Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Suggest alternatives (use gpg-agent systemd unit) #138

Open
uhthomas opened this issue Feb 1, 2022 · 2 comments
Open

Suggest alternatives (use gpg-agent systemd unit) #138

uhthomas opened this issue Feb 1, 2022 · 2 comments

Comments

@uhthomas
Copy link

uhthomas commented Feb 1, 2022

At the time of writing, keychain has seen no activity in over four years. It might be helpful to suggest alternatives given there is no desire to maintain the project.

I've found that gpg-agent and systemd have not only proven to be a suitable replacement, but also have improved quality of life by reducing shell startup times by 64ms~ (130ms~ at the extreme). There is an excellent article on the Arch Linux wiki which explains how to setup and configure gpg-agent. Most importantly, gpg-agent can emulate ssh-agent.

keychain performance

One of the main reasons for seeking alternatives is the poor performance and consequential large impact keychain imposed on shell startup times.

# -Q for quick (seems slower?)
❯ hyperfine 'keychain -q -Q --noask --agents gpg,ssh 86930F1CE9E00625 id_ed25519'
Benchmark 1: keychain -q -Q --noask --agents gpg,ssh 86930F1CE9E00625 id_ed25519
  Time (mean ± σ):      64.0 ms ±  13.8 ms    [User: 60.3 ms, System: 14.2 ms]
  Range (min … max):    56.3 ms … 126.2 ms    23 runs

  Warning: The first benchmarking run for this command was significantly slower than the rest (126.2 ms). This could be caused by (filesystem) caches that were not filled until after the first run. You should consider using the '--warmup' option to fill those caches before the actual benchmark. Alternatively, use the '--prepare' option to clear the caches before each timing run.
❯ hyperfine 'keychain -q --noask --agents gpg,ssh 86930F1CE9E00625 id_ed25519'
Benchmark 1: keychain -q --noask --agents gpg,ssh 86930F1CE9E00625 id_ed25519
  Time (mean ± σ):      55.6 ms ±   2.5 ms    [User: 49.3 ms, System: 15.9 ms]
  Range (min … max):    50.4 ms …  62.0 ms    45 runs

gpg-agent systemd user unit

Rather than reading the Arch Linux wiki, this should work as a quick-start and tl;dr.

The gpg-agent systemd user units are enabled by default (at least on Arch Linux).

❯ systemctl --user status gpg-agent
● gpg-agent.service - GnuPG cryptographic agent and passphrase cache
     Loaded: loaded (/usr/lib/systemd/user/gpg-agent.service; static)
     Active: active (running) since Tue 2022-02-01 11:54:18 GMT; 11min ago
TriggeredBy: ● gpg-agent.socket
             ● gpg-agent-ssh.socket
             ● gpg-agent-extra.socket
             ● gpg-agent-browser.socket
       Docs: man:gpg-agent(1)
   Main PID: 1708 (gpg-agent)
      Tasks: 1 (limit: 19177)
     Memory: 428.0K
        CPU: 66ms
     CGroup: /user.slice/user-1000.slice/[email protected]/app.slice/gpg-agent.service
             └─1708 /usr/bin/gpg-agent --supervised

Feb 01 11:54:18 matryoshka systemd[459]: Started GnuPG cryptographic agent and passphrase cache.
Feb 01 11:54:18 matryoshka gpg-agent[1708]: gpg-agent (GnuPG) 2.2.32 starting in supervised mode.
Feb 01 11:54:18 matryoshka gpg-agent[1708]: using fd 3 for std socket (/run/user/1000/gnupg/S.gpg-agent)
Feb 01 11:54:18 matryoshka gpg-agent[1708]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 01 11:54:18 matryoshka gpg-agent[1708]: using fd 5 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
Feb 01 11:54:18 matryoshka gpg-agent[1708]: using fd 6 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
Feb 01 11:54:18 matryoshka gpg-agent[1708]: listening on: std=3 extra=5 browser=6 ssh=4

Emulate ssh-agent:

/etc/security/pam_env.conf
SSH_AGENT_PID  DEFAULT=
SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"

Cache passphrases for a really long time:

~/.gnupg/gpg-agent.conf
max-cache-ttl 60480000
default-cache-ttl 60480000

default-cache-ttl-ssh 60480000
max-cache-ttl-ssh 60480000

Restart the gpg-agent systemd user unit to apply changes.

❯ systemctl --user restart gpg-agent

Assuming keys have already been added to gpg-agent, everything should work as expected. This approach doesn't ask for all passphrases upfront, at shell login, but I'm sure it's possible to write something to do this if desired. Personally, I don't want that functionality as it is incompatible with some terminal configurations (i.e zsh4humans).

I hope this is helpful!

@basnijholt
Copy link

This is great, thanks a lot.

Is anyone aware of a solution that would work on MacOS too?

@mrl5
Copy link

mrl5 commented Jul 16, 2022

hello @uhthomas - if you'd like to report a bug kindly use https://bugs.funtoo.org/

you can also reach us on Discord - for more info check https://www.funtoo.org/Welcome

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants