GPG Pinentry on macOS #109

Closed
molleweide opened this issue Jan 13, 2022 · 17 comments

@molleweide
Collaborator

molleweide commented Jan 13, 2022

From what it seems, gpg with pinentry is not working properly for me on
macOS. Personally, I have read through the setup-git command and feel like
I understand it, FYI. But I have to read through it a couple more times
to really feel like I understand everything.

I searched for neovim pinentry and found this plugin issue. Maybe it
will reveal some interesting information:

resources

jamessan/vim-gnupg#32
https://github.com/jamessan/vim-gnupg
https://gist.github.com/troyfontaine/18c9146295168ee9ca2b30c00bd1b41e

@molleweide
Collaborator Author

I believe that the problem could be that this is what shows in agent conf on
my intel after we ran setup-git together yesterday:

pinentry-program /usr/local/bin/pinentry

Does it say pinentry-mac on your machine?

@molleweide
Collaborator Author

molleweide commented Jan 13, 2022

Using pinentry-mac on the CLI did the trick.
I had to restart the agent with: `gpgconf --kill gpg-agent`

Next: test inside of neovim.

@molleweide
Collaborator Author

It did not work in neovim. I shall install the plugin, test and report back.
I will create a PR to add pinentry-mac if I get it to work.

@molleweide
Collaborator Author

molleweide commented Jan 13, 2022

But now that I think about it, didn't pinentry work when we used it together during Zoom? This makes me a little bit confused.
However, I guess this is only regarding "unlocking" the gpg-agent from what I understand. I believe that commit from within neovim works if I first supply my password outside neovim.

@molleweide
Collaborator Author

molleweide commented Jan 13, 2022

There is an export variable called GPG_TTY that this thread mentions you should export https://gist.github.com/troyfontaine/18c9146295168ee9ca2b30c00bd1b41e#step-4-modify-your-shell

From grepping, dorothy does not seem to make use of this variable.

@balupton
Member

It should be inside the ssh source files, perhaps I forgot to commit it, will look tomorrow

@molleweide
Collaborator Author

Ok, or maybe I made a mistake when searching

@balupton
Member

Is it not set for you?

dorothy/sources/ssh.sh

Lines 8 to 19 in 47b79d0

```bash
# fix gpg errors, caused by lack of authentication of gpg key, caused by pinentry not being aware of tty
# error: gpg failed to sign the data
# fatal: failed to write commit object
# you can test it is working via:
# setup-git
# echo "test" | gpg --clearsign
# if you are still getting those errors, check via `key list` that your key has not expired
# if it has, then run `key extend`
if command-exists gpg; then
	export GPG_TTY
	GPG_TTY="$(tty)"
fi
```

@molleweide
Collaborator Author

Yo! It is set! I was searching on the wrong computer.

@balupton
Member

So all good, was the pinentry to pinentry-mac change still needed?

@molleweide
Collaborator Author

molleweide commented Jan 14, 2022

At the moment, I am not sure. It was necessary yesterday when I did the testing but I will have to do some more test rounds.

I was writing from phone above.

I need to test some more combinations to be sure. I am assuming you have only pinentry-mac in your conf since that is what setup-git writes.
Under the vim plugin issue many people have liked the reply saying that pinentry-mac worked for them on mac, and it did for me as well, but if I recall it worked initially for us during Zoom with regular pinentry. Let's keep this issue open for now. I am feeling a bit sick so I just don't have the energy to test it atm. Maybe later today.

I installed the vim plugin and it did not resolve the issue for neovim. A lot of people, however, have upvoted one of the replies pertaining to macOS so it seems that some people have it working in neovim.

I will also test on M1.

@balupton
Member

Ok cool, keep me posted, hope you feel better

@molleweide
Collaborator Author

gpg seems to work and the neovim issue is unrelated so I'll close. But I think we should add a check
for darwin and use pinentry-mac instead. It seems to be more appropriate, or what do you think?
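
One way to do the darwin check discussed in this thread, as an added example that is not part of any comment here and is not dorothy's own code. The function names `pick_pinentry` and `set_pinentry_program` are hypothetical, and the demo runs against a constructed sandbox directory rather than the real `~/.gnupg`.

```sh
#!/bin/sh
# Added example; pick_pinentry and set_pinentry_program are hypothetical names.

# Print the pinentry to use for OS $1 (a `uname -s` value), searching the
# colon-separated directories in $2 (default: $PATH). Darwin prefers pinentry-mac.
pick_pinentry() (
	names="pinentry"
	if [ "$1" = "Darwin" ]; then names="pinentry-mac pinentry"; fi
	search=${2:-$PATH}
	set -f # no globbing while splitting the search path
	for name in $names; do
		IFS=:
		for dir in $search; do
			if [ -n "$dir" ] && [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
				printf '%s\n' "$dir/$name"
				exit 0
			fi
		done
	done
	exit 1
)

# Make gpg-agent.conf $1 contain exactly one pinentry-program line pointing at $2.
# gpg-agent hands passphrase entry to this program, so only accept an absolute
# path to an existing executable.
set_pinentry_program() (
	conf=$1 program=$2
	case $program in /*) ;; *) exit 2 ;; esac
	[ -f "$program" ] && [ -x "$program" ] || exit 2
	umask 077
	tmp="$conf.tmp.$$"
	if [ -f "$conf" ]; then
		grep -v '^[[:space:]]*pinentry-program[[:space:]]' "$conf" >"$tmp" || true
	else
		: >"$tmp"
	fi
	printf 'pinentry-program %s\n' "$program" >>"$tmp"
	mv "$tmp" "$conf"
)

# Demo on a constructed sandbox (fake binaries, stale conf), not the real ~/.gnupg.
sandbox=$(mktemp -d)
mkdir "$sandbox/bin"
for b in pinentry pinentry-mac; do : >"$sandbox/bin/$b"; chmod +x "$sandbox/bin/$b"; done
printf 'default-cache-ttl 600\npinentry-program /usr/local/bin/pinentry\n' >"$sandbox/gpg-agent.conf"
set_pinentry_program "$sandbox/gpg-agent.conf" "$(pick_pinentry Darwin "$sandbox/bin")"
cat "$sandbox/gpg-agent.conf"
# On a real machine, follow with `gpgconf --kill gpg-agent` so the agent rereads it.
rm -rf "$sandbox"
```
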

@balupton
Member

> gpg seems to work and the neovim issue is unrelated so I'll close. But I think we should add a check
> for darwin and use pinentry-mac instead. It seems to be more appropriate, or what do you think?

I'll review later today.

@balupton changed the title from "gpg pinentry (macos)" to "GPG Pinentry on macOS" on Jan 15, 2022

@molleweide
Collaborator Author

How often is one expected to have to supply the gpg password after having run the setup-git script? Do you know this?
I am not sure what the pattern is atm.

@molleweide
Collaborator Author

It turns out that editing encrypted files works with neovim with the current configuration and pinentry-mac, and the issue seems to be with the neogit plugin. I have started the process of filing a report to neogit.

@balupton
Member

The upgrades to gpg-helper over the past few months have definitely resolved this.
