macos support

.gitignore

@@ -26,6 +26,9 @@ waybar/.config/waybar-crypto/config.ini
 waybar/.local/share/fonts/TTF/*
 waybar/.config/waybar/theme.css
 xdg/.config/mimeapps.list
+hyprland/.config/hypr/themes/colors.conf
+.DS_Store
+gpg/.gnupg/gpg-agent.conf
 !bat/.config/bat/themes/.gitkeep
 !continue/.continue/config.json
 !corectrl/.config/corectrl/profiles/.gitkeep
@@ -46,4 +49,3 @@ xdg/.config/mimeapps.list
 !vscodium/.vscode-oss/argv.json
 !waybar/.config/waybar/modules/crypto/.gitkeep
 !waybar/.local/share/fonts/TTF/.gitkeep
-hyprland/.config/hypr/themes/colors.conf

data/gpg/gpg-agent.conf

@@ -0,0 +1,4 @@
+enable-ssh-support
+ttyname $GPG_TTY
+default-cache-ttl 60
+max-cache-ttl 120

git/.gitconfig

@@ -1,6 +1,5 @@
 [core]
 	pager = delta
-	askpass = wayprompt-ssh-askpass
 
 [interactive]
 	diffFilter = delta --color-only --features=interactive
@@ -100,9 +99,6 @@
 [credential]
 	helper = cache timeout=14400
 
-[gpg]
-	program = /usr/bin/gpg2
-
 [init]
 	defaultBranch = main
 

gpg/.gnupg/gpg.conf

@@ -1,9 +1,5 @@
 # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Options.html
 # 'gpg --version' to get capabilities
-
-# Default key ID to use (helpful with throw-keyids)
-default-key 0x2B7340DB13C85766
-trusted-key 0x2B7340DB13C85766
 # Use AES256, 192, or 128 as cipher
 personal-cipher-preferences AES256 AES192 AES
 # Use SHA512, 384, or 256 as digest
@@ -45,5 +41,27 @@ armor
 use-agent
 # Disable recipient key ID in messages (breaks Mailvelope)
 throw-keyids
+# Default key ID to use (helpful with throw-keyids)
+default-key 0x2B7340DB13C85766
+trusted-key 0x2B7340DB13C85766
+# Group recipient keys (preferred ID last)
+#group keygroup = 0xFF00000000000003 0xFF00000000000002 0xFF00000000000001
+# Keyserver URL
+#keyserver hkps://keys.openpgp.org
+#keyserver hkps://keys.mailvelope.com
+#keyserver hkps://keyserver.ubuntu.com:443
+#keyserver hkps://pgpkeys.eu
+#keyserver hkps://pgp.circl.lu
+#keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
+# Keyserver proxy
+#keyserver-options http-proxy=http://127.0.0.1:8118
+#keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
+# Enable key retrieval using WKD and DANE
+#auto-key-locate wkd,dane,local
+#auto-key-retrieve
 # Trust delegation mechanism
 trust-model tofu+pgp
+# Show expired subkeys
+#list-options show-unusable-subkeys
+# Verbose output
+#verbose

gpg/.gnupg/scdaemon.conf

@@ -1,4 +1 @@
 disable-ccid
-pcsc-driver /usr/lib/libpcsclite.so
-card-timeout 5
-reader-port Yubico Yubikey

gpg/.local/bin/pinentry-auto

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -Ceu
+
+_exists() {
+    type "$1" > /dev/null 2>&1
+}
+
+if [ -n "${DISPLAY-}" ]; then
+    _exists pinentry-dmenu && pe=$(which pinentry-dmenu)
+    _exists pinentry-wayprompt && pe=$(which pinentry-wayprompt)
+else
+    _exists pinentry-tty && pe=$(which pinentry-tty)
+    _exists pinentry-curses && pe=$(which pinentry-curses)
+    _exists pinentry-mac && pe=$(which pinentry-mac)
+fi
+
+case "${PINENTRY_USER_DATA-}" in
+    *USE_TTY=1*) pe=$(which pinentry-tty);;
+    *USE_CURSES=1*) pe=$(which pinentry-curses) ;;
+esac
+
+exec $pe "$@"

macos/Library/LaunchAgents/gnupg.gpg-agent-symlink.plist

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ProperyList-1.0/dtd">
+<plist version="1.0">
+    <dict>
+        <key>Label</key>
+        <string>gnupg.gpg-agent-symlink</string>
+        <key>ProgramArguments</key>
+        <array>
+            <string>/bin/sh</string>
+            <string>-c</string>
+            <string>/bin/ln -sf $HOME/.gnupg/S.gpg-agent.ssh $SSH_AUTH_SOCK</string>
+        </array>
+        <key>RunAtLoad</key>
+        <true />
+    </dict>
+</plist>

macos/Library/LaunchAgents/gnupg.gpg-agent.plist

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>Label</key>
+        <string>gnupg.gpg-agent</string>
+        <key>RunAtLoad</key>
+        <true />
+        <key>KeepAlive</key>
+        <false />
+        <key>ProgramArguments</key>
+        <array>
+            <string>/usr/local/MacGPG2/bin/gpg-connect-agent</string>
+            <string>/bye</string>
+        </array>
+    </dict>
+</plist>

