Skip to content

Instantly share code, notes, and snippets.

Last active July 10, 2024 09:25
Show Gist options
  • Save koshatul/2427643668d4e89c0086f297f9ed2130 to your computer and use it in GitHub Desktop.
Save koshatul/2427643668d4e89c0086f297f9ed2130 to your computer and use it in GitHub Desktop.
use Apple Keychain to store GPG Passphrases

gpg-agent setup

Need to setup gpg-agent first, on OSX I use keychain (it also does ssh-agent)

$ brew info keychain
keychain: stable 2.8.5
User-friendly front-end to ssh-agent(1)
/usr/local/Cellar/keychain/2.8.5 (7 files, 108.5KB) *
  Built from source on 2018-10-23 at 14:44:08
==> Analytics
install: 267 (30 days), 841 (90 days), 3,910 (365 days)
install_on_request: 262 (30 days), 817 (90 days), 3,661 (365 days)
build_error: 0 (30 days)

gpg passphrase in keychain

brew install gpg gpg2 pinentry-mac
mkdir -m 0700 ~/.gnupg
echo "pinentry-program $(brew --prefix)/bin/pinentry-mac" | tee ~/.gnupg/gpg-agent.conf
pkill -TERM gpg-agent

Close and reopen shell.

test gpg passphrase stored in keychain

Assuming you've already created or imported a key, select an identity to test:

$ gpg --list-keys
pub   rsa4096 2019-06-18 [SC]
uid           [ultimate] Koshatul <>
sub   rsa4096 2019-06-18 [E]

Test (replace with the identity of your certificate):

$ echo test | gpg -e -r | gpg -d
gpg: encrypted with rsa4096 key, ID 3AF58C6962796950, created 2019-06-18
      "Koshatul <>"
Copy link

It should look like this, with the "save to keychain" ticked by default.

Screen Shot 2022-04-12 at 17 08 56

Copy link

Oh, of course. That's what I get for being smart and just copying the echo'd line into gpg-agent.conf myself instead of running the command. :)

The example isn't the greatest anyway, I should use sed and replace it if it exists instead of blindly overwriting the config file.

But this was meant to be for someone who hasn't setup their gpg-agent yet.

Copy link

0x3333 commented Apr 12, 2022

It should look like this, with the "save to keychain" ticked by default.

Screen Shot 2022-04-12 at 17 08 56

Yeah I know. But the latest version doesn’t show… I build an old version and it worked, don’t know why… will have to investigate.

Copy link

@0x3333 did you install from homebrew ?

Copy link

0x3333 commented Apr 12, 2022

Yep. I found out why.

Looks like the problem is a missing key in defaults:

defaults write org.gpgtools.pinentry-mac DisableKeychain -bool no

You must set this to no, otherwise, it will be "true" and doesn't show, even if you have UseKeychain = yes.

Copy link

I never changed that, but good find.

Copy link

0x3333 commented Apr 12, 2022

Looks like using GPGTools Preference pane sets this entry.

Copy link

btw, if someone is looking for a simple installation alternative gpgtools have a simple installer that bundle this nicely:

Copy link

thank you

Copy link

works fine, thanks!

Copy link


Copy link

Works like a charm, thanks.

Copy link

arcs- commented Mar 13, 2023

awesome, thanks!

Copy link

stevencch99 commented Mar 23, 2023

Has anyone had a problem with pinentry-mac not being able to input passphrase?
The entered text is still in the terminal and cannot be entered into pinentry-mac.
Ran on: macOS 13.2.1 (22D68), Apple M2 Pro
CleanShot 2023-03-23 at 15 14 05@2x

Copy link

Has anyone had a problem with pinentry-mac not being able to input passphrase?

Solved, turns out I should restart pinentry-mac after setup gpg-agent too, leave notes here for those who also ran into this issue.
$ killall pinentry-mac gpg-agent

Copy link

Yep. I found out why.

Looks like the problem is a missing key in defaults:

defaults write org.gpgtools.pinentry-mac DisableKeychain -bool no

You must set this to no, otherwise, it will be "true" and doesn't show, even if you have UseKeychain = yes.

For those who land here trying to disable the 'Save to Keychain' being on by default in pin entry-mac, I found that this worked for me (got this answer from here):

$ defaults write org.gpgtools.pinentry-mac UseKeychain -bool NO
$ killall pinentry-mac gpg-agent

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment