tl;dr: The path for
Now, I had a feeling that since Jessie’s dotfiles are mainly for Debian there might be issues, but I had no idea what it was causing this problem.
~ ❯❯❯ ssh firstname.lastname@example.org gpg-connect-agent: no running gpg-agent - starting '/usr/local/Cellar/gnupg/2.2.10/bin/gpg-agent' gpg-connect-agent: waiting for the agent to come up ... (5s) gpg-connect-agent: connection to agent established sign_and_send_pubkey: signing failed: agent refused operation Permission denied (publickey).
Note: She has this awesome bit to add to your
.bashrcwhich makes sure the agent is running before someone runs
ssh. One of many things I copied from her dotfiles
# add alias for ssh to update the tty alias ssh="gpg-connect-agent updatestartuptty /bye >/dev/null; ssh"
What people recommended online from that error was that my key wasn’t getting unlocked and so just doing a simple gpg encrypt/decrypt would fix things. But I’d already tried that and got errors like this:
~ ❯❯❯ echo "test message string" | gpg --encrypt --armor --recipient $KEY_ID | pbcopy ~ ❯❯❯ gpg -d --armor -----BEGIN PGP MESSAGE----- hQIMA7TR7A5FburFARAAp4ZKDVnF+B27GbtRxFGk2XrS+j4Vranr+495vqWyHO7T VD9VQp20iFVCLb9E0csC9pxug+9AwWBolu7S1zqq4Q7B2xZu7iHysK7d30KIXanq kfXz2G2U63cOowHa2LVzT9vg0VU3IL7R8bfw6bQNitTFXx746NtSHT/mYTfooNJo Nha/Vo/s8sO9IMHNnKbl5hkUTo2L91ni4x5XcC0c/mtm/83bJJCoNGquzeXdD1AI rSLs+dOzMvOLB1fhxkm2G7KWQdA0f5q14esyQeKSXw4D8rTz37cn+2LVK7NJomrq hA+IJkIt+ouONlgR0Mv37LFeaCv4yhKbhO3gPJ5LZtCnPbnNA8x9r2I45m2Zue/9 mz+mM9pPk4ZAt8x9SNVNPWhxB0WMxtWkRMJ6BD5ZufvjNBeeAOAx+fMOcwOPHjek ADTSRBWJ8TXo3KrmtBs5dNn997XmHRgG33LAZlmjXFR1hqphwjZqSBv+rr4BmlL3 56mr/4/rYwoX+13vHPndrF8scpn9nCt6w5XQ+DO4Q41HMFAd926GiD9+iSf/5LO4 ZNzViln57Q+LRCFVi0ClGXMxW3ziJTPeuBImCuHNupsiJzyyfUtoMB3zG0yFlH9M DHlOuVg2NEsLIm+iTLPyJww4axfZxGzMophtlA/sV/a5vQ+Gumy75fOq5MpaMPXS TwFIMBdW81brkQ97yh9f0z+d6MCAi76BmqjXJGnIYpC0mlDqY38vaZg8dI3Tu9ML eElq/a+iPoCgmw8KYJQU1lOJe+gSMbXG3dyDccdYVTk= =0Qx0 -----END PGP MESSAGE----- gpg: encrypted with 4096-bit RSA key, ID 0xB4D1EC0E456EEAC5, created 2018-10-18 "Chris Portela <email@example.com>" gpg: public key decryption failed: No pinentry gpg: decryption failed: No secret key ^C gpg: signal Interrupt caught ... exiting
But, what caught my eye was
No pinentry. How is that possible? I’d followed the guide and was previously using
pinentry-curses at the end of the guide to make sure I’d done everything correctly. I had switched to using
pinentry-mac, which I’d been having issues getting to actually be used, but I figured it wasn’t that big a deal.
Here was my config for
enable-ssh-support pinentry-program /usr/bin/pinentry-mac default-cache-ttl 600 max-cache-ttl 7200
The problem is that path there was for where
pinentry would be if I were in Linux, but thanks to SIP on macOS Homebrew installs everything in
local/ to the path made everything work again after I ran this command to reload the agent.
gpg-connect-agent reloadagent /bye
Another good way to figure out the path is to use
which and copy the path it gives you
which pinentry-mac | pbcopy
Hope this helped
As usual, I saw this issue everywhere, but very few people “solving” the issue. Many times it’s that
ssh-agent is running at the same time as
gpg-agent, but in my case it was a bad