Commit 0da3c8013024

Vincent Demeester <vincent@sbr.pm>
2026-02-12 10:31:59
fix: suppressed SSH askpass popup for git signing
Replaced system SSH_ASKPASS with a silent wrapper that auto-confirms FIDO2 touch prompts (exit 0) while falling back to GTK askpass for PIN/passphrase prompts. The ssh-agent spawns SSH_ASKPASS from its own environment, so the fix must be at the system level, not in ssh-keygen.
1 parent 90ad570
Changed files (1)
systems/common/hardware/yubikey.nix
@@ -50,12 +50,23 @@
 
   programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;
 
-  # SSH agent with FIDO2 PIN prompt support
-  # Uses NixOS's startAgent which properly sets SSH_ASKPASS in the agent's environment
+  # SSH agent with FIDO2 support
+  # Uses NixOS's startAgent which sets SSH_ASKPASS in the agent's environment.
+  # The silent askpass auto-confirms "Confirm user presence" prompts (yubikey-touch-detector
+  # already shows a desktop notification), while falling back to GTK for PIN/passphrase prompts.
   programs.ssh = {
     startAgent = true;
     enableAskPassword = true;
-    askPassword = "${pkgs.openssh-askpass}/libexec/gtk-ssh-askpass";
+    askPassword = "${
+      pkgs.writeShellScript "ssh-askpass-silent" ''
+        case "$1" in
+          *PIN*|*passphrase*|*password*)
+            exec ${pkgs.openssh-askpass}/libexec/gtk-ssh-askpass "$@"
+            ;;
+        esac
+        exit 0
+      ''
+    }";
   };
 
   # Disable GNOME's gcr-ssh-agent (conflicts with programs.ssh.startAgent)
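Review bot: The `exit 0` after `esac` makes the wrapper fail open, because every prompt that does not contain `PIN`, `passphrase` or `password` is answered with success and no dialog. That goes beyond the "Confirm user presence" notification named in the comment. It would appear to include ssh-agent's per-use confirmation for keys loaded with `ssh-add -c`, which treats an empty successful reply as approval. The match is also case-sensitive, so a prompt spelled `Password` or `Passphrase` would be silently skipped. I would invert the logic so only the known notification is silenced, e.g. `*"Confirm user presence"*) exit 0 ;;` (or a check on `SSH_ASKPASS_PROMPT` being `none`), and end the script with `exec ${pkgs.openssh-askpass}/libexec/gtk-ssh-askpass "$@"` for everything else. The attribute set that contains `programs.ssh` begins outside this hunk.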