@nl5887
Last active November 14, 2022 09:37
Using GPG Agent on OS-X
launchctl unload -w -S Aqua /System/Library/LaunchAgents/gpg.agent.daemon.plist
launchctl load -w -S Aqua /System/Library/LaunchAgents/gpg.agent.daemon.plist
use-standard-socket
enable-ssh-support
default-cache-ttl 14400
max-cache-ttl 86400
#pinentry-program /usr/local/bin/pinentry-mac
log-file /var/log/gpg-agent.log
write-env-file /Users/remco/.gnupg/gpg-agent-info
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>gpg.agent.daemon</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/MacGPG2/bin/gpg-agent</string>
<string>--daemon</string>
<string>--options</string>
<string>/Users/remco/.gnupg/gpg-agent.conf</string>
<string>--enable-ssh-support</string>
<string>--log-file</string>
<string>/var/log/gpg-agent.log</string>
<string>--write-env-file</string>
<string>/Users/remco/.gnupg/gpg-agent-info</string>
</array>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>SecureSocketWithKey</key>
<string>SSH_AUTH_SOCK</string>
</dict>
</dict>
<key>StandardOutPath</key>
<string>/var/log/gpg-agent.stdout.log</string>
<key>StandardErrorPath</key>
<string>/var/log/gpg-agent.error.log</string>
<!--
<key>RunAtLoad</key>
<true/>
<key>EnableTransactions</key>
<true/>
-->
<key>Umask</key>
<integer>63</integer>
</dict>
</plist>
@rlue

rlue commented Jun 28, 2017

FYI, this launch daemon and the write-env-file option are obsolete as of GnuPG 2.1. From What's New in GnuPG 2.1 (emphasis mine):

Auto-start of the gpg-agent

The gpg-agent is the central part of the GnuPG system. It takes care of all private (secret) keys and if required diverts operations to a smartcard or other token. It also provides support for the Secure Shell by implementing the ssh-agent protocol.

The classic way to run gpg-agent on Unix systems is by launching it at login time and use an environment variable (GPG_AGENT_INFO) to tell the other GnuPG modules how to connect to the agent. However, correctly managing the start up and this environment variable is cumbersome so that an easier method is required. Since GnuPG 2.0.16 the --use-standard-socket option already allowed to start the agent on the fly; however the environment variable was still required.

With GnuPG 2.1 the need of GPG_AGENT_INFO has been completely removed and the variable is ignored. Instead a fixed Unix domain socket named S.gpg-agent in the GnuPG home directory (by default ~/.gnupg) is used. The agent is also started on demand by all tools requiring services from the agent.

If the option --enable-ssh-support is used the auto-start mechanism does not work because ssh does not know about this mechanism. Instead it is required that the environment variable SSH_AUTH_SOCK is set to the S.gpg-agent.ssh socket in the GnuPG home directory. Further gpg-agent must be started: Either by using a GnuPG command which implicitly starts gpg-agent or by using gpgconf --launch gpg-agent to explicitly start it if not yet done.
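
The GnuPG 2.1 mechanism quoted above (the fixed S.gpg-agent.ssh socket plus gpgconf --launch), as an added POSIX shell example that is not part of the gist or of GnuPG: it locates the ssh socket with gpgconf --list-dirs agent-ssh-socket, decides whether to replace the SSH_AUTH_SOCK that macOS launchd hands each session, and launches the agent. The function names and the fallback path used when gpgconf is absent are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): hook ssh up to gpg-agent on GnuPG 2.1+,
# where GPG_AGENT_INFO and write-env-file no longer exist. Source this from
# your shell profile and call use_gpg_agent_for_ssh. Function names and the
# fallback path are assumptions of this example, not GnuPG conventions.

# Where gpg-agent's ssh socket lives. gpgconf reports the real location
# (it can differ from ~/.gnupg on newer versions); if gpgconf is missing,
# assume the classic ~/.gnupg/S.gpg-agent.ssh named in the GnuPG 2.1 notes.
gpg_ssh_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        printf '%s/S.gpg-agent.ssh\n' "${GNUPGHOME:-$HOME/.gnupg}"
    fi
}

# Should the current SSH_AUTH_SOCK ($1) be replaced by the gpg socket ($2)?
# macOS launchd hands each login session its own ssh-agent listener under
# /private/tmp/com.apple.launchd.*/Listeners (the value seen in the comments
# below). Replace that, or an empty value, but keep anything else, for
# example an agent forwarded into this session with `ssh -A`.
needs_override() {
    case "$1" in
        "")        return 0 ;;
        "$2")      return 1 ;;
        /private/tmp/com.apple.launchd.*/Listeners) return 0 ;;
        *)         return 1 ;;
    esac
}

# Export SSH_AUTH_SOCK when appropriate and make sure gpg-agent is running,
# since ssh itself cannot auto-start it. Prints the socket ssh will use.
use_gpg_agent_for_ssh() {
    sock=$(gpg_ssh_socket)
    if needs_override "${SSH_AUTH_SOCK:-}" "$sock"; then
        SSH_AUTH_SOCK=$sock
        export SSH_AUTH_SOCK
    fi
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --launch gpg-agent
    fi
    printf '%s\n' "$SSH_AUTH_SOCK"
}
```

Check the result with `ssh-add -l`: it should list the keys gpg-agent exposes (the authentication subkey of your GPG key, or any keys added via ssh-add to sshcontrol) rather than those of the launchd ssh-agent.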

@mikegreiling

> If the option --enable-ssh-support is used the auto-start mechanism does not work

If you're using GPG in place of ssh-agent, it looks like this solution (or some variation of it) is still necessary.

@drew1kun

drew1kun commented Jun 6, 2018

Has anyone succeeded in interchanging ssh-agent with gpg-agent on macOS (High Sierra here)? How would you guys set the SSH_AUTH_SOCK env var globally? Tried it with launchctl setenv:

$ launchctl setenv SSH_AUTH_SOCK ${HOME}/.gnupg/S.gpg-agent.ssh
$ launchctl getenv SSH_AUTH_SOCK
/Users/drew/.gnupg/S.gpg-agent.ssh

But then:

$ echo $SSH_AUTH_SOCK
/private/tmp/com.apple.launchd.IjNASGcnxM/Listeners

So it seems like the variable set with launchd is ignored...

@genevera

genevera commented Sep 3, 2019

> Has anyone succeeded in interchanging ssh-agent with gpg-agent on macOS (High Sierra here)? How would you guys set the SSH_AUTH_SOCK env var globally? Tried it with launchctl setenv:
>
> $ launchctl setenv SSH_AUTH_SOCK ${HOME}/.gnupg/S.gpg-agent.ssh
> $ launchctl getenv SSH_AUTH_SOCK
> /Users/drew/.gnupg/S.gpg-agent.ssh
>
> But then:
>
> $ echo $SSH_AUTH_SOCK
> /private/tmp/com.apple.launchd.IjNASGcnxM/Listeners
>
> So it seems like the variable set with launchd is ignored...

@drew-kun You'd need to start a new shell that doesn't overwrite that env var, IIRC.

     setenv key value
              Specify an environment variable to be set on all future processes launched by launchd in the
              caller's context.

@fr-rose-steven

Confirming the first post still works on Mojave.

@laggardkernel

Totally outdated. It doesn't work at all.

@rsurjano

It doesn't work for me.
