16

GitHub recently announced verified commits, so I took this opportunity to implement GPG and start using keys. When I want to start committing, I get the following:

$ git commit

You need a passphrase to unlock the secret key for
user: "John Doe <johndoe@email.com>"
4096-bit RSA key, ID ABCD1234, created 2016-04-08

gpg: problem with the agent - disabling agent use
error: gpg failed to sign the data
fatal: failed to write commit object

I went online and searched for a solution, and one site (for a mail provider) suggested running killall gpg-agent, and it worked. Now, I can sign commits by entering my passphrase.

Is gpg-agent necessary? It seems to come with GPG when I installed it, but if I have to kill it to sign my commits, it would seem that there is something that I am not understanding. How can I fix this so that I can have gpg-agent running and be able to sign my commits?

Chris Duncan
  • 721
  • 1
  • 6
  • 21

1 Answer

24

I just figured out how to use gpg-agent on my Mac today. I was blocked after hitting the same error as you:

gpg: problem with the agent - disabling agent use

tldr; How I fixed it

For my setup, I was able to fix this by installing pinentry-mac and pointing gpg-agent to use it, thus popping up a GUI prompt as required.

1. install pinentry-mac
% brew install pinentry-mac
2. update gpg-agent conf
# manually change ~/.gnupg/gpg-agent.conf's pinentry-program to /usr/local/bin/pinentry-mac
3. update shell's view of PATH contents
% hash -r
4. restart gpg-agent
# however you normally do it (see below for how I run it manually)

Details on debugging

I debugged this by restarting the gpg-agent manually. I first commented out the configs in ~/.gnupg/gpg-agent.conf, then I ran this command to restart the gpg-agent with --verbose:

% killall gpg-agent && \
  eval $(gpg-agent --pinentry-program /usr/local/bin/pinentry --default-cache-ttl 60 --daemon --verbose)

Then I ran a test command and saw the error we've both listed above, as well as a new one:

# set MY_GPG_KEY_ID to your key ID first; it must be expanded as a variable ($MY_GPG_KEY_ID), not as a command substitution
% echo hi | gpg -e -r "$MY_GPG_KEY_ID" | gpg -d --use-agent
...
gpg-agent[60604]: command get_passphrase failed: Device not configured
gpg: problem with the agent - disabling agent use
...

I eventually realized (after reading this article and this GPG page) that GPG_TTY was not set by the steps I was following for starting up gpg-agent. So once I set that variable everything "worked":

% killall gpg-agent && \
  eval $(gpg-agent --pinentry-program /usr/local/bin/pinentry --default-cache-ttl 60 --daemon --verbose)
% export GPG_TTY=`tty`
# Now the below command succeeds
% echo hi | gpg -e -r "$MY_GPG_KEY_ID" | gpg -d --use-agent

In the midst of this exercise I was trying a lot of different options, and discovered that the pinentry-mac GUI prompter "just worked".

Avoiding GUI passphrase prompter

If you don't want a GUI prompter popping up, then I think it would be sufficient to ensure that the following env variables are being set in every terminal:

  • GPG_TTY
    • e.g., you can put this line into your .bashrc:
    • export GPG_TTY=$(tty)
  • GPG_AGENT_INFO
erik.weathers
  • 821
  • 1
  • 8
  • 13
  • I forgot to mention that I use Ubuntu. :sweat_smile: Let me see if I can apply your research to my problem. – Chris Duncan Apr 10 '16 at 01:47
  • 1
    The solution to my problem apparently was simpler. According to [this manual](https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html), I have to specify to GPG which TTY I am using, once that was done, everything worked great. If you modify your answer to reflect this, I can accept your answer. – Chris Duncan Apr 10 '16 at 02:06
  • @cj-duncan I put the detail about setting `GPG_TTY` in your `.bashrc` (I have no idea how to "@" you with the space in your username :) ) – erik.weathers Apr 10 '16 at 03:07
  • Worked great for me on my Mac, I was just about to resort to entering my password a bajillion times to do a release. Thanks! – funkybro Apr 15 '16 at 13:43
  • 1
    @funkybro: glad it helped you! – erik.weathers Apr 17 '16 at 00:56