@koshatul
Last active April 18, 2024 23:33
use Apple Keychain to store GPG Passphrases

gpg-agent setup

You need to set up gpg-agent first; on OSX I use keychain (it also handles ssh-agent).

$ brew info keychain
keychain: stable 2.8.5
User-friendly front-end to ssh-agent(1)
https://www.funtoo.org/Keychain
/usr/local/Cellar/keychain/2.8.5 (7 files, 108.5KB) *
  Built from source on 2018-10-23 at 14:44:08
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/keychain.rb
==> Analytics
install: 267 (30 days), 841 (90 days), 3,910 (365 days)
install_on_request: 262 (30 days), 817 (90 days), 3,661 (365 days)
build_error: 0 (30 days)

gpg passphrase in keychain

brew install gpg gpg2 pinentry-mac
mkdir -m 0700 ~/.gnupg
echo "pinentry-program $(brew --prefix)/bin/pinentry-mac" | tee ~/.gnupg/gpg-agent.conf
pkill -TERM gpg-agent

Close and reopen shell.
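A version of the config step above that edits gpg-agent.conf in place instead of overwriting it (the sed approach mentioned in the comments), added here as an example rather than taken from the gist; the function names `set_pinentry`, `current_pinentry` and `reload_agent` are chosen for this example, and the config path and pinentry binary are passed in as arguments so it can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example (not the gist author's script): set pinentry-program in
# gpg-agent.conf idempotently, then reload the agent.

# set_pinentry CONF_FILE PINENTRY_BINARY
# Replaces an existing pinentry-program line or appends one; returns 1 if
# the binary is missing, which is what produces "No pinentry" in gpg.
set_pinentry() {
    conf="$1"
    pinentry="$2"
    if [ ! -x "$pinentry" ]; then
        echo "set_pinentry: $pinentry is not an executable file" >&2
        return 1
    fi
    mkdir -p "$(dirname "$conf")"
    chmod 0700 "$(dirname "$conf")"   # gpg warns on a group/world-accessible ~/.gnupg
    if [ -f "$conf" ] && grep -q '^pinentry-program ' "$conf"; then
        # sed -i differs between BSD (macOS) and GNU sed; a temp file works on both
        sed "s|^pinentry-program .*|pinentry-program $pinentry|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        echo "pinentry-program $pinentry" >> "$conf"
    fi
    chmod 0600 "$conf"
}

# current_pinentry CONF_FILE: prints the configured pinentry path (empty if none)
current_pinentry() {
    [ -f "$1" ] && sed -n 's/^pinentry-program //p' "$1"
}

# reload_agent: ask the running agent to re-read its config (alternative to pkill -TERM gpg-agent)
reload_agent() {
    command -v gpgconf >/dev/null 2>&1 && gpgconf --reload gpg-agent
}

# Real usage on macOS, only when invoked as: sh this-script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    set_pinentry "$HOME/.gnupg/gpg-agent.conf" "$(brew --prefix)/bin/pinentry-mac" && reload_agent
fi
```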

test gpg passphrase stored in keychain

Assuming you've already created or imported a key, select an identity to test:

$ gpg --list-keys
/Users/kosh/.gnupg/pubring.kbx
------------------------------
pub   rsa4096 2019-06-18 [SC]
      C577EB80271726F2C2B75728BC90B58A3E7FC375
uid           [ultimate] Koshatul <koshatul@users.noreply.github.com>
sub   rsa4096 2019-06-18 [E]

Test (replace koshatul@users.noreply.github.com with the identity of your certificate):

$ echo test | gpg -e -r koshatul@users.noreply.github.com | gpg -d
gpg: encrypted with rsa4096 key, ID 3AF58C6962796950, created 2019-06-18
      "Koshatul <koshatul@users.noreply.github.com>"
test
@estevaoam

Thank you, worked perfectly!

@toshke

toshke commented Mar 25, 2022

pinentry-mac binary does not work for me, it was installed just as pinentry in $BREW_HOME/bin

version info

pinentry: stable 1.2.0 (bottled)
Passphrase entry dialog utilizing the Assuan protocol
https://www.gnupg.org/related_software/pinentry/
/Users/nikolatari/brew/brew/Cellar/pinentry/1.2.0 (12 files, 366.5KB) *

@koshatul
Author

I just had a colleague with the same issue, there is a pinentry-mac in homebrew which is the macOS specific version that uses keychain for passphrase storage and uses a native cocoa popup window prompt.

I haven't tried pinentry, but it wasn't working for my colleague (it would just stall waiting for the passphrase but no prompting), but pinentry-mac worked.

try

brew install pinentry-mac

@koshatul
Author

pinentry-mac in homebrew

pinentry-mac: stable 1.1.1.1 (bottled), HEAD
Pinentry for GPG on Mac
https://github.com/GPGTools/pinentry
/opt/homebrew/Cellar/pinentry-mac/1.1.1.1 (17 files, 482.7KB) *

@toshke

toshke commented Mar 25, 2022

@koshatul nice, that worked actually better.

@tanuva

tanuva commented Mar 31, 2022

Either I'm doing it wrong or using brew --prefix in gpg-agent.conf does not work. I had to put the literal path there, otherwise gpg will note:

gpg: public key decryption failed: No pinentry
gpg: decryption failed: No pinentry

@koshatul
Author

koshatul commented Apr 1, 2022

It might be misleading but that command was designed to put the correct path in the file for you directly.

If you run

echo "pinentry-program $(brew --prefix)/bin/pinentry-mac"

in your terminal, it will return what you need to put in the file.

@tanuva

tanuva commented Apr 1, 2022

Oh, of course. That's what I get for being smart and just copying the echo'd line into gpg-agent.conf myself instead of running the command. :)

@0x3333

0x3333 commented Apr 12, 2022

My pinentry-mac doesn't have an option to Save in Keychain. Does anyone have this problem?

@koshatul
Author

It should look like this, with the "save to keychain" ticked by default.

[Screenshot: Screen Shot 2022-04-12 at 17 08 56]

@koshatul
Author

Oh, of course. That's what I get for being smart and just copying the echo'd line into gpg-agent.conf myself instead of running the command. :)

The example isn't the greatest anyway, I should use sed and replace it if it exists instead of blindly overwriting the config file.

But this was meant to be for someone who hasn't setup their gpg-agent yet.

@0x3333

0x3333 commented Apr 12, 2022

It should look like this, with the "save to keychain" ticked by default.

[Screenshot: Screen Shot 2022-04-12 at 17 08 56]

Yeah I know. But the latest version doesn't show... I built an old version and it worked, don't know why... will have to investigate.

@koshatul
Author

@0x3333 did you install from homebrew ?

@0x3333

0x3333 commented Apr 12, 2022

Yep. I found out why.

Looks like the problem is a missing key in defaults:

defaults write org.gpgtools.pinentry-mac DisableKeychain -bool no

You must set this to no, otherwise, it will be "true" and doesn't show, even if you have UseKeychain = yes.

@koshatul
Author

I never changed that, but good find.

@0x3333

0x3333 commented Apr 12, 2022

Looks like using GPGTools Preference pane sets this entry.

@estevaoam

btw, if someone is looking for a simple installation alternative, gpgtools has a simple installer that bundles this nicely: https://gpgtools.org/

@lnasc256

thank you

@antoniocosentino

works fine, thanks!

@eclecticjohny

thanks!

@jorgeborges

Works like a charm, thanks.

@arcs-

arcs- commented Mar 13, 2023

awesome, thanks!

@stevencch99

stevencch99 commented Mar 23, 2023

Has anyone had a problem with pinentry-mac not being able to input passphrase?
The entered text is still in the terminal and cannot be entered into pinentry-mac.
Ran on: macOS 13.2.1 (22D68), Apple M2 Pro
[Screenshot: CleanShot 2023-03-23 at 15 14 05@2x]

@stevencch99

Has anyone had a problem with pinentry-mac not being able to input passphrase?

Solved, turns out I should restart pinentry-mac after setting up gpg-agent too; leaving notes here for those who also ran into this issue.
$ killall pinentry-mac gpg-agent

@benwebbbenwebb

Yep. I found out why.

Looks like the problem is a missing key in defaults:

defaults write org.gpgtools.pinentry-mac DisableKeychain -bool no

You must set this to no, otherwise, it will be "true" and doesn't show, even if you have UseKeychain = yes.

For those who land here trying to disable the 'Save to Keychain' being on by default in pinentry-mac, I found that this worked for me (got this answer from here):

$ defaults write org.gpgtools.pinentry-mac UseKeychain -bool NO
$ killall pinentry-mac gpg-agent
