GnuPG pinentry depending on GUI presence

All we need is an easy explanation of the problem, so here it is.

On MacOSX I’m using gnupg21 in order to sign git commit. Depending on project I’m currently working sometime I’m using IDE (here IntellijIDEA) to interact with git and sometime directly in terminal.

I had to setup

pinentry-program /usr/local/bin/pinentry-mac

to be able to continue working on IntellijIDEA.

However I’m not really fan about prompting GUI when I’m using terminal. Do you think is possible to configure gnupg21 to choose pinentry program regarding the situation?

  • On GUI -> /usr/local/bin/pinentry-mac
  • On terminal -> /usr/local/bin/pinentry

Edit: My current config files


default-cache-ttl 14400
max-cache-ttl 86400
log-file /var/log/gpg-agent.log
pinentry-program /usr/local/bin/pinentry-mac


keyserver hkp://

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

Running Multiple gpg-agents

GnuPG’s gpg-agent could be configured to use different sockets before GnuPG 2.1; you could have used different gpg-agents running in parallel with different configuration (pinentry implementations).

With GnuPG 2.1, this is not possible any more. GnuPG since 2.1 always uses a fixed socket path.

Pinentry Switching

The only clean possibility to enable such a feature is probably writing a pinentry "switch" implementation, deciding which actual pinentry to call depending on whether called from a command line or the GUI (for example, depending on what DISPLAY or tty variables are set).

Loopback Pinentry Mode

An alternative would be to use the loopback pinentry feature, which is disabled in gpg-agent by default for security reasons. Pinentry loopback will have gpg-agent query gpg for the passphrase instead of the out-of-band pinentry password query. This potentially opens security issues, as the rather large and complex GnuPG application (with a larger chance of vulnerabilities) gets access to the passphrase and thus the private key, which would otherwise be limited to the gpg-agent and pinentry implementation.

To do so anyway, add a line allow-loopback-pinentry in ~/.gnupg/gpg-agent.conf, killall gpg-agent (so it is restarted with the option enabled on the next time GnuPG wants to use it). When you want to use GUI pinentry, start GnuPG as normal; for command line operations, call gpg21 --pinentry-mode loopback instead (which of course could be an alias for gpg21).

Method 2

Sorry for the late answer but I had the same question and found a solution that seems cleaner than changing the pinentry-program configuration and restarting gpg-agent every time.

Although it’s not documented anywhere outside of the source, pinentry-mac will fall back to the curses CLI pin entry method if the PINENTRY_USER_DATA environment variable is set to USE_CURSES=1. You can leave pinentry-mac as the default in your gpg-agent.conf and slap:


in your bash profile or equivalent.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply