`age-plugin-yubikey` support

[nekowinston]

Hi there!

Thanks for this project, I'm trying to add support for the rage YubiKey plugin.

What I've tried so far:

home.nix configuration:

{
  homeage = {
    pkg = pkgs.rage;
    identityPaths = [ "${config.home.homeDirectory}/yubikey.txt" ];
    installationType = "activation";
    file."test" = {
      source = ./data.age;
      symlinks = [ "${config.xdg.configHome}/secret" ];
    };
  };
  # ...other config
}

Create the secret data & create ~/yubikey.txt:

echo "foobar" | rage -i ~/yubikey.txt -e > ~/.config/nixpkgs/data.age
age-plugin-yubikey -i > ~/yubikey.txt

Changes to homeage itself:

diff --git a/homeage/default.nix b/homeage/default.nix
index 45b2ea8..df9130a 100644
--- a/homeage/default.nix
+++ b/homeage/default.nix
@@ -37,7 +37,16 @@ with lib; let
   }: let
     linksCmds = createFiles "ln -sf" path symlinks;
     copiesCmds = createFiles "cp -f" path copies;
+    yubikeyPlugin = pkgs.age-plugin-yubikey + "/bin";
+    pinentry = pkgs.pinentry-gtk2 + "/bin";
+    identity = builtins.head cfg.identityPaths;
   in ''
+    PATH="${yubikeyPlugin}:${pinentry}:$PATH"
+    echo "GETTING IDENTITY FILE CONTENT:"
+    cat ${identity}
+    echo "IDENTITIES PROVIDED: ${identities}"
+    echo "YUBIKEYS CONNECTED:"
+    age-plugin-yubikey -l
     echo "Decrypting secret ${source} to ${path}"
     TMP_FILE="${path}.tmp"
     $DRY_RUN_CMD mkdir $VERBOSE_ARG -p $(dirname ${path})

I added in pinentry-gtk2 after finding str4d/rage#280 and assuming that home.activation is unable to open pinentry-curses.

I'm logging the identity file content, identities provided, and yubikeys connected really only as sanity checks, which produces an output like this:

---

On an unrelated note, on macOS I'm getting an error mounting the secret tmpfs:
Edit: just learned about homeage.mount, my bad.

[andrewhamon]

I'm running into trouble here as well. Ive been trying this config:

{
  homeage = {
    # Wrap rage so that it can discover age-plugin-yubikey
    pkg = pkgs.writeShellApplication {
      name = "rage";
      runtimeInputs = [ pkgs.age-plugin-yubikey ];
      text = ''
        ${pkgs.rage}/bin/rage "$@"
      '';
    };
    identityPaths = [ "${../../secrets/keychain-yubikey-identity.txt}" ];
    installationType = "activation";
    # ... other config
  };
}

The Activating homeageDecryptCheck succeed, and I am prompted for my pin and tap my yubikey. But then during Activating homeageDecrypt rage fails instantly, without even asking for my pin, with Error: No matching keys found. Here is the relevant output:

Activating homeageDecryptCheck
Enter PIN for YubiKey with serial 23597600:
Enter PIN for YubiKey with serial 23597600:
Activating writeBoundary
Activating copyFonts
Activating homeageCleanup
[homeage] Cleaning up decrypted secret: /Users/andrewhamon/.config/secrets/buildkite_api_key
[homeage] Not removing secret file /Users/andrewhamon/.config/secrets/buildkite_api_key because does not exist.
[homeage] Cleaning up decrypted secret: /Users/andrewhamon/.config/secrets/jupyter_token
[homeage] Not removing secret file /Users/andrewhamon/.config/secrets/jupyter_token because does not exist.
[homeage] Finished cleanup of secrets.
Activating homeageDecrypt
Decrypting secret /nix/store/xn2cqjdznsd6gf2adwram15fkyhfph3i-buildkite_api_key.age to /Users/andrewhamon/.config/secrets/buildkite_api_key
Error: No matching keys found

[ Did rage not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/rage/report                            ]

[nekowinston]

FWIW I moved my secret management to Sops-Nix which doesn't have problems with the YubiKey, I can keep using OpenPGP, and it recently got support for HM as well.

I'll leave the issue open, but it's unlikely I'll be able to offer more input.

[andrewhamon]

and it recently got support for HM as well.

@nekowinston did you get it working on macOS? Looking at the docs it only mentions user-level systemd rather than an activation script.

[nekowinston]

@andrewhamon yes, it uses a launchd script on macOS instead, my config for it is pretty basic: https://github.com/nekowinston/dotfiles/blob/c8403e6b102e75d94ab99705b726cc42814e18fb/home/secrets/sops.nix

[andrewhamon]

Sadly sops doesn't seem to work with age-plugin-yubikey either. I am hoping to avoid gpg since its seems unnecessarily complex compared to age. sops-nix also seems a decent bit more complex that agenix (which I am using for my nixos hosts)

I tried some debugging by logging the args passed to rage in my wrapper script, but that didn't yield anything significant.

The next step the I can think of would be to use a modified age/age with detailed debugging logs there.

That feels like a fair bit more effort than simply writing my own activation script and invoking that manually, though, so I'll probably do that.

[MartinLoeper]

Using the system-wide ragenix instead of the user-scoped homeage works for me with age-plugin-yubikey:

{ pkgs, ragenix, ... }:

let
  ageWithYubikeyPlugin = pkgs.runCommand "age-wrapper" { buildInputs = [ pkgs.makeWrapper ]; } ''
    mkdir -p $out/bin
    makeWrapper ${pkgs.rage}/bin/rage $out/bin/rage \
      --set PATH ${pkgs.age-plugin-yubikey}/bin \
      --set PINENTRY_PROGRAM ${pkgs.pinentry-curses}/bin/pinentry-curses
  '';
in
{
  environment.systemPackages = [
    pkgs.rage
    pkgs.age-plugin-yubikey
    ragenix.packages.x86_64-linux.default
  ];

  age.secrets.test-secret.file = "/etc/nixos/secret1.age";
  age.identityPaths = [ "/etc/nixos/identities/age-yubikey-identity-d4162ec5.txt" ];
  age.ageBin = "${ageWithYubikeyPlugin}/bin/rage";
}