On MacOSX I’m using gnupg21 in order to sign git commits. Depending on the project I’m currently working on, sometimes I’m using an IDE (here IntelliJ IDEA) to interact with git and sometimes directly in
I had to set up
to be able to continue working on
However, I’m not really a fan of a GUI prompt when I’m using the terminal. Do you think it is possible to configure gnupg21 to choose the pinentry program depending on the situation?
- On GUI ->
- On terminal ->
Edit: My current config files
gpg-agent.conf:

    enable-ssh-support
    default-cache-ttl 14400
    max-cache-ttl 86400
    log-file /var/log/gpg-agent.log
    pinentry-program /usr/local/bin/pinentry-mac

gpg.conf:

    keyserver hkp://keys.gnupg.net
    no-tty
    use-agent
How to solve:
gpg-agent could be configured to use different sockets before GnuPG 2.1; you could have used different gpg-agents running in parallel with different configurations (pinentry implementations). With GnuPG 2.1, this is not possible any more: GnuPG since 2.1 always uses a fixed socket path.

The only clean possibility to enable such a feature is probably writing a pinentry "switch" implementation, deciding which actual pinentry to call depending on whether it is called from a command line or the GUI (for example, depending on what tty variables are set).
Loopback Pinentry Mode
An alternative would be to use the loopback pinentry feature, which is disabled in gpg-agent by default for security reasons. Pinentry loopback will have gpg ask for the passphrase instead of the out-of-band pinentry password query. This potentially opens security issues, as the rather large and complex GnuPG application (with a larger chance of vulnerabilities) gets access to the passphrase and thus the private key, which would otherwise be limited to the gpg-agent and pinentry implementation.
To do so anyway, add a line
killall gpg-agent (so it is restarted with the option enabled the next time GnuPG wants to use it). When you want to use the GUI pinentry, start GnuPG as normal; for command line operations, call gpg21 --pinentry-mode loopback instead (which of course could be an alias for
Sorry for the late answer but I had the same question and found a solution that seems cleaner than changing the pinentry-program configuration and restarting gpg-agent every time.

Although it’s not documented anywhere outside of the source, pinentry-mac will fall back to the curses CLI pin entry method if the PINENTRY_USER_DATA environment variable is set to USE_CURSES=1. You can leave pinentry-mac as the default in your gpg-agent.conf and slap:
in your bash profile or equivalent.
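The pinentry "switch" wrapper the first answer describes, keyed on the same PINENTRY_USER_DATA variable the second answer relies on (gpg forwards it to gpg-agent, which places it in the environment of the pinentry it spawns). This is an added example, not code from either answer or from GnuPG; the wrapper name pinentry-switch, the two pinentry paths and the USE_TTY=1 token are assumptions.

```shell
#!/bin/sh
# pinentry-switch: hypothetical wrapper (added example, not from the thread).
# Install it on PATH, set in gpg-agent.conf
#   pinentry-program /usr/local/bin/pinentry-switch
# and reload the agent with: gpgconf --kill gpg-agent
#
# A terminal session opts into a text-mode pinentry by exporting
#   PINENTRY_USER_DATA=USE_TTY=1
# in its shell profile; GUI-launched tools (no such variable) keep the
# macOS pinentry. The wrapper sits on the path that handles the passphrase,
# so keep it root-owned and not world-writable, like the pinentries it calls.

GUI_PINENTRY="${PINENTRY_SWITCH_GUI:-/usr/local/bin/pinentry-mac}"   # assumed path
TTY_PINENTRY="${PINENTRY_SWITCH_TTY:-/usr/local/bin/pinentry-curses}" # assumed path

# choose_pinentry USER_DATA GUI_PATH TTY_PATH
# Prints the pinentry to run. Only text mode needs an explicit opt-in:
# unset, empty or unrelated data keeps the GUI, the safe default when a
# usable terminal cannot be assumed (a curses pinentry fails without one).
# USER_DATA may hold several ';'-separated tokens; matching is exact, so
# USE_TTY=10 does not count.
choose_pinentry() {
    user_data="$1"; gui_pe="$2"; tty_pe="$3"
    case ";$user_data;" in
        *";USE_TTY=1;"* | *";USE_CURSES=1;"*) printf '%s\n' "$tty_pe" ;;
        *) printf '%s\n' "$gui_pe" ;;
    esac
}

# Dispatch only when invoked under the installed name; sourcing this file
# (for example to test choose_pinentry) just defines the function.
case "$0" in
    *pinentry-switch)
        target=$(choose_pinentry "${PINENTRY_USER_DATA:-}" "$GUI_PINENTRY" "$TTY_PINENTRY")
        # If the text-mode pinentry is not installed, fall back to the GUI one
        # rather than leaving gpg-agent with no pinentry at all.
        [ -x "$target" ] || target="$GUI_PINENTRY"
        exec "$target" "$@"
        ;;
esac
```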