‘No pinentry’ on macOS

tl;dr: The path for pinentry-mac was wrong

I recently got a YubiKey 5 Nano and set it up thanks to this guide by Dr. Duh.

Everything was working fine, but that changed when I changed a few things to settings Jessie (@jessfraz) shared in her dotfiles. I started getting some errors finding pinentry.

Now, I had a feeling that since Jessie’s dotfiles are mainly for Debian there might be issues, but I had no idea what was causing this problem.

~ ❯❯❯ ssh git@github.com
gpg-connect-agent: no running gpg-agent - starting '/usr/local/Cellar/gnupg/2.2.10/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established
sign_and_send_pubkey: signing failed: agent refused operation
Permission denied (publickey).

Note: She has this awesome bit to add to your .zshrc/.bashrc which makes sure the agent is running before anyone runs ssh. It is one of many things I copied from her dotfiles:

# add alias for ssh to update the tty
alias ssh="gpg-connect-agent updatestartuptty /bye >/dev/null; ssh"

What people recommended online from that error was that my key wasn’t getting unlocked and so just doing a simple gpg encrypt/decrypt would fix things. But I’d already tried that and got errors like this:

~ ❯❯❯ echo "test message string" | gpg --encrypt --armor --recipient $KEY_ID | pbcopy
~ ❯❯❯ gpg -d --armor

gpg: encrypted with 4096-bit RSA key, ID 0xB4D1EC0E456EEAC5, created 2018-10-18
    "Chris Portela <chris@chrisportela.com>"
gpg: public key decryption failed: No pinentry
gpg: decryption failed: No secret key
gpg: signal Interrupt caught ... exiting

How frustrating.

But what caught my eye was No pinentry. How is that possible? I’d followed the guide and had previously used pinentry and pinentry-curses at the end of the guide to make sure I’d done everything correctly. I had since switched to pinentry-mac, which I’d been having trouble getting gpg to actually use, but I figured it wasn’t that big a deal.

Here was my config for ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/bin/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200

The problem is that this path is where pinentry would live on Linux, but on macOS, thanks to SIP, Homebrew installs everything into /usr/local/bin.

Adding local/ to the path (so it reads /usr/local/bin/pinentry-mac) made everything work again once I reloaded the agent with this command:

gpg-connect-agent reloadagent /bye

Another good way to figure out the path is to use which and copy the path it gives you:

which pinentry-mac | pbcopy
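As an added example (not from the original post), here is a small POSIX shell check that pulls pinentry-program out of a gpg-agent.conf and verifies it points at an executable, which is exactly what went wrong above; it also does the `which pinentry-mac` step for you when the configured file is missing. The conf path is whatever you pass in; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example: validate the pinentry-program line in a gpg-agent.conf.
# A pinentry path that does not exist is what produces "No pinentry" from gpg.

# pinentry_program_from_conf CONF_FILE -> prints the configured pinentry path
pinentry_program_from_conf() {
    # gpg-agent honours the last matching option, so take the final line.
    grep -E '^[[:space:]]*pinentry-program[[:space:]]+' "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -E 's/^[[:space:]]*pinentry-program[[:space:]]+//; s/[[:space:]]+$//'
}

# check_pinentry_path CONF_FILE
#   returns 0 if the configured program exists and is executable,
#           1 if it is configured but unusable,
#           2 if no pinentry-program line is present at all.
check_pinentry_path() {
    prog=$(pinentry_program_from_conf "$1")
    if [ -z "$prog" ]; then
        echo "no pinentry-program in $1 (gpg-agent will use its default)" >&2
        return 2
    fi
    if [ -x "$prog" ]; then
        echo "OK: $prog is executable" >&2
        return 0
    fi
    echo "BAD: $prog is not an executable file" >&2
    # Same idea as `which pinentry-mac`: look for the binary by name on PATH.
    alt=$(command -v "$(basename "$prog")" 2>/dev/null || true)
    if [ -n "$alt" ]; then
        echo "hint: $(basename "$prog") was found at $alt; use that path instead" >&2
    fi
    return 1
}

# Usage: ./check-pinentry.sh ~/.gnupg/gpg-agent.conf
if [ "$#" -gt 0 ]; then
    check_pinentry_path "$1"
fi
```

Run it after editing gpg-agent.conf and before `gpg-connect-agent reloadagent /bye`; a BAD line means the agent will fail exactly as shown above.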

Hope this helped.

As usual, I saw this issue everywhere, but very few people “solving” the issue. Many times it’s that ssh-agent is running at the same time as gpg-agent, but in my case it was a bad pinentry-mac path.