GnuPG key on macOS with nix
Solving a mysterious pinentry problem
Recently I switched from using homebrew to nix as my macOS package manager. That means that some of the configuration bits I had stopped working due to path changes. One of the misconfigured things was GnuPG. In hindsight, it seems obvious that this was the source of the problem, but I arrived at that conclusion only after a considerable amount of time trying to figure out how to solve my problem.
It all started from a need to generate a new GnuPG key. In theory that should be a simple operation, just a gpg2 --gen-key away, but when doing so I was greeted with the following error:
gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry
Because GnuPG is not something I use very often, it took me a while to find a solution to this problem. In the end, it turned out that the path to the pinentry program, the path stored in ~/.gnupg/gpg-agent.conf, was wrong. It was pointing to the program that had been installed by Homebrew, but which now no longer existed.
I expected that finding a solution would be easy: it should be just a matter of installing another pinentry program, this time with nix.
The installation was quick:
$ nix-env -i pinentry
Then there was also the matter of changing the path in the configuration file and restarting gpg-agent. Despite my expectation that everything would return to normal, it didn't. Even so, I had made progress: the new error indicated that something else was wrong:
gpg: pinentry launched (348 unknown 0.9.7 ? ? ?)
gpg: agent_genkey failed: No such file or directory
Key generation failed: No such file or directory
It took me a bit longer to figure out, and although I'm not certain what the cause of the problem was, I managed to find a solution. What worked was switching from the tty-based pinentry to the one specifically created for macOS, by doing:
$ nix-env -e pinentry
$ nix-env -i pinentry-mac
And updating configuration file:
$ cat ~/.gnupg/gpg-agent.conf
pinentry-program /Users/lukasz/.nix-profile/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac
$ killall gpg-agent
One caveat is that the path to the pinentry program needs to be absolute.
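Both failures above come down to the same thing: the pinentry-program line in gpg-agent.conf must be an absolute path to an executable that actually exists, and gpg-agent reports only "No pinentry" or "No such file or directory" when it does not. The following shell function is an added example, not part of the original post, that checks a gpg-agent.conf for exactly that before you restart the agent. The function name check_pinentry_conf and the default config path are my own choices; it assumes the usual one-setting-per-line gpg-agent.conf format with '#' comments.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the pinentry-program
# configured in a gpg-agent.conf is an absolute path to an existing executable.
# Usage: check_pinentry_conf [path-to-gpg-agent.conf]
# Default config path is ~/.gnupg/gpg-agent.conf (an assumption, not from the post).
# Returns 0 when the configured pinentry looks usable, 1 otherwise, and prints why.

check_pinentry_conf() {
    conf="${1:-$HOME/.gnupg/gpg-agent.conf}"

    if [ ! -r "$conf" ]; then
        echo "no readable config at $conf (gpg-agent falls back to its built-in pinentry path)"
        return 1
    fi

    # Skip '#' comment lines and take the last pinentry-program setting, since a
    # later line overrides an earlier one. Paths with spaces are not handled here.
    prog=$(grep -v '^[[:space:]]*#' "$conf" \
        | awk '$1 == "pinentry-program" { p = $2 } END { print p }')

    if [ -z "$prog" ]; then
        echo "no pinentry-program line in $conf"
        return 1
    fi

    # The post's caveat: the path must be absolute, so reject anything not starting with '/'.
    case "$prog" in
        /*) ;;
        *)  echo "pinentry-program '$prog' is not an absolute path"; return 1 ;;
    esac

    # This is the Homebrew-to-nix failure: the configured program no longer exists.
    if [ ! -x "$prog" ]; then
        echo "pinentry-program '$prog' does not exist or is not executable"
        return 1
    fi

    echo "pinentry-program OK: $prog"
    return 0
}

# Example invocation (uncomment to run against your own config):
# check_pinentry_conf "$HOME/.gnupg/gpg-agent.conf"
```

Run it after editing gpg-agent.conf and before killall gpg-agent; a non-zero exit means the agent would still fail to launch a pinentry, so fix the path first rather than rerunning gpg2 --gen-key.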
I managed to get the new GnuPG key generated. The pinentry dialog showed at the right time and everything seems to be working fine.