No GPG passphrase prompt in Visual Studio Code on Windows 10 for signed git commits using WSL2

Question

I am unable to use signed commits within Visual Studio Code when committing code in WSL2 from Windows 10.

THE ISSUE

No passphrase prompt is shown within Windows 10 resulting in git failing with error: gpg failed to sign the data

---

SETUP

Windows Setup

Latest version of Windows 10 with WSL2 and Windows Terminal.

Visual Studio Code is installed within Windows 10 and is the latest version (1.48.0) and includes the latest Remote WSL Extension (v0.44.4).

My code is within WSL2 running Ubuntu 20.04 with all packages updated.

Visual Studio Code is opened via the command line using the code . command from within WSL2.

Git Setup

Git (2.25.1) is installed within WSL2 with the following global config:

[user]
    name = My Name
    email = my.email@example.com
    signingkey = A1B2C3D4E5F67890
[commit]
    gpgsign = true

The git repository is initiated using the command line within WSL2.

GPG Setup

gnupg (2.2.19) is installed within WSL2.

I have ~/.gnupg/gpg.conf settings

use-agent
default-key A1B2C3D4E5F67890

And ~/.gnupg/gpg-agent.conf

default-cache-ttl 34560000
max-cache-ttl 34560000
pinentry-program /usr/bin/pinentry-curses

And my ~/.zprofile

export GPG_TTY=$(tty)
export GPG_AGENT_INFO=${HOME}/.gnupg/S.gpg-agent:0:1

---

WHAT WORKS

If I run a git commit from within WSL2 in Windows Terminal it prompts me for my passphrase.

┌────────────────────────────────────────────────────────────────┐
│ Please enter the passphrase to unlock the OpenPGP secret key:  │
│ "My Name <my.email@example.com>"                               │
│ 4096-bit RSA key, ID A1B2C3D4E5F67890,                         │
│ created 2020-08-10.                                            │
│                                                                │
│                                                                │
│ Passphrase: __________________________________________________ │
│                                                                │
│         <OK>                                    <Cancel>       │
└────────────────────────────────────────────────────────────────┘

This passphrase is then cached for the rest of my Windows session until I restart my laptop. Any commit after this no longer prompts for the passphrase.

I am now able to use the Visual Studio Code git UI and VSCode's built-in terminal to commit changes.

---

The Question

If I restart my laptop then commits from Visual Studio Code do not work until I first cache the GPG passphrase within WSL2.

Maybe worth noting, but if I haven't cached the passphrase and open the code within Visual Studio Code and try to do a commit from the built-in VSCode terminal it also fails. It only works if the passphrase is first entered within WSL2 via Windows Terminal.

I appreciate that Windows 10 and WSL2 are really two different systems but is there any way to get Windows to display a prompt for the GPG passphrase for git running in WSL2?

Or do I need to set things up completely differently? I've used MacOS for development for a long time now so not sure what the best route may be on Windows 10.

Edit: 2020-08-17 I found https://github.com/diablodale/pinentry-wsl-ps1 and used the script as the pinentry. This works and shows a GUI in Windows 10 when the passphrase isn't cached. But I'd like to find a solution that doesn't rely on a script that may stop functioning.

Answer 1

Big thanks to @39digits for his useful answer!

Some updates as of August 2021:

with the latest version of gpg4win, you need to set the folloing config in you ~/.gnupg/gpg-agent.conf file in WSL2 ubuntu:

pinentry-program "/mnt/c/Program Files (x86)/Gpg4win/bin/pinentry.exe"

Afterwards, you may need to restart the GPG agent by running:

gpg-connect-agent reloadagent /bye

Also, you no longer need to subscribe to the windows insiders track.

Answer 2

I found a solution...but it has caveats at the time of writing.

Since Visual Studio Code is running in Windows 10 and git & gpg are within WSL2 I thought of trying a visual pinentry on the Windows 10 side.

This didn't work until I subscribed to the Windows Insider's track and updated to the latest Dev Build (2004 Build 20190.1000).

Steps required:

Join the Windows Insider program and update Windows 10 to the 2004 Build 20190.1000 (might work on earlier builds but that's the one I received first). This will come with some interesting extras for WSL2 with increased interoperability - you'll also notice a Linux option in Windows Explorer now.

Install GPG4Win from https://www.gpg4win.org. Nothing other than the default gnupg is required, but I installed Kleopatra too in case it came in handy elsewhere.

Edit ~/.gnupg/gpg-agent.conf and change the pinentry

pinentry-program "/mnt/c/Program Files (x86)/GnuPG/bin/pinentry-basic.exe"

Now when you are asked for your passphrase the GPG GUI shows up.

I have tested this restarting the machine to ensure the passphrase isn't cached and it works for:

• Commit from WSL2 command-line
• Commit using Visual Studio Code git UI
• Commit using Visual Studio Code built-in terminal

This meets my requirements but happy to hear if there are any bits I may have not considered.

Answer 3

In my case:

• I use wsl2 (ubuntu20.04 LTS) with X server (X410) configured, and find a solution by installing pinentry-gtk2.
• Then configure pinentry-program to /usr/bin/pinentry-gtk-2, everything works well.

Steps:

1. Config your X server.
2. Install pinentry-gtk2. sudo apt install pinentry-gtk-2
3. Config gpg-agent. Add pinentry-program /usr/bin/pinentry-gtk-2 to ~/.gnupg/gpg-agent.conf
4. Reload gpg-agent. Execute command gpg-connect-agent reloadagent /bye

Notes: Avaliable pinentries

The effect:

Answer 4

Just to add to this a little bit, It seems like now a simple

git config --local gpg.program /usr/bin/gpg

is enough (in your git repository) for VS Code to be able to sign commits with your local gpg installation properly

Answer 5

You've specified the pinentry-curses program, which means that when you want to be prompted for a passphrase, you need to have an appropriate TTY available to prompt you.

If you don't want that behavior, there are other pinentry programs you can use; Debian, for example, ships the pinentry-gtk3 package, which can provide a graphical prompt. However, this requires that you have a functional X11 server available in your environment. This is necessary because Linux environments generally only have support for graphics via X11 (or possibly Wayland, which is not any more likely to work here).

There are other possibilities like you've mentioned that may be able to provide a native Windows prompt, but all of those are going to rely on additional add-on software, since neither Linux distros nor Windows ship software to provide this functionality. Linux distros typically don't ship software for Windows graphical interfaces because they don't ship Windows, so most of their users will be unable to use it.

Microsoft plans to ship better graphical support for WSL in the future, but as of yet has not done so.

Answer 6

For WLS2 users:

if your GIT for >= v2.39.0

git config --global credential.helper "/mnt/c/Program\ Files/Git/mingw64/bin/git-credential-manager.exe"

GIT >= v2.36.1

git config --global credential.helper "/mnt/c/Program\ Files/Git/mingw64/libexec/git-core/git-credential-manager.exe"

GIT < v2.36.1

git config --global credential.helper "/mnt/c/Program\ Files/Git/mingw64/bin/git-credential-manager-core.exe"

Full tutorial:

https://learn.microsoft.com/pt-br/windows/wsl/tutorials/wsl-git