I just started using
gpg-agent for the first time on OS X. Coming from my familiarity with
ssh-add, there were some surprises.
If you use Homebrew, it’s easy:
brew install gpg-agent
The reason I started investigating this is so I could do batch encryption and decryption from a within a shell script.
Here the command I want to run is something like:
gpg -a -q --batch --no-tty --yes -r email@example.com -o $FILE.encrypted -e $FILE
Encryption is done with the public key, so you don’t need to enter a passphrase, but I was nevertheless getting derailed by a prompt:
It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes.
I believe the cause is that my key pair was generated on another machine, and when I switched machines, it lost its trust settings. They can be restored (to "ultimate" trust) with:
gpg --edit-key firstname.lastname@example.org
and then entering
trust at the prompt, entering and confirming the desired trust level (
5) and then issuing a
Decryption requires the private key, so to avoid entering a passphrase repeatedly, I wanted to use
Specifically, the kind of command I wanted to run was like:
gpg -q --yes --batch --no-tty --use-agent -o $OUTFILE -d $INFILE
--use-agent switch which instructs
gpg to try and use
To make this work, we either need to do:
eval $(gpg-agent --daemon --allow-preset-passphrase)
eval $(gpg-agent --daemon)
(Which requires us to add
This all works without the
allow-preset-passphrase stuff, but the
gpg-agent is configured to remember passphrases for only 600 seconds, unlike
ssh-agent. It is possible to increase that time span with the
--max-cache-ttl settings, but if you want to make it permanent you need to use the
This is where it gets tricky. As I said above, there is no man page. Furthermore, the tool is not installed in your
$PATH by default, but can be found at
/usr/local/opt/gpg-agent/libexec/gpg-preset-passphrase when installed via Homebrew.
Finally, you need a
KEYGRIP, which this mailing list post informs us is actually the fingerprint of the key, and not just the fingerprint, but the subkey fingerprint, which you can display with the arcane
gpg --fingerprint --fingerprint command.
KEYGRIP=$(gpg --fingerprint --fingerprint email@example.com | grep fingerprint | tail -1 | cut -d= -f2 | sed -e 's/ //g') /usr/local/opt/gpg-agent/libexec/gpg-preset-passphrase --preset $KEYGRIP
That "remembers" passphrase for the given key. Note that whatever you type into standard in will be echoed directly to the screen without obfuscation, so be careful.
You can get the agent to "forget" the passphrase with:
/usr/local/opt/gpg-agent/libexec/gpg-preset-passphrase --forget $KEYGRIP