Kyber support through gnupg 2.5.14 (post-quantum resistancy)

[FabrizioRomanoGenovese]

So I am a nix noob but with some AI help I wrote this little module for my nixos config:

{ pkgs, ... }:

let
  # --- VERSIONS ---
  versions = {
    gnupg        = "2.5.14";
    libgcrypt    = "1.11.2";
    libassuan    = "3.0.2"; 
    libksba      = "1.6.7";
    libgpg-error = "1.58"; 
    npth         = "1.8";
  };

  # --- HELPER ---
  fetchGnuPG = pname: version: hash: pkgs.fetchurl {
    url = "mirror://gnupg/${pname}/${pname}-${version}.tar.bz2";
    sha256 = hash;
  };

  # --- OVERRIDES ---
  # 1. libgpg-error (Base dependency)
  gpgErrorCustom = pkgs.libgpg-error.overrideAttrs (old: {
    version = versions.libgpg-error;
    src = fetchGnuPG "libgpg-error" versions.libgpg-error "09qc4vhhra0ifv9c7x2z4aij9kmfxxwva92iis9vva1hm2lswhzr";
  });

  # 2. libgcrypt (Depends on custom gpg-error)
  gcryptCustom = (pkgs.libgcrypt.override { 
    libgpg-error = gpgErrorCustom; 
  }).overrideAttrs (old: {
    version = versions.libgcrypt;
    src = fetchGnuPG "libgcrypt" versions.libgcrypt "1b0a6ca5h8sbnp206bdh1wgvrkaxv43imd6x48fqq3i7jb8rv9bb";
  });

  # 3. libassuan (Depends on custom gpg-error)
  assuanCustom = (pkgs.libassuan.override { 
    libgpg-error = gpgErrorCustom; 
  }).overrideAttrs (old: {
    version = versions.libassuan;
    src = fetchGnuPG "libassuan" versions.libassuan "1xin9h3vhx94j5w9p7xi3csmw1a6yfif2w4r1x8k7rk6sbd1r4yj";
  });

  # 4. libksba (Depends on custom gpg-error)
  ksbaCustom = (pkgs.libksba.override { 
    libgpg-error = gpgErrorCustom; 
  }).overrideAttrs (old: {
    version = versions.libksba;
    src = fetchGnuPG "libksba" versions.libksba "0qxpmadxggx5808326i9g4ya0xrnv14mfxpg7rlvckmviq5m2wng";
  });

  # 5. npth
  npthCustom = pkgs.npth.overrideAttrs (old: {
    version = versions.npth;
    src = fetchGnuPG "npth" versions.npth "0gnaj176jjfi6ldrq1l1sx7ym0z7kjx8ms96bdp5s1m34d7lpllb";
  });

  # --- MAIN PACKAGE ---
  # We first override the dependencies, THEN override the attributes (src/version)
  gnupg25 = (pkgs.gnupg.override {
    libgpg-error = gpgErrorCustom;
    libgcrypt = gcryptCustom;
    libassuan = assuanCustom;
    libksba = ksbaCustom;
    npth = npthCustom;
    guiSupport = true; 
  }).overrideAttrs (old: {
    pname = "gnupg";
    version = versions.gnupg;
    src = fetchGnuPG "gnupg" versions.gnupg "0426443yka5w8a2vnbqf2xcngf02ppravxz3nmw91k514pk259i5";
    patches = [];     # 1. Remove 2.4-specific patches that break the build
    doCheck = false;  # 2. Disable tests (often fail on dev branches)
  });

in
{
  # This tells NixOS to install our custom package
  environment.systemPackages = [ gnupg25 ];
}

What it does is it compiles the new bleeding edge version of gpg, which supports Kyber for encryption. I named the artifact gnupg25 to avoid having to recompile A LOT of stuff (nix wanted to download more than 12GB of data, a tad too much for me).

Anyways, I am able to create Kyber keys from terminal, to successfully use them in .sops.yaml, and to call sops secrets.yaml to see my secrets decrypted. Unfortunately tho, I do not seem able to tell sops-nix to use gnupg25 as its gpg version. It may just be my nix noobness, but in any case any help here would be appreciated. Again, "pure" sops has zero problems with bleeding edge gpg, so I guess I'm either missing something or encountering some trivial compatibility issue.

[SuperSandro2000]

Could be this reference

sops-nix/modules/sops/default.nix

Line 445 in 443a7f2

lib.mkDefault "${pkgs.gnupg}/bin/gpg"

[FabrizioRomanoGenovese]

It would be useful to have a sops.gnupg.package option to solve this I guess. I'm trying by wrapping sops-nix atm but it doesn't seem to work :( Specifically, I'm doing more or less as follows:

{ pkgs, lib, ... }: 
let
  # Create a custom 'sops' executable that knows exactly where to find your GPG
  sopsWithCustomGpg = pkgs.symlinkJoin {
    name = "sops-custom-gpg";
    paths = [ pkgs.sops-install-secrets pkgs.sops ];
    buildInputs = [ pkgs.makeWrapper ];
    postBuild = ''
      # Wrap sops-install-secrets (used at boot)
      wrapProgram $out/bin/sops-install-secrets \
        --prefix PATH : "${pkgs.gnupg25}/bin" \
        --set GPG_TTY "/dev/console" \
        --set GNUPGHOME "/root/.gnupg"

      # Wrap sops (used in shell)
      wrapProgram $out/bin/sops \
        --prefix PATH : "${pkgs.gnupg25}/bin"
    '';
  };
in
{
  environment.systemPackages = with pkgs; [ sopsWithCustomGpg ];

  programs.gnupg = {
    package = pkgs.gnupg25;
    agent = {
      enable = true;
      enableSSHSupport = true;
    };
  };

  sops = {
    package = sopsWithCustomGpg;
    defaultSopsFile   = ./secrets.yaml;
    defaultSopsFormat = "yaml";
    gnupg = {
      home = "/root/.gnupg/";
      sshKeyPaths = [];
    };
    secrets.hello = { };
  };

}

Still, decryption of secrets.hello fails. I admit I'm way out of my depth here so probably I'm failing for very stupid reasons!

[FabrizioRomanoGenovese]

Yay! I edited the source code and made it work! I'm using Kyber with sops-nix (this is very important as if you never used sops-nix before, you can now and you'll be protected against store now/decrypt later).

If it's useful, I opened a PR here:
#876