Last active February 23, 2025 02:50
use Apple Keychain to store GPG Passphrases

gpg-agent setup

You need to set up gpg-agent first. On macOS I use keychain, the command-line agent front-end shown below (not to be confused with Apple's Keychain, which is where pinentry-mac will store the passphrase); it also handles ssh-agent.

$ brew info keychain
keychain: stable 2.8.5
User-friendly front-end to ssh-agent(1)
/usr/local/Cellar/keychain/2.8.5 (7 files, 108.5KB) *
  Built from source on 2018-10-23 at 14:44:08
==> Analytics
install: 267 (30 days), 841 (90 days), 3,910 (365 days)
install_on_request: 262 (30 days), 817 (90 days), 3,661 (365 days)
build_error: 0 (30 days)

gpg passphrase in keychain

brew install gpg gpg2 pinentry-mac
mkdir -m 0700 ~/.gnupg
echo "pinentry-program $(brew --prefix)/bin/pinentry-mac" | tee ~/.gnupg/gpg-agent.conf
pkill -TERM gpg-agent

Run the echo line exactly as written: the shell expands $(brew --prefix) to /usr/local (Intel) or /opt/homebrew (Apple Silicon), so the file ends up containing the literal path. gpg-agent does not expand shell syntax itself, and a literal $(brew --prefix) in gpg-agent.conf produces "No pinentry" errors. Note that tee overwrites any existing ~/.gnupg/gpg-agent.conf; if you already have one, edit its pinentry-program line instead. Then close and reopen the shell so a fresh gpg-agent starts with the new config.

test gpg passphrase stored in keychain

Assuming you've already created or imported a key, select an identity to test:

$ gpg --list-keys
pub   rsa4096 2019-06-18 [SC]
uid           [ultimate] Koshatul <[email protected]>
sub   rsa4096 2019-06-18 [E]

Test (replace [email protected] with the user ID of your key):

$ echo test | gpg -e -r [email protected] | gpg -d
gpg: encrypted with rsa4096 key, ID 3AF58C6962796950, created 2019-06-18
      "Koshatul <[email protected]>"

On the first run pinentry-mac opens a native dialog with "Save in Keychain" ticked; entering the passphrase there stores it in Apple Keychain. A second run passing straight away does not by itself prove the Keychain copy works, because gpg-agent also caches the passphrase in memory for a while: stop the agent (pkill as in the setup step) and run the test again. If the plaintext comes back with no prompt, the passphrase was fetched from Keychain.
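An added example (not part of the gist or its comments) that does the setup step above the way koshatul later suggests in the thread: replace an existing pinentry-program line instead of overwriting the whole gpg-agent.conf, resolve the path with $(brew --prefix) so it works on both Intel and Apple Silicon Homebrew layouts, restart the agent with gpgconf --kill gpg-agent, and, for the missing "Save in Keychain" checkbox discussed further down, print the two org.gpgtools.pinentry-mac defaults (DisableKeychain, UseKeychain) that control it. The function names and the $GNUPGHOME handling are this example's own assumptions; the macOS-specific parts only run where brew and defaults exist, so the functions can be exercised on any POSIX system.

```shell
#!/bin/sh
# Added example, not from the gist: idempotent gpg-agent.conf setup for
# pinentry-mac plus a read-back of the pinentry-mac Keychain defaults.
# Function names and layout are this example's own assumptions.
set -eu

# Set or replace the pinentry-program line in a gpg-agent.conf.
#   $1 = path to gpg-agent.conf   $2 = absolute path to the pinentry binary
# All other lines are preserved; the file is created mode 0600 if missing.
set_pinentry_program() {
  local conf="$1" pinentry="$2" tmp
  mkdir -p -m 0700 "$(dirname "$conf")"
  [ -f "$conf" ] || : > "$conf"
  chmod 0600 "$conf"
  tmp="$(mktemp)"
  # keep every line except existing pinentry-program entries (grep -v exits 1
  # when no line survives the filter, which is not an error here)
  grep -v '^[[:space:]]*pinentry-program[[:space:]]' "$conf" > "$tmp" || true
  printf 'pinentry-program %s\n' "$pinentry" >> "$tmp"
  cat "$tmp" > "$conf"     # write in place so mode and owner are kept
  rm -f "$tmp"
}

# Print the pinentry-program currently configured in a gpg-agent.conf
# (empty if there is none; the last matching line is reported).
get_pinentry_program() {
  awk '$1 == "pinentry-program" { p = $2 } END { print p }' "$1"
}

gnupg_home="${GNUPGHOME:-$HOME/.gnupg}"

# macOS/Homebrew part: only runs where brew exists. $(brew --prefix) is
# /usr/local on Intel and /opt/homebrew on Apple Silicon.
if command -v brew >/dev/null 2>&1; then
  pinentry_bin="$(brew --prefix)/bin/pinentry-mac"
  if [ -x "$pinentry_bin" ]; then
    set_pinentry_program "$gnupg_home/gpg-agent.conf" "$pinentry_bin"
    echo "gpg-agent.conf now uses: $(get_pinentry_program "$gnupg_home/gpg-agent.conf")"
    # make the running agent exit; the next gpg call starts a new one that
    # reads the updated conf (same effect as the gist's pkill + new shell)
    gpgconf --kill gpg-agent
  else
    echo "pinentry-mac not found at $pinentry_bin; run: brew install pinentry-mac" >&2
  fi
fi

# Why the "Save in Keychain" box may be missing (per 0x3333's comment):
# pinentry-mac honours these two user defaults, and DisableKeychain set to
# true hides the option even when UseKeychain is yes.
if command -v defaults >/dev/null 2>&1; then
  for key in DisableKeychain UseKeychain; do
    printf 'org.gpgtools.pinentry-mac %s = %s\n' "$key" \
      "$(defaults read org.gpgtools.pinentry-mac "$key" 2>/dev/null || echo unset)"
  done
fi
```

Running this on a Mac rewrites the pinentry-program line of the real gpg-agent.conf, so review the printed path before trusting it; a value of "unset" for DisableKeychain means pinentry-mac falls back to its built-in default, which is the case the thread below is troubleshooting.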

If you have an M1/Apple Silicon computer, Homebrew will install pinentry-mac in /opt/homebrew/bin/pinentry-mac instead of /usr/local/bin/pinentry-mac, so you will want to change the gpg-agent.conf step to the following:

echo 'pinentry-program /opt/homebrew/bin/pinentry-mac' | tee ~/.gnupg/gpg-agent.conf


This worked perfectly! Thank you!

I used the following to test it:

echo "Let's do the time warp again\!" | gpg -e -r [email protected] | gpg -d


I posted a link to your GitHub Gist on my LinkedIn profile: link


updated to use $(brew --prefix) so it works for both new and old.


Thank you, worked perfectly!


toshke commented Mar 25, 2022

The pinentry-mac binary does not work for me; it was installed just as pinentry in $BREW_HOME/bin.

version info

pinentry: stable 1.2.0 (bottled)
Passphrase entry dialog utilizing the Assuan protocol
/Users/nikolatari/brew/brew/Cellar/pinentry/1.2.0 (12 files, 366.5KB) *


I just had a colleague with the same issue. There is a pinentry-mac in Homebrew, which is the macOS-specific version that uses Keychain for passphrase storage and a native Cocoa popup window prompt.

I haven't tried pinentry, but it wasn't working for my colleague (it would just stall waiting for the passphrase with no prompt), whereas pinentry-mac worked.


brew install pinentry-mac


pinentry-mac in homebrew

pinentry-mac: stable (bottled), HEAD
Pinentry for GPG on Mac
/opt/homebrew/Cellar/pinentry-mac/ (17 files, 482.7KB) *


toshke commented Mar 25, 2022

@koshatul nice, that worked actually better.


tanuva commented Mar 31, 2022

Either I'm doing it wrong or using brew --prefix in gpg-agent.conf does not work. I had to put the literal path there; otherwise gpg reports:

gpg: public key decryption failed: No pinentry
gpg: decryption failed: No pinentry


koshatul commented Apr 1, 2022

It might be misleading, but that command was designed to put the correct path in the file for you directly.

If you run

echo "pinentry-program $(brew --prefix)/bin/pinentry-mac"

In your terminal it will return what you need to put in the file.


tanuva commented Apr 1, 2022

Oh, of course. That's what I get for being smart and just copying the echo'd line into gpg-agent.conf myself instead of running the command. :)


0x3333 commented Apr 12, 2022

My pinentry-mac doesn't have an option to Save in Keychain. Does anyone have this problem?


It should look like this, with the "save to keychain" ticked by default.

(screenshot of the pinentry-mac prompt)


Oh, of course. That's what I get for being smart and just copying the echo'd line into gpg-agent.conf myself instead of running the command. :)

The example isn't the greatest anyway, I should use sed and replace it if it exists instead of blindly overwriting the config file.

But this was meant to be for someone who hasn't setup their gpg-agent yet.


0x3333 commented Apr 12, 2022

It should look like this, with the "save to keychain" ticked by default.

(screenshot of the pinentry-mac prompt)

Yeah, I know. But the latest version doesn't show it… I built an old version and it worked, don't know why… will have to investigate.


@0x3333 did you install from homebrew ?


0x3333 commented Apr 12, 2022

Yep. I found out why.

Looks like the problem is a missing key in defaults:

defaults write org.gpgtools.pinentry-mac DisableKeychain -bool no

You must set this to no; otherwise it will be "true" and the option doesn't show, even if you have UseKeychain = yes.


I never changed that, but good find.


0x3333 commented Apr 12, 2022

Looks like using GPGTools Preference pane sets this entry.


btw, if someone is looking for a simple installation alternative, gpgtools have a simple installer that bundles this nicely:


thank you


works fine, thanks!




Works like a charm, thanks.


arcs- commented Mar 13, 2023

awesome, thanks!


stevencch99 commented Mar 23, 2023

Has anyone had a problem with pinentry-mac not being able to input passphrase?
The entered text is still in the terminal and cannot be entered into pinentry-mac.
Ran on: macOS 13.2.1 (22D68), Apple M2 Pro
(screenshot of the terminal and pinentry-mac prompt)


Has anyone had a problem with pinentry-mac not being able to input passphrase?

Solved. It turns out I should restart pinentry-mac after setting up gpg-agent too; leaving notes here for those who also run into this issue.
$ killall pinentry-mac gpg-agent


Yep. I found out why.

Looks like the problem is a missing key in defaults:

defaults write org.gpgtools.pinentry-mac DisableKeychain -bool no

You must set this to no; otherwise it will be "true" and the option doesn't show, even if you have UseKeychain = yes.

For those who land here trying to disable 'Save to Keychain' being on by default in pinentry-mac, I found that this worked for me (got this answer from here):

$ defaults write org.gpgtools.pinentry-mac UseKeychain -bool NO
$ killall pinentry-mac gpg-agent
