| 9 Jan 2026 |
|  Ivy joined the room. | 05:49:09 |
 alexfmpe | huh what gives?
$ uname -a
Darwin MacBookPro.Home 24.6.0 Darwin Kernel Version 24.6.0: Mon Jul 14 11:30:29 PDT 2025; root:xnu-11417.140.69~1/RELEASE_ARM64_T6000 arm64
$ nix-shell -p hello --run 'uname -a'
Darwin MacBookPro.Home 24.6.0 Darwin Kernel Version 24.6.0: Mon Jul 14 11:30:29 PDT 2025; root:xnu-11417.140.69~1/RELEASE_ARM64_T6000 arm64 arm Darwin
| 15:38:30 |
| alexfmpe | my outer shell is zsh, the nix-shell is bash, but calling bash directly doesn't add whatever that suffix is, so it doesn't look like a shell thing | 15:39:31 |
| alexfmpe | this divergence also doesn't show up on my nixos | 15:39:49 |
| alexfmpe | so maybe it's a nix+mac or nix-darwin thing? | 15:40:01 |
| Ivy | discovered a catastrophic bug in gpg-agent for macos on home-manager | 16:10:52 |
| Ivy | gpg-agent has a core problem that goes upstream and means that gpg-agent fundamentally doesnt work on darwin in supervised mode adn the launchd agent is useless | 16:11:28 |
 Katalin 🔪 | perhaps MacGPG has patches for this or at least a workaround? that’s what I use and gpg-agent runs automatically there | 16:16:37 |
| Ivy | one part of it is having a wrapper to get the sockets
// Simple wrapper to activate launchd sockets
// and set them up in the same way systemd would
// so that we can use gpg-agent in --supervised mode
#include <errno.h>
#include <err.h>
#include <unistd.h>
#include <launch.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
int get_launchd_socket(const char *sockName)
{
// Get our sockets from launchd
int *fds = NULL;
size_t count = 0;
errno = launch_activate_socket(sockName, &fds, &count);
if (errno != 0 || fds == NULL || count < 1)
{
warn("Error getting socket FD from launchd");
return 0;
}
if (count != 1)
{
warnx("Expected one FD from launchd, got %zu. Only using first socket.", count);
}
// Unset FD_CLOEXEC bit
fcntl(fds[0], F_SETFD, fcntl(fds[0], F_GETFD, 0) & ~FD_CLOEXEC);
if (fds)
{
free(fds);
}
return 1;
}
int main(int argc, char **argv)
{
// List of sockets we're going to check for
const char *sockets[] = {
"ssh",
"browser",
"extra",
"std"};
int fds = 0;
char *fdsString = NULL;
char *fdNames = NULL;
char *tmpfdNames = NULL;
// Activate the sockets and count and store names
for (int i = 0; i < sizeof(sockets) / sizeof(sockets[0]); i++)
{
if (get_launchd_socket(sockets[i]))
{
fds++;
asprintf(&fdNames, (tmpfdNames == NULL ? "%s%s" : "%s:%s"), (tmpfdNames == NULL ? "" : tmpfdNames), sockets[i]);
if (tmpfdNames)
{
free(tmpfdNames);
}
tmpfdNames = fdNames;
}
}
// Set the ENV var for our PID
char *pidString = NULL;
asprintf(&pidString, "%ld", (long)getpid());
setenv("LISTEN_PID", pidString, 0);
free(pidString);
// Set the number of FDs we've opened
asprintf(&fdsString, "%d", fds);
setenv("LISTEN_FDS", fdsString, 0);
free(fdsString);
// And their names
setenv("LISTEN_FDNAMES", (fdNames == NULL ? "" : fdNames), 0);
free(fdNames);
// Launch the command we were passed
++argv;
if (*argv)
{
execvp(*argv, argv);
err(1, "Error executing command");
}
else
{
errx(1, "No command specified");
}
}
| 16:16:37 |
| Ivy | perhaps it does | 16:16:46 |
| Ivy | it does not | 16:17:12 |
| Ivy | https://github.com/search?q=repo%3AGPGTools%2FMacGPG2%20launch_activate_socket&type=code | 16:17:16 |
| Ivy | this function needs to be called to get the sockets | 16:17:26 |
| Ivy | because otherwise it cant get the sockets from launchd | 16:18:07 |
| Katalin 🔪 | right, they have a launch agent for killing gpg-agent when the user logs out instead | 16:19:08 |
| Katalin 🔪 | I wonder how they set it up | 16:19:15 |
| Ivy | still doesnt properly manage the sockets tho | 16:19:35 |
| Ivy | utterly a hack | 16:19:40 |
| Katalin 🔪 | mhm | 16:19:50 |
| Ivy | additionally this does nothing https://github.com/nix-community/home-manager/blob/0e4217b2c4827e71e2e612accccb01981c16afda/modules/services/gpg-agent.nix#L451-L453 | 16:21:03 |
| Ivy | as the names are far not what gpg actually wants | 16:21:20 |
| Ivy | nor does it know how to get them | 16:21:27 |
| Ivy | the only way to get them is through launch_activate_socket | 16:21:42 |
| Ivy | they could be used as the names but then there would have to be major translation to the real names | 16:22:20 |
| Ivy | which have to be "ssh", "extra", "browser" and always finally "std" | 16:22:37 |
| Ivy | this commit which added that literally seems to be untested https://github.com/nix-community/home-manager/commit/ef506124579ff6280a43a9596bb2a5049872bf8e as it will not work | 16:24:04 |
| Ivy | additionally, patching this is hard as it shouldnt actually be used the gpgConf we need to wrap gpg-agent | 16:26:19 |
| Ivy | i personally have it working but it required a lot of changes | 16:27:49 |
| Ivy | including this https://github.com/auscyber/dotfiles/blob/e69c5ae454167f21dbaca7eace8e50e69d5d3454/overlays/literal.nix#L33C1-L39C4 https://github.com/auscyber/dotfiles/blob/master/packages/gpg/default.nix | 16:28:35 |
| Ivy | * additionally, patching this is hard as it shouldnt actually be used the gpgPkg we need to wrap gpg-agent | 16:32:41 |