setup-macos.sh

@@ -0,0 +1,175 @@
+#!/usr/bin/env bash
+
+gpg_primary_key=0x2B7340DB13C85766
+gpg_encryption_subkey=0x79C70BBE4865D828
+
+base_path=$PWD
+data_path="$base_path"/data
+
+declare -a brew_pkgs=(
+    bat
+    gnupg
+    go
+    helix
+    neovim
+    pinentry-mac
+    python
+    rust
+    stow
+    wget
+    ykman
+    yubikey-personalization
+)
+
+brew update || {
+    echo "failed to update homebrew"
+}
+
+brew install "${brew_pkgs[@]}" || {
+    echo "failed to install brew packages"
+}
+
+git submodule update --init --remote --progress omz/.oh-my-zsh/themes/powerlevel10k || {
+    echo "failed to update git submodules"
+    exit 1
+}
+
+git submodule foreach --recursive git clean -xfd || {
+    echo "failed to clean git submodules"
+    exit 1
+}
+
+git submodule foreach --recursive git reset --hard || {
+    echo "failed to reset git submodules"
+    exit 1
+}
+
+echo "Setting up GPG/SSH"
+gpg --list-keys >/dev/null
+
+declare -a mk_dirs=(
+    ~/.cargo
+    ~/.cargo
+    ~/.config
+    ~/.continue
+    ~/.local/bin
+    ~/.ssh
+)
+
+for mk_dir in "${mk_dirs[@]}"; do
+    mkdir -p "${mk_dir}"
+done
+
+declare -a conflict_paths=(
+    ~/.bashrc
+    ~/.continue/config.json
+    ~/.gnupg/common.conf
+    ~/.zshenv
+    ~/.zshrc
+)
+
+rm_if_not_stowed() {
+    if [[ -L "${1}" ]]; then
+        local symlink_path
+        symlink_path=$(readlink -f "${1}")
+        if [[ $symlink_path == *"${base_path}"* ]]; then
+            return 0
+        fi
+    fi
+
+    rm -rfv "${1}"
+}
+
+echo "Checking for files/directories that will conflict with stow"
+for conflict_path in "${conflict_paths[@]}"; do
+    rm_if_not_stowed "${conflict_path}"
+done
+
+echo "Appending custom pinentry script to gpg-agent.conf"
+# GNUPG is ridiculous and only allows env-vars in some of the options here, so we have to do this the convoluted way with a line append
+cp -v "$data_path"/gpg/gpg-agent.conf "$base_path"/gpg/.gnupg/gpg-agent.conf || {
+    echo "failed to copy gpg-agent.conf from data dir"
+    exit 1
+}
+echo "pinentry-program $HOME/.local/bin/pinentry-auto" | tee -a "$HOME"/.gnupg/gpg-agent.conf
+
+stow_config() {
+    stow -v "$1" || {
+        echo "Failed to stow ${1} config"
+        exit 1
+    }
+}
+
+declare -a stow_dirs_setup=(
+    bash
+    git
+    gpg
+    stow
+    zsh
+)
+
+echo "Stowing setup configs"
+for stow_dir in "${stow_dirs_setup[@]}"; do
+    stow_config "$stow_dir"
+done
+
+rsync --progress -ruacv -- macos/* "$HOME"/ || {
+    echo "failed to rsync macos config"
+    return 1
+}
+
+declare -a launch_agents=(
+    "$HOME"/Library/LaunchAgents/gnupg.gpg-agent.plist
+    "$HOME"/Library/LaunchAgents/gnupg.gpg-agent-symlink.plist
+)
+
+for launch_agent_dir in "${launch_agents[@]}"; do
+    launchctl unload "$launch_agent_dir"
+    launchctl load "$launch_agent_dir" || {
+        echo "failed to load $launch_agent_dir"
+        exit 1
+    }
+    echo "Loaded $launch_agent_dir"
+done
+
+# If our primary GPG key is not yet imported, import it
+if [[ ! $(gpg --list-keys "$gpg_primary_key") ]]; then
+    gpg --import "$data_path"/gpg/2B7340DB13C85766.asc || {
+        echo "failed to import GPG pubkey"
+        exit 1
+    }
+
+    gpg --tofu-policy good "$gpg_primary_key" || {
+        echo "failed to set gpg tofu policy"
+        exit 1
+    }
+fi
+
+echo "Decrypting data"
+declare -a decrypt_data_paths_tuples=(
+    "${data_path}/ssh/config.asc.gpg ${base_path}/ssh/.ssh/config"
+)
+
+for decrypt_data_paths_tuple in "${decrypt_data_paths_tuples[@]}"; do
+    read -ra decrypt_data_paths <<<"$decrypt_data_paths_tuple"
+    if [[ -f "${decrypt_data_paths[0]}" ]]; then
+        gpg --quiet --no-verbose --local-user "${gpg_encryption_subkey}" --armor --decrypt --yes --output "${decrypt_data_paths[1]}" "${decrypt_data_paths[0]}"  >/dev/null || {
+            echo "failed to decrypt file ${decrypt_data_paths[0]} to ${decrypt_data_paths[1]}"
+            exit 1
+        }
+    fi
+done
+
+declare -a stow_dirs_general=(
+    bat
+    continue
+    helix
+    nvim
+    rust
+    ssh
+)
+
+echo "Stowing general configs"
+for stow_dir in "${stow_dirs_general[@]}"; do
+    stow_config "$stow_dir"
+done

setup_all.sh → setup.sh

@@ -462,7 +462,7 @@ systemd_user_enable_start /usr/lib/systemd/user/gpg-agent.service
 
 gpg_ssh_agent
 
-# If our primary GPG key is not yet imported, do that and
+# If our primary GPG key is not yet imported, import it
 if [[ ! $(gpg --list-keys "$gpg_primary_key") ]]; then
     gpg --import "$data_path"/gpg/2B7340DB13C85766.asc || {
         echo "failed to import GPG pubkey"