Page MenuHome GnuPG
Create Task
Maniphest T6991

Adding XDG Base Directory paths as *fallbacks* over the existing ~/.gnupg paths
Open, LowPublic
Actions

Description

Hello. Prior to this post, I attempted to start this discussion on the gnupg-devel mailing list, however it seems like both of my attempts at sending to those list failed. Hence, I would like to make this into a feature request on the issuer tracker instead.

I'm aware that the issue of following the XDG Base Directory Specification has been brought up multiple times before and turned down consistently, however, I would like to suggest a compromise that doesn't sacrifice the existing ~/.gnupg convention. I'd even be happy to contribute this myself as a patch or a pull request wherever necessary.

In the event that $GNUPGHOME isn't set, and any files such as configs are not present in their usual ~/.gnupg location, let GnuPG also search the relevant XDGBDS paths to see if those files exist there. If they do, load them as normal, but if they don't, continue to prioritise and even create ~/.gnupg to retain backwards compatibility and users' existing expectations. Not too long ago, this approach ended up being taken into consideration by the developer of Bash, which was also historically opposed for many years to adding support for the XDGBDS until this compromise and the prioritisation of legacy paths was brought forward.

The main reason why I ask for this is because it is somewhat annoying having to mix (potentially version-controlled) configuration files in the same directory as private keys and keyring data, which has to be kept secret at all times. Hence, it would be nice for things such as gpg-agent to also search for a config at $XDG_CONFIG_HOME/gnupg/gpg-agent.conf just in case the default ~/.gnupg/gpg-agent.conf or $GNUPGHOME/gpg-agent.conf aren't found.

Kind regards.

Event Timeline

90 created this task.Feb 11 2024, 7:45 PM
gniibe triaged this task as Low priority.Feb 15 2024, 3:40 AM
gniibe added a subscriber: gniibe.

It's true that under $GNUPGHOME (~/.gnupg/), there are multiple things: configuration files, user-specific data files (private keys, public keys, the trust database, and revocation certificates), user-specific state files (like the lock files and random seed), possibly runtime sockets, and executable/script for card reader. Some careful handling might be needed for making backup and doing version control for that.

Since those things in ~/.gnupg/ is a kind of established standard (and it's not only for POSIX system), we don't have any plan to adopt this kind of Feature Request. Sorry.

If we want to put configuration files under $XDG_CONFIG_HOME/gnupg/, possible workaround is use of symbolic links or overlay filesystem. A user with intention could do that.

Possible drawback of adding fallback is: introducing complexity to application and support/testing will be harder.

gniibe added projects: gnupg, Support.Feb 15 2024, 3:41 AM
90 added a comment.Feb 15 2024, 5:36 PM

Funnily enough, runtime sockets already adhere to the XDGBDS somewhat by using $XDG_RUNTIME_DIR/gnupg as their path, while everything else uses strictly $GNUPGHOME or ~/.gnupg with no other alternative. Of course, I completely understand that the priority for this is rather low, but I am still happy to look into providing a patch myself that would add these fallbacks if it would help expedite the whole process.

werner added a subscriber: werner.Feb 15 2024, 5:44 PM

That is simply because your XDG_RUNTIME is set to the same directory gnupg uses. See gnupg/common/homedir.c:_gnupg_socketdir_internal

thesamesam added a subscriber: thesamesam.Feb 15 2024, 10:47 PM
90 added a comment.Feb 19 2024, 11:28 AM

Since there are some files that would simply have to be created each time under $GNUPGHOME, I've been thinking a bit more about what sort of approach to take for "fallbacks."

What might work better in order to cover everything is an opt-in environment variable, say, $GNUPG_USE_XDG, that tells GnuPG to forego ~/.gnupg entirely in favour of XDG-compliant paths for different kinds of files. By default, of course, this should be equivalent to 0 such that GnuPG continues to use the existing expected paths.

Does that sound good? I'm happy to work on it in my own time as an external contribution.