cmp is on the web

tl;dr: The path for pinentry-mac was wrong

I recently got a YubiKey 5 Nano and set it up thanks to this guide by Dr. Duh.

Everything was working fine, but that changed when I changed a few things to settings Jessie (@jessfraz) shared in her dotfiles. I started getting some errors finding pinentry.

Now, I had a feeling that since Jessie’s dotfiles are mainly for Debian there might be issues, but I had no idea what it was causing this problem.

~ ❯❯❯ ssh git@github.com
gpg-connect-agent: no running gpg-agent - starting '/usr/local/Cellar/gnupg/2.2.10/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established
sign_and_send_pubkey: signing failed: agent refused operation
Permission denied (publickey).

Note: She has this awesome bit to add to your .zshrc/.bashrc which makes sure the agent is running before someone runs ssh. One of many things I copied from her dotfiles
# add alias for ssh to update the tty
alias ssh="gpg-connect-agent updatestartuptty /bye >/dev/null; ssh"

What people recommended online from that error was that my key wasn’t getting unlocked and so just doing a simple gpg encrypt/decrypt would fix things. But I’d already tried that and got errors like this:

~ ❯❯❯ echo "test message string" | gpg --encrypt --armor --recipient $KEY_ID | pbcopy
~ ❯❯❯ gpg -d --armor
-----BEGIN PGP MESSAGE-----

hQIMA7TR7A5FburFARAAp4ZKDVnF+B27GbtRxFGk2XrS+j4Vranr+495vqWyHO7T
VD9VQp20iFVCLb9E0csC9pxug+9AwWBolu7S1zqq4Q7B2xZu7iHysK7d30KIXanq
kfXz2G2U63cOowHa2LVzT9vg0VU3IL7R8bfw6bQNitTFXx746NtSHT/mYTfooNJo
Nha/Vo/s8sO9IMHNnKbl5hkUTo2L91ni4x5XcC0c/mtm/83bJJCoNGquzeXdD1AI
rSLs+dOzMvOLB1fhxkm2G7KWQdA0f5q14esyQeKSXw4D8rTz37cn+2LVK7NJomrq
hA+IJkIt+ouONlgR0Mv37LFeaCv4yhKbhO3gPJ5LZtCnPbnNA8x9r2I45m2Zue/9
mz+mM9pPk4ZAt8x9SNVNPWhxB0WMxtWkRMJ6BD5ZufvjNBeeAOAx+fMOcwOPHjek
ADTSRBWJ8TXo3KrmtBs5dNn997XmHRgG33LAZlmjXFR1hqphwjZqSBv+rr4BmlL3
56mr/4/rYwoX+13vHPndrF8scpn9nCt6w5XQ+DO4Q41HMFAd926GiD9+iSf/5LO4
ZNzViln57Q+LRCFVi0ClGXMxW3ziJTPeuBImCuHNupsiJzyyfUtoMB3zG0yFlH9M
DHlOuVg2NEsLIm+iTLPyJww4axfZxGzMophtlA/sV/a5vQ+Gumy75fOq5MpaMPXS
TwFIMBdW81brkQ97yh9f0z+d6MCAi76BmqjXJGnIYpC0mlDqY38vaZg8dI3Tu9ML
eElq/a+iPoCgmw8KYJQU1lOJe+gSMbXG3dyDccdYVTk=
=0Qx0
-----END PGP MESSAGE-----
gpg: encrypted with 4096-bit RSA key, ID 0xB4D1EC0E456EEAC5, created 2018-10-18
    "Chris Portela <chris@chrisportela.com>"
gpg: public key decryption failed: No pinentry
gpg: decryption failed: No secret key
^C
gpg: signal Interrupt caught ... exiting

How frustrating.

But, what caught my eye was No pinentry. How is that possible? I’d followed the guide and was previously using pinentry and pinentry-curses at the end of the guide to make sure I’d done everything correctly. I had switched to using pinentry-mac, which I’d been having issues getting to actually be used, but I figured it wasn’t that big a deal.

Here was my config for ~/.gnupg/gpg-agent.conf

enable-ssh-support
pinentry-program /usr/bin/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200

The problem is that path there was for where pinentry would be if I were in Linux, but thanks to SIP on macOS Homebrew installs everything in /usr/local/bin.

Adding local/ to the path made everything work again after I ran this command to reload the agent.

gpg-connect-agent reloadagent /bye

Another good way to figure out the path is to use which and copy the path it gives you

which pinentry-mac | pbcopy

Hope this helped

As usual, I saw this issue everywhere, but very few people “solving” the issue. Many times it’s that ssh-agent is running at the same time as gpg-agent, but in my case it was a bad pinentry-mac path.