_4.devdoc
• geary
• gfbgraph
• gfbgraph.dev
• gfbgraph.devdoc
• github-desktop
• gnome-applets
• gnome-browser-connector
• gnome-calendar
• gnome-contacts
• gnome-control-center
• gnome-control-center.debug
• gnome-disk-utility
• gnome-flashback
• gnome-initial-setup
• gnome-keyring
• gnome-keyring.dev
• gnome-music
• gnome-notes
• gnome-online-accounts
• gnome-online-accounts-gtk
• gnome-online-accounts.debug
• gnome-online-accounts.dev
• gnome-online-accounts.devdoc
• gnome-online-accounts.man
• gnome-panel
• gnome-panel-with-modules
• gnome-panel.dev
• gnome-panel.man
• gnome-photos
• gnome-photos.installedTests
• gnome-recipes
• gnome-session
• gnome-session.debug
• gnome-session.sessions
• gnome-settings-daemon
• gnome-settings-daemon46 (pantheon.gnome-settings-daemon)
• gnome-shell
• gnome-shell.debug
• gnome-shell.devdoc
• gnome-tweaks
• gnome.gvfs
• gnome.gvfs.debug
• gnome.nixos-gsettings-overrides
• gnomeExtensions.easyScreenCast
• gnomeExtensions.gsconnect
• gnomeExtensions.gsconnect.installedTests
• gpaste
• grilo-plugins
• htb-toolkit
• keeweb
• libgdata
• libgdata.dev
• libgdata.installedTests
• libmsgraph
• libmsgraph.dev
• libmsgraph.devdoc
• libnma
• libnma-gtk4
• libnma-gtk4.dev
• libnma-gtk4.devdoc
• libnma.dev
• libnma.devdoc
• libzapojit
• libzapojit.dev
• lomiri.lomiri
• lomiri.lomiri-history-service
• lomiri.lomiri-history-service.dev
• lomiri.lomiri-session
• lomiri.lomiri-system-settings
• lomiri.lomiri-system-settings-unwrapped
• lomiri.lomiri-system-settings-unwrapped.dev
• lomiri.lomiri-telephony-service
• magpie
• magpie.debug
• magpie.dev
• magpie.devdoc
• matrix-gtk-theme
• mojave-gtk-theme
• monitor
• mutter
• mutter.debug
• mutter.dev
• mutter.devdoc
• mutter.man
• mutter46 (pantheon.mutter)
• mutter46.debug (pantheon.mutter.debug)
• mutter46.dev (pantheon.mutter.dev)
• mutter46.devdoc (pantheon.mutter.devdoc)
• mutter46.man (pantheon.mutter.man)
• networkmanager-fortisslvpn
• networkmanager-iodine
• networkmanager-l2tp
• networkmanager-openconnect
• networkmanager-openvpn
• networkmanager-sstp
• networkmanager-vpnc
• networkmanager_strongswan
• networkmanagerapplet
• networkmanagerapplet.man
• pantheon.elementary-calendar
• pantheon.elementary-capnet-assist
• pantheon.elementary-greeter
• pantheon.elementary-gsettings-schemas
• pantheon.elementary-mail
• pantheon.elementary-onboarding
• pantheon.elementary-session-settings
• pantheon.elementary-shortcut-overlay
• pantheon.elementary-tasks
• pantheon.epiphany
• pantheon.gala
• pantheon.switchboard-plug-bluetooth
• pantheon.switchboard-plug-keyboard
• pantheon.switchboard-plug-mouse-touchpad
• pantheon.switchboard-plug-network
• pantheon.switchboard-plug-onlineaccounts
• pantheon.switchboard-plug-pantheon-shell
• pantheon.switchboard-plug-power
• pantheon.switchboard-plug-security-privacy
• pantheon.switchboard-with-plugs
• pantheon.wingpanel
• pantheon.wingpanel-applications-menu
• pantheon.wingpanel-indicator-a11y
• pantheon.wingpanel-indicator-bluetooth
• pantheon.wingpanel-indicator-datetime
• pantheon.wingpanel-indicator-keyboard
• pantheon.wingpanel-indicator-network
• pantheon.wingpanel-indicator-nightlight
• pantheon.wingpanel-indicator-notifications
• pantheon.wingpanel-indicator-power
• pantheon.wingpanel-indicator-sound
• pantheon.wingpanel-quick-settings
• pantheon.wingpanel-with-indicators
• phoc
• phosh
• phosh-mobile-settings
• planify
• skypeforlinux
• streamcontroller
• tokyonight-gtk-theme
• totem
• valent
• vimix-gtk-themes
• wingpanel-indicator-ayatana
• wingpanel-indicator-namarupa
• xdg-desktop-portal-gtk

[jtojnar]

Thanks, looks mostly good, did not yet test.

