use Apple Keychain to store GPG Passphrases

gpg-agent setup

gpg-agent has to be running before pinentry-mac can do anything. On macOS I use keychain from Homebrew to start it (this is the funtoo Keychain front-end to ssh-agent, not Apple's Keychain; it can manage gpg-agent as well as ssh-agent). With GnuPG 2.1 or later this step is optional, because gpg starts gpg-agent on demand.

$ brew info keychain
keychain: stable 2.8.5
User-friendly front-end to ssh-agent(1)
https://www.funtoo.org/Keychain
/usr/local/Cellar/keychain/2.8.5 (7 files, 108.5KB) *
  Built from source on 2018-10-23 at 14:44:08
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/keychain.rb
==> Analytics
install: 267 (30 days), 841 (90 days), 3,910 (365 days)
install_on_request: 262 (30 days), 817 (90 days), 3,661 (365 days)
build_error: 0 (30 days)

gpg passphrase in keychain

brew install gpg gpg2 pinentry-mac
mkdir -m 0700 ~/.gnupg
echo "pinentry-program $(brew --prefix)/bin/pinentry-mac" | tee ~/.gnupg/gpg-agent.conf
pkill -TERM gpg-agent

(gpg and gpg2 are both Homebrew aliases for the gnupg formula, so listing both is harmless.)

Run the echo line exactly as written: the shell expands $(brew --prefix) to the real Homebrew prefix (/usr/local on Intel Macs, /opt/homebrew on Apple silicon) before tee writes the file, so gpg-agent.conf ends up containing a literal path. gpg-agent does not expand shell syntax itself; pasting the unexpanded text into the file produces "No pinentry" errors at decryption time. Note that tee overwrites any existing gpg-agent.conf, so if you already have settings in there, add the pinentry-program line by hand instead.

Close and reopen shell. gpg-agent is started on demand, so the first gpg call after the pkill picks up the new config.
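An idempotent version of the steps above, added here as an example; it is not the gist author's script. It assumes Homebrew's brew --prefix, the gpgconf and defaults commands present on a macOS install, and the org.gpgtools.pinentry-mac DisableKeychain preference key reported in the comments further down this page. The set_pinentry_program function edits an existing pinentry-program line instead of clobbering the file with tee, and check_pinentry_program rejects the unexpanded "$(brew --prefix)" text that leads to "No pinentry", as well as a path that does not point at an executable.

```shell
#!/bin/sh
# Added example, not the gist author's commands: an idempotent version of the
# setup above. It edits gpg-agent.conf in place instead of overwriting it,
# refuses unexpanded "$(brew --prefix)" text (the mistake discussed in the
# comments on this page), and restarts the agent with gpgconf rather than pkill.
set -eu

# set_pinentry_program CONF PROG
# Replace an existing pinentry-program line in CONF or append one; other
# settings in the file (default-cache-ttl and friends) are left untouched.
set_pinentry_program() {
  conf=$1
  prog=$2
  mkdir -p -m 0700 "$(dirname "$conf")"
  [ -f "$conf" ] || : > "$conf"
  if grep -q '^pinentry-program' "$conf"; then
    # "sed -i" differs between BSD (macOS) and GNU sed, so go via a temp file.
    # The path is inserted verbatim; "|" or "&" in it would need escaping.
    tmp="$conf.tmp.$$"
    sed "s|^pinentry-program.*|pinentry-program $prog|" "$conf" > "$tmp"
    mv "$tmp" "$conf"
  else
    printf 'pinentry-program %s\n' "$prog" >> "$conf"
  fi
  chmod 0600 "$conf"
}

# current_pinentry_program CONF -> prints the configured path, empty if unset.
current_pinentry_program() {
  sed -n 's/^pinentry-program[[:space:]]*//p' "$1" | tail -n 1
}

# check_pinentry_program CONF -> exit 0 only if the configured program is usable.
# gpg-agent does not run a shell over this file, so "$(brew --prefix)" copied in
# literally is a dead path; so is a pinentry binary that was never installed.
check_pinentry_program() {
  prog=$(current_pinentry_program "$1")
  case "$prog" in
    '')            echo "no pinentry-program set in $1" >&2; return 1 ;;
    *'$('*|*'${'*) echo "unexpanded shell text in pinentry-program: $prog" >&2; return 1 ;;
  esac
  [ -x "$prog" ] || { echo "pinentry program is not executable: $prog" >&2; return 1; }
}

# macOS-specific steps (brew, gpgconf, defaults); runs only with RUN_PINENTRY_SETUP=1.
main() {
  prog="$(brew --prefix)/bin/pinentry-mac"
  conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
  set_pinentry_program "$conf" "$prog"
  check_pinentry_program "$conf"
  # Supported way to stop the agent; gpg starts a fresh one on next use.
  gpgconf --kill gpg-agent
  # Per the comments on this page: the "Save in Keychain" checkbox is hidden
  # while this preference is true, so set it explicitly to no.
  defaults write org.gpgtools.pinentry-mac DisableKeychain -bool no
  echo "gpg-agent will use: $(current_pinentry_program "$conf")"
}

if [ "${RUN_PINENTRY_SETUP:-0}" = 1 ]; then
  main
fi
```

Source the file to get the functions, or run it as RUN_PINENTRY_SETUP=1 sh setup-pinentry.sh on the Mac being configured; everything that touches brew, gpgconf or defaults lives in main, so the config-editing and checking functions can be exercised anywhere.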

test gpg passphrase stored in keychain

Assuming you've already created or imported a key, select an identity to test:

$ gpg --list-keys
/Users/kosh/.gnupg/pubring.kbx
------------------------------
pub   rsa4096 2019-06-18 [SC]
      C577EB80271726F2C2B75728BC90B58A3E7FC375
uid           [ultimate] Koshatul <koshatul@users.noreply.github.com>
sub   rsa4096 2019-06-18 [E]

Test (replace koshatul@users.noreply.github.com with the user ID or fingerprint of your own key):

$ echo test | gpg -e -r koshatul@users.noreply.github.com | gpg -d
gpg: encrypted with rsa4096 key, ID 3AF58C6962796950, created 2019-06-18
      "Koshatul <koshatul@users.noreply.github.com>"
test

The first run pops up the pinentry-mac dialog; with "Save in Keychain" ticked, the passphrase is written to your login keychain and later runs decrypt without a prompt. Run the command a second time to confirm no dialog appears. The trade-off is that the passphrase is now only as protected as your login keychain; to go back to being prompted, delete the stored entry in Keychain Access.

peterjirak commented Jan 5, 2022

This worked perfectly! Thank you!

I used the following to test it:

echo "Let's do the time warp again\!" | gpg -e -r peter.jirak@gmail.com | gpg -d


peterjirak commented Jan 5, 2022

I posted a link to your GitHub Gist on my LinkedIn profile: link

koshatul (author) commented Jan 14, 2022

updated to use $(brew --prefix) so it works for both new and old.


estevaoam commented Feb 16, 2022

Thank you, worked perfectly!


toshke commented Mar 25, 2022

The pinentry-mac binary does not work for me; it was installed just as pinentry in $BREW_HOME/bin.

version info

pinentry: stable 1.2.0 (bottled)
Passphrase entry dialog utilizing the Assuan protocol
https://www.gnupg.org/related_software/pinentry/
/Users/nikolatari/brew/brew/Cellar/pinentry/1.2.0 (12 files, 366.5KB) *

koshatul (author) commented Mar 25, 2022

I just had a colleague with the same issue. There is a pinentry-mac in homebrew, which is the macOS-specific version that uses Keychain for passphrase storage and shows a native Cocoa popup window prompt.

I haven't tried pinentry, but it wasn't working for my colleague (it would just stall waiting for the passphrase with no prompt), whereas pinentry-mac worked.

try

brew install pinentry-mac

koshatul (author) commented Mar 25, 2022

pinentry-mac in homebrew

pinentry-mac: stable 1.1.1.1 (bottled), HEAD
Pinentry for GPG on Mac
https://github.com/GPGTools/pinentry
/opt/homebrew/Cellar/pinentry-mac/1.1.1.1 (17 files, 482.7KB) *


toshke commented Mar 25, 2022

@koshatul nice, that worked actually better.


tanuva commented Mar 31, 2022

Either I'm doing it wrong, or using brew --prefix in gpg-agent.conf does not work. I had to put the literal path there; otherwise gpg reports:

gpg: public key decryption failed: No pinentry
gpg: decryption failed: No pinentry

koshatul (author) commented Apr 1, 2022

It might be misleading, but that command was designed to put the correct path in the file for you directly.

If you run

echo "pinentry-program $(brew --prefix)/bin/pinentry-mac"

In your terminal it will return what you need to put in the file.


tanuva commented Apr 1, 2022

Oh, of course. That's what I get for being smart and just copying the echoed line into gpg-agent.conf myself instead of running the command. :)


0x3333 commented Apr 12, 2022

My pinentry-mac doesn't have an option to Save in Keychain. Does anyone have this problem?

koshatul (author) commented Apr 12, 2022

It should look like this, with the "save to keychain" ticked by default.

[Screenshot: Screen Shot 2022-04-12 at 17 08 56]

koshatul (author) commented Apr 12, 2022

> Oh, of course. That's what I get for being smart and just copying the echoed line into gpg-agent.conf myself instead of running the command. :)

The example isn't the greatest anyway, I should use sed and replace it if it exists instead of blindly overwriting the config file.

But this was meant to be for someone who hasn't setup their gpg-agent yet.


0x3333 commented Apr 12, 2022

> It should look like this, with the "save to keychain" ticked by default.
>
> [Screenshot: Screen Shot 2022-04-12 at 17 08 56]

Yeah, I know. But the latest version doesn't show it... I built an old version and it worked, don't know why... will have to investigate.

koshatul (author) commented Apr 12, 2022

@0x3333 did you install from homebrew?


0x3333 commented Apr 12, 2022

Yep. I found out why.

Looks like the problem is a missing key in defaults:

defaults write org.gpgtools.pinentry-mac DisableKeychain -bool no

You must set this to no; otherwise it will be "true" and the option doesn't show, even if you have UseKeychain = yes.

koshatul (author) commented Apr 12, 2022

I never changed that, but good find.


0x3333 commented Apr 12, 2022

Looks like using GPGTools Preference pane sets this entry.


estevaoam commented Apr 15, 2022

By the way, if someone is looking for a simple installation alternative, GPGTools has a simple installer that bundles this nicely: https://gpgtools.org/
