GnuPG key on macOS with nix

Solving a mysterious pinentry problem

Recently I switched from Homebrew to nix as my macOS package manager. That meant some of my existing configuration stopped working because of path changes. One of the misconfigured things was GnuPG. In hindsight it seems obvious that this was the source of the problem, but I arrived at that conclusion only after spending a considerable amount of time trying to work out what was wrong.

It all started with the need to generate a new GnuPG key. In theory that should be a simple operation, just a gpg2 --gen-key away, but when I ran it I was greeted with the following error:

gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry

Because GnuPG is not something I use too often, it took me a while to find a solution to this problem. In the end it turned out that the path to the pinentry program, stored in ~/.gnupg/gpg-agent.conf, was wrong. It was pointing at the program that had been installed by Homebrew, but that program no longer existed.

I expected that finding a solution would be easy. It should just be a matter of installing another pinentry program, this time with nix.

The installation was quick:

$ nix-env -i pinentry

Then it was a matter of changing the path in the configuration file and restarting gpg-agent. Despite my expectation that everything would return to normal, it didn't. Still, I had made progress: the new error showed that something else was wrong:

gpg: pinentry launched (348 unknown 0.9.7 ? ? ?)
gpg: agent_genkey failed: No such file or directory
Key generation failed: No such file or directory

It took me a bit longer to figure out, and although I'm not certain what the cause was, I found a solution. What worked was switching from the tty-based pinentry to the one created specifically for macOS. By doing:

$ nix-env -e pinentry
$ nix-env -i pinentry-mac

And updating the configuration file, then restarting the agent:

$ cat ~/.gnupg/gpg-agent.conf
pinentry-program /Users/lukasz/.nix-profile/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac

$ killall gpg-agent

One caveat is that the path to the pinentry program needs to be absolute. It is worth getting this right for more than convenience: pinentry is the program your passphrase is typed into, so the configured path should point at a program you deliberately installed and not at whatever happens to be lying around. Pointing it under ~/.nix-profile keeps the path stable across nix upgrades, since that symlink always tracks the current profile generation. Also, gpgconf --kill gpg-agent is the supported way to restart the agent after a config change; killall gpg-agent works as well, as above.
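As an added example that is not part of the original post, here is a small POSIX shell helper that performs the configuration step above with the checks I would want: it refuses a pinentry path that is not absolute or not executable (the two mistakes behind the errors earlier), rewrites the pinentry-program line idempotently instead of appending a duplicate, tightens permissions on the config, and restarts the agent. The function names, the argument order, and the temporary file naming are my own choices; the paths from the post (~/.gnupg/gpg-agent.conf and the pinentry-mac binary under ~/.nix-profile) are what you would pass in on a real machine.

```shell
#!/bin/sh
# Added example, not code from the original post.
# set_pinentry CONF PINENTRY: write "pinentry-program PINENTRY" into CONF,
# replacing any existing line. Returns 1 if PINENTRY is not an absolute
# path to an executable, which is exactly the state that produced the
# "No pinentry" / "No such file or directory" errors.
set -u

set_pinentry() {
    conf=$1
    pinentry=$2

    # gpg-agent needs an absolute path; reject anything else up front
    case $pinentry in
        /*) ;;
        *)  echo "pinentry path must be absolute: $pinentry" >&2; return 1 ;;
    esac

    # a path that no longer exists (e.g. the old Homebrew binary) is useless
    if [ ! -x "$pinentry" ]; then
        echo "pinentry not found or not executable: $pinentry" >&2
        return 1
    fi

    confdir=$(dirname "$conf")
    mkdir -p "$confdir"
    chmod 700 "$confdir"          # ~/.gnupg must not be readable by others
    [ -f "$conf" ] || : > "$conf"

    # drop any existing pinentry-program line, keep everything else, append ours
    tmp="$conf.tmp.$$"
    grep -v '^pinentry-program[[:space:]]' "$conf" > "$tmp" || true
    printf 'pinentry-program %s\n' "$pinentry" >> "$tmp"
    mv "$tmp" "$conf"
    chmod 600 "$conf"
}

# current_pinentry CONF: print the configured program (empty if none)
current_pinentry() {
    sed -n 's/^pinentry-program[[:space:]]*//p' "$1" | tail -n 1
}

# reload_agent: gpgconf is the supported way to restart gpg-agent;
# fall back to killall, which the post used
reload_agent() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill gpg-agent
    else
        killall gpg-agent 2>/dev/null || true
    fi
}

# Typical use on the setup from the post (assumed paths, not run here):
#   set_pinentry "$HOME/.gnupg/gpg-agent.conf" \
#     "$HOME/.nix-profile/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac" \
#     && reload_agent
```

After reloading, a quick way to confirm pinentry is wired up is to sign something, for instance `echo test | gpg --clearsign >/dev/null`, and check that the dialog appears.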

With that in place I managed to generate the new GnuPG key. The pinentry dialog showed up at the right time and everything seems to be working fine.