[jtojnar]

I would expect this to be handled by gcr-ssh-agent.socket.

[nezia1]

I have been told that ExecStartPost=-/usr/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gcr/ssh might not set it for the rest of the session in most non-gnome setups, but I might be wrong. This is why I did it like this. I'd be welcome to remove if it does though

[jtojnar]

I would expect it to work in other DEs as well, as long as the default.target (which gcr-ssh-agent.service is WantedBy) is executed before the session.

Or does #81138 apply? (I do not recall, it might have only been an issue for system services.)

Either way, the reason including examples of affected DEs should be documented in a comment.

[nezia1]

I can test this on my machine and see what happens if I remove the extraInit part. I'll let you know how it goes. I'm also on Hyprland so this can additionally be tested with a non-GNOME environment

[nezia1]

Nevermind. I did test my current PR with simply commenting the extraInit part , and the variable does get set correctly in Hyprland on login

[jtojnar]

However, after tests with another other DE/session manager (Cosmic), it did not seem to work because Cosmic's session manager does not pull environment variables from systemd. So we do need that extraInit line.

That sounds to me like a bug in Cosmic packaging then.

[nezia1]

Well, desktop environment/session managers don't have to source these, so I think it would make sense if we at least added a condition for it. To be fair, they don't have to source /etc/profile either, so that's why I think having both makes sense here.

It would allow for full coverage, even if the display manager or DE is not implementing one or the other.

EDIT: Unless this is also a freedesktop I'm unfamiliar with (having to pull systemd user variables), in which case it would make sense to only keep the "ExecStartPost".

[jtojnar]

There should be no need for any sourcing – systemd should start default.target, which should start this service and then the DE, the latter should, as a child process, automatically inherit the environment.

If some DE needs this hack, it should go to its module. But preferably, we should find out what is wrong in its activation sequence and fix that.

[lilyinstarlight]

That sounds to me like a bug in Cosmic packaging then.

This does not have to do with COSMIC or COSMIC packaging. COSMIC actually does import systemd user manager env specifically to solve issues like this (iirc similarly to KDE Plasma) and using the standard COSMIC launcher does not exhibit any issue when SSH_AUTH_SOCK is set in the systemd user manager but not in the wider user session

systemd should start default.target, which should start this service and then the DE, the latter should, as a child process, automatically inherit the environment

Most compositors/DEs do not run as systemd units (though some launch applications, for example a terminal emulator, via systemd units -- that is not universal though)

we should find out what is wrong in its activation sequence and fix that

As far as I can tell, there is nothing wrong with the activation sequence. The environment.extraInit is just applying the variable to the entire user session instead of just to spawned processes of systemd user manager

Is ensuring the user session as a whole has the variable set (in parallel to the .socket unit setting it in the user manager) causing issues?

[nezia1]

I would also like to point out that, having tested running Hyprland without the use of a systemd wrapper (and having my session variables set in environment.d), all of the variables set there were empty in my terminal emulator (spawned with the compositor itself).

I don't think we can ensure that this will be set on every DE, and even less more barebones compositors, considering most of them don't spawn applications using systemd. This is where the /etc/profile variable sourcing would come in handy, and allow for full coverage of environments that do not import user environment.

[jtojnar]

Also, systemd.user.sockets.gcr-ssh-agent.wantedBy = [ "sockets.target" ] was missing in the original service definition. I'll add it too

Why is that needed? Reading https://www.freedesktop.org/software/systemd/man/latest/systemd.special.html#sockets.target, I do not think it applies:

• It cannot start after boot since it is a user service.
• It cannot rely on socket activation because by the time something could do it, we would already need to have a session the something could run in, and then it would be too late for the environment to be updated. That’s why the service is WantedBy=default.target, I believe.

[nezia1]

That does make sense. I'll remove it, I have just seen it on other socket services, but I did not read the freedesktop documentation for it.

[lilyinstarlight]

It cannot start after boot since it is a user service.

This code is setting the socket to be enabled for the user manager by default, it has nothing to do with boot

It cannot rely on socket activation because by the time something could do it, we would already need to have a session the something could run in, and then it would be too late for the environment to be updated.

It relies on socket activation just fine. If you only enable the service and not the socket, then you don't get environment updating at all since that is only done as an ExecStartPost on the .socket unit (though I have seen noise upstream about stopping setting it from systemd units by default and use some other mechanism)