From 644785859ac960c0da64016065a800bf660ffbcf Mon Sep 17 00:00:00 2001 
From: sommerfeld Date: Fri, 17 Apr 2026 14:47:34 +0100 Subject: refactor: revert GNUPGHOME to default ~/.gnupg Drop custom GNUPGHOME=~/.local/share/gnupg which required 6 systemd socket/service overrides with hardcoded directory hashes. GnuPG periodically changes its hash algorithm on updates, silently breaking systemd socket activation and pam-gnupg passphrase presetting. With default GNUPGHOME, stock systemd units work out of the box. - Move gpg.conf, gpg-agent.conf, sshcontrol to home/.gnupg/ - Delete all gpg-agent socket/service/dirmngr override dirs - Remove GNUPGHOME from .zprofile, .pam_environment, pam-gnupg - Remove GNUPGHOME from vdirsyncer and bridge service overrides --- home/.config/pam-gnupg | 1 - .../.config/systemd/user/bridge.service.d/override.conf | 1 - .../.config/systemd/user/dirmngr.socket.d/override.conf | 3 --- .../user/gpg-agent-browser.socket.d/override.conf | 3 --- .../systemd/user/gpg-agent-extra.socket.d/override.conf | 3 --- .../systemd/user/gpg-agent-ssh.socket.d/override.conf | 3 --- .../systemd/user/gpg-agent.service.d/override.conf | 2 -- .../systemd/user/gpg-agent.socket.d/override.conf | 3 --- .../systemd/user/vdirsyncer.service.d/override.conf | 1 - home/.config/zsh/.zprofile | 1 - home/.gnupg/gpg-agent.conf | 8 ++++++++ home/.gnupg/gpg.conf | 11 +++++++++++ home/.gnupg/sshcontrol | 17 +++++++++++++++++ home/.local/share/gnupg/gpg-agent.conf | 8 -------- home/.local/share/gnupg/gpg.conf | 11 ----------- home/.local/share/gnupg/sshcontrol | 17 ----------------- home/.pam_environment | 1 - 17 files changed, 36 insertions(+), 58 deletions(-) delete mode 100644 home/.config/systemd/user/dirmngr.socket.d/override.conf delete mode 100644 home/.config/systemd/user/gpg-agent-browser.socket.d/override.conf delete mode 100644 home/.config/systemd/user/gpg-agent-extra.socket.d/override.conf delete mode 100644 home/.config/systemd/user/gpg-agent-ssh.socket.d/override.conf delete mode 100644 
home/.config/systemd/user/gpg-agent.service.d/override.conf delete mode 100644 home/.config/systemd/user/gpg-agent.socket.d/override.conf create mode 100644 home/.gnupg/gpg-agent.conf create mode 100644 home/.gnupg/gpg.conf create mode 100644 home/.gnupg/sshcontrol delete mode 100644 home/.local/share/gnupg/gpg-agent.conf delete mode 100644 home/.local/share/gnupg/gpg.conf delete mode 100644 home/.local/share/gnupg/sshcontrol
diff --git a/home/.config/pam-gnupg b/home/.config/pam-gnupg
index b6deeb6..9a6c85b 100644
--- a/home/.config/pam-gnupg
+++ b/home/.config/pam-gnupg
@@ -1,4 +1,3 @@
-~/.local/share/gnupg
 5110851E65983C892CC09B51B17F50B3073C3F13
 613F4BBF6E877E8CF55E18C24A429474B2F1A6AD
 91191A4A6E86279A901A7D38A7512EC126518FA5
diff --git a/home/.config/systemd/user/bridge.service.d/override.conf b/home/.config/systemd/user/bridge.service.d/override.conf
index 50c7feb..3938b3c 100644
--- a/home/.config/systemd/user/bridge.service.d/override.conf
+++ b/home/.config/systemd/user/bridge.service.d/override.conf
@@ -1,3 +1,2 @@
 [Service]
-Environment="GNUPGHOME=%h/.local/share/gnupg"
 Environment="PASSWORD_STORE_DIR=%h/.local/share/password-store"
\ No newline at end of file
diff --git a/home/.config/systemd/user/dirmngr.socket.d/override.conf b/home/.config/systemd/user/dirmngr.socket.d/override.conf
deleted file mode 100644
index 95ac960..0000000
--- a/home/.config/systemd/user/dirmngr.socket.d/override.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Socket]
-ListenStream=
-ListenStream=%t/gnupg/d.hmaqciuk8y8ye3gwt9b6eth1/S.dirmngr
\ No newline at end of file
diff --git a/home/.config/systemd/user/gpg-agent-browser.socket.d/override.conf b/home/.config/systemd/user/gpg-agent-browser.socket.d/override.conf
deleted file mode 100644
index 8c8e5c9..0000000
--- a/home/.config/systemd/user/gpg-agent-browser.socket.d/override.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Socket]
-ListenStream=
-ListenStream=%t/gnupg/d.199epr64wmzkrnk8u8qgricf/S.gpg-agent.browser
\ No newline at end of file
diff --git a/home/.config/systemd/user/gpg-agent-extra.socket.d/override.conf b/home/.config/systemd/user/gpg-agent-extra.socket.d/override.conf
deleted file mode 100644
index de8e3cc..0000000
--- a/home/.config/systemd/user/gpg-agent-extra.socket.d/override.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Socket]
-ListenStream=
-ListenStream=%t/gnupg/d.199epr64wmzkrnk8u8qgricf/S.gpg-agent.extra
\ No newline at end of file
diff --git a/home/.config/systemd/user/gpg-agent-ssh.socket.d/override.conf b/home/.config/systemd/user/gpg-agent-ssh.socket.d/override.conf
deleted file mode 100644
index b3934ed..0000000
--- a/home/.config/systemd/user/gpg-agent-ssh.socket.d/override.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Socket]
-ListenStream=
-ListenStream=%t/gnupg/d.199epr64wmzkrnk8u8qgricf/S.gpg-agent.ssh
\ No newline at end of file
diff --git a/home/.config/systemd/user/gpg-agent.service.d/override.conf b/home/.config/systemd/user/gpg-agent.service.d/override.conf
deleted file mode 100644
index 3a220a3..0000000
--- a/home/.config/systemd/user/gpg-agent.service.d/override.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Environment="GNUPGHOME=%h/.local/share/gnupg"
\ No newline at end of file
diff --git a/home/.config/systemd/user/gpg-agent.socket.d/override.conf b/home/.config/systemd/user/gpg-agent.socket.d/override.conf
deleted file mode 100644
index 2794cfc..0000000
--- a/home/.config/systemd/user/gpg-agent.socket.d/override.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Socket]
-ListenStream=
-ListenStream=%t/gnupg/d.199epr64wmzkrnk8u8qgricf/S.gpg-agent
\ No newline at end of file
diff --git a/home/.config/systemd/user/vdirsyncer.service.d/override.conf b/home/.config/systemd/user/vdirsyncer.service.d/override.conf
index 8cca0f8..6bc6060 100644
--- a/home/.config/systemd/user/vdirsyncer.service.d/override.conf
+++ b/home/.config/systemd/user/vdirsyncer.service.d/override.conf
@@ -1,3 +1,2 @@
 [Service]
-Environment="GNUPGHOME=%h/.local/share/gnupg"
 Environment="PASSWORD_STORE_DIR=%h/.local/share/password-store"
diff --git a/home/.config/zsh/.zprofile b/home/.config/zsh/.zprofile
index f02ee06..c1af85d 100644
--- a/home/.config/zsh/.zprofile
+++ b/home/.config/zsh/.zprofile
@@ -39,7 +39,6 @@ export LESS="-F --RAW-CONTROL-CHARS"
 [[ -r /usr/bin/source-highlight-esc.sh ]] && export LESSOPEN="| /usr/bin/source-highlight-esc.sh %s"
 # ── GPG / SSH ─────────────────────────────────────────────────────────────────
-export GNUPGHOME="$XDG_DATA_HOME/gnupg"
 export GPG_TTY=$TTY
 unset SSH_AGENT_PID
 export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
diff --git a/home/.gnupg/gpg-agent.conf b/home/.gnupg/gpg-agent.conf
new file mode 100644
index 0000000..0826efe
--- /dev/null
+++ b/home/.gnupg/gpg-agent.conf
@@ -0,0 +1,8 @@
+max-cache-ttl 60480000
+default-cache-ttl 60480000
+allow-preset-passphrase
+enable-ssh-support
+default-cache-ttl-ssh 60480000
+max-cache-ttl-ssh 60480000
+pinentry-program /usr/bin/pinentry-curses
+allow-loopback-pinentry
diff --git a/home/.gnupg/gpg.conf b/home/.gnupg/gpg.conf
new file mode 100644
index 0000000..e6672bf
--- /dev/null
+++ b/home/.gnupg/gpg.conf
@@ -0,0 +1,11 @@
+personal-digest-preferences SHA512
+cert-digest-algo SHA512
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES
+
+keyserver-options auto-key-retrieve
+
+keyid-format 0xlong
+with-fingerprint
+
+default-key B79D F5F3 7D7F 9B0F 3902 38D5 3298 945F 717C 85F8
diff --git a/home/.gnupg/sshcontrol b/home/.gnupg/sshcontrol
new file mode 100644
index 0000000..9197976
--- /dev/null
+++ b/home/.gnupg/sshcontrol
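Review bot: `max-cache-ttl 60480000` and `default-cache-ttl 60480000` (and the two `-ssh` variants) in the new home/.gnupg/gpg-agent.conf cache a passphrase for 60,480,000 s, which is exactly 700 days, so once pam-gnupg presets it at login the key is never re-prompted for until the agent process exits. Together with `allow-preset-passphrase` this means any process running under this user id can sign, decrypt and SSH-authenticate through the agent socket without interaction for the whole window; the values were carried over unchanged from the deleted copy, but nothing in the file records that this is deliberate. If it is, document it: `# TTLs are intentionally ~700 days: pam-gnupg presets the passphrase at login and the keys must never re-prompt`. If not, a session-bounded value (for example `default-cache-ttl 28800` with a matching `max-cache-ttl`) keeps the unlocked window to a working day.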
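Review bot: `keyserver-options auto-key-retrieve` in the new home/.gnupg/gpg.conf makes gpg ask dirmngr to fetch any unknown signer key from the keyserver during signature verification, so verifying a file becomes a network-visible event and the key arrives in the keyring with no trust decision; the line has no comment saying why that is wanted. Either document it, e.g. `# auto-key-retrieve: unknown signer keys are fetched from the keyserver on every --verify; drop for offline-only verification`, or remove it and import keys explicitly. Separately, `personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES` never lists AES256 (the bare `AES` name is AES-128) while keeping the legacy 64-bit-block ciphers 3DES and CAST5 in the preference lists; placing `AES256` first and dropping 3DES/CAST5 keeps the order consistent with the SHA512-first digest choices above it. The deleted home/.local/share/gnupg/gpg.conf hunk carries the same content and needs no change of its own.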
@@ -0,0 +1,17 @@
+# List of allowed ssh keys. Only keys present in this file are used
+# in the SSH protocol. The ssh-add tool may add new entries to this
+# file to enable them; you may also add them manually. Comment
+# lines, like this one, as well as empty lines are ignored. Lines do
+# have a certain length limit but this is not serious limitation as
+# the format of the entries is fixed and checked by gpg-agent. A
+# non-comment line starts with optional white spaces, followed by the
+# keygrip of the key given as 40 hex digits, optionally followed by a
+# caching TTL in seconds, and another optional field for arbitrary
+# flags. Prepend the keygrip with an '!' mark to disable it.
+
+91191A4A6E86279A901A7D38A7512EC126518FA5
+22747ABA1B4502F186654CD84DC353B0C3BD353F
+9F3FCCA0F99AE1C5D05B834F0E89C79970A7B74A
+5E9259E1EFFFB85520F62A5C31C97033C1DEDBD8
+515584E3A76C03EEA4A563156882938003FBEC90
+E843F385FEEAE6CA2E1B9A67796241FDA5423CA3
diff --git a/home/.local/share/gnupg/gpg-agent.conf b/home/.local/share/gnupg/gpg-agent.conf
deleted file mode 100644
index 0826efe..0000000
--- a/home/.local/share/gnupg/gpg-agent.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-max-cache-ttl 60480000
-default-cache-ttl 60480000
-allow-preset-passphrase
-enable-ssh-support
-default-cache-ttl-ssh 60480000
-max-cache-ttl-ssh 60480000
-pinentry-program /usr/bin/pinentry-curses
-allow-loopback-pinentry
diff --git a/home/.local/share/gnupg/gpg.conf b/home/.local/share/gnupg/gpg.conf
deleted file mode 100644
index e6672bf..0000000
--- a/home/.local/share/gnupg/gpg.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-personal-digest-preferences SHA512
-cert-digest-algo SHA512
-default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
-personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES
-
-keyserver-options auto-key-retrieve
-
-keyid-format 0xlong
-with-fingerprint
-
-default-key B79D F5F3 7D7F 9B0F 3902 38D5 3298 945F 717C 85F8
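Review bot: The six keygrips added to home/.gnupg/sshcontrol are bare 40-hex lines with no TTL and no comment, so the file does not say which SSH key each entry authorizes or why, even though the header it ships with states that `#` comment lines are ignored. A one-line comment above each keygrip, e.g. `# <which key / host this is, and when it was added>`, would make the allow-list auditable and make it obvious which line to prefix with `!` when a key is retired. Note that `91191A4A6E86279A901A7D38A7512EC126518FA5` also appears in home/.config/pam-gnupg, so that SSH key is presumably unlocked by pam-gnupg at login rather than on first use; that is worth recording next to the entry as well.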
diff --git a/home/.local/share/gnupg/sshcontrol b/home/.local/share/gnupg/sshcontrol
deleted file mode 100644
index 9197976..0000000
--- a/home/.local/share/gnupg/sshcontrol
+++ /dev/null
@@ -1,17 +0,0 @@
-# List of allowed ssh keys. Only keys present in this file are used
-# in the SSH protocol. The ssh-add tool may add new entries to this
-# file to enable them; you may also add them manually. Comment
-# lines, like this one, as well as empty lines are ignored. Lines do
-# have a certain length limit but this is not serious limitation as
-# the format of the entries is fixed and checked by gpg-agent. A
-# non-comment line starts with optional white spaces, followed by the
-# keygrip of the key given as 40 hex digits, optionally followed by a
-# caching TTL in seconds, and another optional field for arbitrary
-# flags. Prepend the keygrip with an '!' mark to disable it.
-
-91191A4A6E86279A901A7D38A7512EC126518FA5
-22747ABA1B4502F186654CD84DC353B0C3BD353F
-9F3FCCA0F99AE1C5D05B834F0E89C79970A7B74A
-5E9259E1EFFFB85520F62A5C31C97033C1DEDBD8
-515584E3A76C03EEA4A563156882938003FBEC90
-E843F385FEEAE6CA2E1B9A67796241FDA5423CA3
diff --git a/home/.pam_environment b/home/.pam_environment
index 806faf7..febcf8d 100644
--- a/home/.pam_environment
+++ b/home/.pam_environment
@@ -1,2 +1 @@
-GNUPGHOME DEFAULT=@{HOME}/.local/share/gnupg
 XDG_CONFIG_HOME DEFAULT=@{HOME}/.config
-- cgit v1.2.3-70-g09d2