diff --git a/common/flatpak-context-private.h b/common/flatpak-context-private.h
index 099b6275..d9a79777 100644
--- a/common/flatpak-context-private.h
+++ b/common/flatpak-context-private.h
@@ -49,6 +49,7 @@ typedef enum {
FLATPAK_CONTEXT_SOCKET_SSH_AUTH = 1 << 6,
FLATPAK_CONTEXT_SOCKET_PCSC = 1 << 7,
FLATPAK_CONTEXT_SOCKET_CUPS = 1 << 8,
+ FLATPAK_CONTEXT_SOCKET_GPG_AGENT = 1 << 9,
} FlatpakContextSockets;
typedef enum {
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 17f4d6c5..e0f52892 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -61,6 +61,7 @@ const char *flatpak_context_sockets[] = {
"ssh-auth",
"pcsc",
"cups",
+ "gpg-agent",
NULL
};
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 62bc21e9..523c5b31 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -601,6 +601,46 @@ flatpak_run_add_cups_args (FlatpakBwrap *bwrap)
NULL);
}
+static void
+flatpak_run_add_gpg_agent_args (FlatpakBwrap *bwrap)
+{
+ const char * agent_socket;
+ g_autofree char * sandbox_agent_socket = NULL;
+ g_autoptr(GError) gpgconf_error = NULL;
+ g_autoptr(GSubprocess) process = NULL;
+ g_autoptr(GInputStream) base_stream = NULL;
+ g_autoptr(GDataInputStream) data_stream = NULL;
+
+ process = g_subprocess_new (G_SUBPROCESS_FLAGS_STDOUT_PIPE,
+ &gpgconf_error,
+ "gpgconf", "--list-dir", "agent-socket", NULL);
+
+ if (gpgconf_error)
+ {
+ g_debug ("GPG-Agent directories: %s", gpgconf_error->message);
+ return;
+ }
+
+ base_stream = g_subprocess_get_stdout_pipe (process);
+ data_stream = g_data_input_stream_new (base_stream);
+
+ agent_socket = g_data_input_stream_read_line (data_stream,
+ NULL, NULL,
+ &gpgconf_error);
+
+ if (!agent_socket || gpgconf_error)
+ {
+ g_debug ("GPG-Agent directories: %s", gpgconf_error->message);
+ return;
+ }
+
+ sandbox_agent_socket = g_strdup_printf ("/run/user/%d/gnupg/S.gpg-agent", getuid ());
+
+ flatpak_bwrap_add_args (bwrap,
+ "--ro-bind-try", agent_socket, sandbox_agent_socket,
+ NULL);
+}
+
/* Try to find a default server from a pulseaudio confguration file */
static char *
flatpak_run_get_pulseaudio_server_user_config (const char *path)
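Review bot: In the new flatpak_run_add_gpg_agent_args, the failure branch after g_data_input_stream_read_line() dereferences `gpgconf_error->message` even when no error is set, which is the documented result when gpgconf prints nothing (NULL line, no GError), so an empty gpgconf output would crash `flatpak run` instead of skipping the socket. Two ownership problems sit next to it: `base_stream` is declared `g_autoptr(GInputStream)` although g_subprocess_get_stdout_pipe() returns a borrowed reference, so the cleanup drops a reference the GSubprocess still owns, and `agent_socket` is `const char *` although read_line() returns an allocated string, so it leaks. The printed path is also bound into the sandbox without checking gpgconf's exit status; a g_subprocess_wait_check() after the read would cover that (not shown in the fence). The fence gives only the changed declarations and the reworked NULL check.

```c
static void
flatpak_run_add_gpg_agent_args (FlatpakBwrap *bwrap)
{
  g_autofree char *agent_socket = NULL;  /* read_line() hands ownership to the caller */
  GInputStream *base_stream;             /* borrowed from the GSubprocess, must not be unreffed */
  /* … unchanged: sandbox_agent_socket, gpgconf_error, process, data_stream declarations … */

  /* … unchanged: g_subprocess_new call, its error check, stream setup, read_line call … */

  if (agent_socket == NULL)
    {
      /* EOF without output leaves gpgconf_error unset */
      g_debug ("GPG-Agent directories: %s",
               gpgconf_error ? gpgconf_error->message
                             : "gpgconf printed no agent-socket path");
      return;
    }

  /* … unchanged: sandbox_agent_socket formatting and flatpak_bwrap_add_args call … */
```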
@@ -1783,6 +1823,11 @@ flatpak_run_add_environment_args (FlatpakBwrap *bwrap,
flatpak_run_add_cups_args (bwrap);
}
+ if (context->sockets & FLATPAK_CONTEXT_SOCKET_GPG_AGENT)
+ {
+ flatpak_run_add_gpg_agent_args (bwrap);
+ }
+
flatpak_run_add_session_dbus_args (bwrap, proxy_arg_bwrap, context, flags, app_id);
flatpak_run_add_system_dbus_args (bwrap, proxy_arg_bwrap, context, flags);
flatpak_run_add_a11y_dbus_args (bwrap, proxy_arg_bwrap, context, flags);
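Review bot: The branch that calls flatpak_run_add_gpg_agent_args carries no comment on what this permission hands to the app, and it is a stronger grant than its neighbours. The socket bound in the earlier hunk is the main agent socket, so a sandboxed app can ask the agent to sign or decrypt with the user's private keys, and `--ro-bind-try` does not limit that because a read-only bind mount still permits connect() on a Unix socket. A comment above the `if` would make this visible, e.g. `/* gpg-agent: the app can request sign/decrypt operations with the user's keys; the read-only bind does not restrict the socket */`. It may also be worth considering whether gpgconf's restricted `agent-extra-socket` is a better fit than `agent-socket`; the diff does not settle that design question. The enclosing flatpak_run_add_environment_args starts and ends outside the hunk.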
diff --git a/doc/flatpak-build-finish.xml b/doc/flatpak-build-finish.xml
index 81a72452..fa5c9ff0 100644
--- a/doc/flatpak-build-finish.xml
+++ b/doc/flatpak-build-finish.xml
@@ -134,7 +134,7 @@
Expose a well-known socket to the application. This updates
the [Context] group in the metadata.
SOCKET must be one of: x11, wayland, fallback-x11, pulseaudio, system-bus, session-bus,
- ssh-auth, pcsc, cups.
+ ssh-auth, pcsc, cups, gpg-agent.
This option can be used multiple times.
The fallback-x11 option makes the X11 socket available only if
@@ -151,7 +151,7 @@
Don't expose a well known socket to the application. This updates
the [Context] group in the metadata.
SOCKET must be one of: x11, wayland, fallback-x11, pulseaudio, system-bus, session-bus,
- ssh-auth, pcsc, cups.
+ ssh-auth, pcsc, cups, gpg-agent.
This option can be used multiple times.
diff --git a/doc/flatpak-build.xml b/doc/flatpak-build.xml
index a48e2acd..d1157667 100644
--- a/doc/flatpak-build.xml
+++ b/doc/flatpak-build.xml
@@ -149,7 +149,7 @@
Expose a well-known socket to the application. This overrides to
the Context section from the application metadata.
SOCKET must be one of: x11, wayland, fallback-x11, pulseaudio, system-bus, session-bus,
- ssh-auth, pcsc, cups.
+ ssh-auth, pcsc, cups, gpg-agent.
This option can be used multiple times.
@@ -161,7 +161,7 @@
Don't expose a well-known socket to the application. This overrides to
the Context section from the application metadata.
SOCKET must be one of: x11, wayland, fallback-x11, pulseaudio, system-bus, session-bus,
- ssh-auth, pcsc, cups.
+ ssh-auth, pcsc, cups, gpg-agent.
This option can be used multiple times.
diff --git a/doc/flatpak-override.xml b/doc/flatpak-override.xml
index 8a2e2ee5..bdd9d974 100644
--- a/doc/flatpak-override.xml
+++ b/doc/flatpak-override.xml
@@ -134,7 +134,7 @@
Expose a well-known socket to the application. This overrides to
the Context section from the application metadata.
SOCKET must be one of: x11, wayland, fallback-x11, pulseaudio, system-bus, session-bus,
- ssh-auth, pcsc, cups.
+ ssh-auth, pcsc, cups, gpg-agent.
This option can be used multiple times.
@@ -146,7 +146,7 @@
Don't expose a well-known socket to the application. This overrides to
the Context section from the application metadata.
SOCKET must be one of: x11, wayland, fallback-x11, pulseaudio, system-bus, session-bus,
- ssh-auth, pcsc, cups.
+ ssh-auth, pcsc, cups, gpg-agent.
This option can be used multiple times.
diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml
index 56582ebf..e1aa5e1c 100644
--- a/doc/flatpak-run.xml
+++ b/doc/flatpak-run.xml
@@ -299,7 +299,7 @@
Expose a well known socket to the application. This overrides to
the Context section from the application metadata.
SOCKET must be one of: x11, wayland, fallback-x11, pulseaudio, system-bus, session-bus,
- ssh-auth, pcsc, cups.
+ ssh-auth, pcsc, cups, gpg-agent.
This option can be used multiple times.
@@ -311,7 +311,7 @@
Don't expose a well known socket to the application. This overrides to
the Context section from the application metadata.
SOCKET must be one of: x11, wayland, fallback-x11, pulseaudio, system-bus, session-bus,
- ssh-auth, pcsc, cups.
+ ssh-auth, pcsc, cups, gpg-agent.
This option can be used multiple times.