Ask Different (Apple)

Q&A for power users of Apple hardware and software

Latest Questions

2 votes
0 answers
127 views
Why does my Yubikey need to be unplugged/replugged once in a while?
My Yubikey is generally working fine on macOS:

* It can always write an OTP as a keyboard
* `ykman` always works
* `gpg --card-status` works for a while after I plug the Yubikey

However, after a while when running on a USB hub, `gpg --card-status` stops working and shows the following error instead:

```
% gpg --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device
```

Unplugging and replugging the Yubikey solves the problem... for a while. The Yubikey is plugged into my screen (which is plugged to the MacBook over USB-C). The exact same setup *always works* on Linux.

What could be causing this? Could it be that macOS somehow does something with smart cards, which would interfere with the gpg-agent? I noticed that macOS regularly shows notifications that essentially say that "a smartcard was plugged" and "a smartcard was unplugged" (I would say every few minutes). This sounds like there may be something conflicting (maybe a macOS service trying to access the smartcard?).
JonasVautherin (81 rep)
Jul 12, 2024, 08:01 AM • Last activity: Jul 22, 2024, 09:36 AM
1 votes
1 answers
102 views
Decrypting with gnupg just halts and does not work
I couldn't find a solution to this: I cannot decrypt my precious files anymore (on my main computer). I am using `pass` which relies on `gnupg`. Trying to decrypt a file just halts and doesn't give any result.

macOS 13.5.1

```
space for 65536 bytes
gpg: DBG: iobuf-1.0: underflow: A->FILTER (65536 bytes)
gpg: DBG: iobuf-1.0: A->FILTER() returned rc=0 (ok), read 641 bytes
gpg: DBG: parse_packet(iob=1): type=1 length=524 (parse.../../g10/mainproc.c.1641)
gpg: public key is __KEY__
gpg: DBG: free_packet() type=1
gpg: DBG: parse_packet(iob=1): type=18 length=112 (new_ctb) (parse.../../g10/mainproc.c.1641)
.... nothing is happening here ....
^C
gpg: signal Interrupt caught ... exiting
```

Does someone have a hint as to where to look, and what to try?
stewo (141 rep)
Sep 4, 2023, 09:29 PM • Last activity: Jun 1, 2024, 11:00 AM
1 votes
1 answers
1102 views
gpg-agent running but command line tools missing
When I was trying to configure my gpg-agent, there was no command line tool, i.e. `/usr/local/bin/gpg-agent` doesn't exist (nor does it exist in the other dirs in my `PATH` variable: `/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/texlive/2022/bin/universal-darwin`).

I'm running an M1 MacBook Pro, Monterey 12.3.1; I don't know what version of gpg-agent is running because I can't find it; also running gpg 2.3.4. This is a brand new machine and macOS is very unfamiliar to me: I normally run Arch Linux but this is a work machine.

This is confusing to me because I found a gpg-agent process running using `top` and similar programs. I don't know how Apple structures its file system so I don't know where else I should look. Can someone help me understand how gpg-agent could be running even though it doesn't seem to be installed in any of the usual places?

(Not sure if this is the right place for this kind of question. I'm new here, please be nice.)
user876164 (21 rep)
Apr 20, 2022, 05:12 PM • Last activity: Jan 12, 2024, 05:00 AM
1 votes
1 answers
486 views
GPG constantly throwing "no such file or directory" when doing operations
So I want to create a GPG so I can use it. I did `gpg --gen-key`, put in the information but it threw the `No such file or directory` error (see below).

```
❯ gpg --gen-key
gpg (GnuPG) 2.3.1; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: oof2win2
Email address: a@a.com
You selected this USER-ID:
    "oof2win2 "

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: No such file or directory
Key generation failed: No such file or directory
```

So, I went from [this answer](https://unix.stackexchange.com/a/330226) and ran `gpgconf --kill gpg-agent` and restarted my computer. This still didn't change anything or let it work. So I checked file permissions and got: `drwx------ 15 oof2win2 staff 480B Jun 17 22:42 .gnupg` 700, which looks fine. Set it to 770 and got this, so I think that file permissions are good.

```
❯ gpg --list-keys
gpg: WARNING: unsafe permissions on homedir '/Users/oof2win2/.gnupg'
/Users/oof2win2/.gnupg/pubring.kbx
```

What could be the cause of the GPG issue? I tried reinstalling GPG multiple times, reinstalling my machine but neither worked. Running Catalina 10.15.7, GPG 2.3.1
oof2win2 (21 rep)
Jun 17, 2021, 08:50 PM • Last activity: Mar 13, 2023, 03:06 AM
12 votes
2 answers
23028 views
How to use GUI pinentry program for GPG
I would always like to use the GUI version of entering my GPG passphrase. Currently my pinentry program is set the same on my laptop as my desktop. But the desktop always asks for my passphrase on the command line, and my laptop always asks using the GUI. What do I need to set to force the use of the GUI on the desktop?

Current `~/.gnupg/gpg-agent.conf`

```
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
```

Current `~/.gnupg/gpg.conf`

```
default-key 26A32A76
require-cross-certification
keyserver-options auto-key-retrieve
keyserver hkps://hkps.pool.sks-keyservers.net
auto-key-locate hkps://hkps.pool.sks-keyservers.net
keyserver-options no-honor-keyserver-url
comment GPG
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
no-emit-version
use-agent
```
Jason (1649 rep)
May 1, 2016, 01:45 AM • Last activity: Feb 28, 2023, 11:05 AM
4 votes
1 answers
1669 views
SSH keybased authentication using smartcard
I originally posted this on Information Security but am hoping to attract an answer here since this is OSX specific.

So I'm fairly new to more secure forms of key management, I've been used to storing my keys inside key files on my computer. Recently I wanted to try and see if I could set up SSH authentication to my webserver using a key stored on my NitroKeyPro, making my keychain more portable and secure in the process.

I followed this guide http://xmodulo.com/linux-security-with-nitrokey-usb-smart-card.html pretty much step by step but noticed that in the end, I did not need my NitroKeyPro to be inserted into my computer at all for the authentication to succeed. I have a feeling that upon exporting my key it somehow got added to my local key storage, making the NitroKey redundant, but I am not knowledgeable enough about the exact workings to be sure.

Would anyone be able to help me ensure that I can only SSH into my web server while my NitroKey is inserted into my computer?

Notes:

- OS: OSX El Capitan 10.11.4
- NitroKeyPro
- Even while the NitroKey is inserted into my computer it does NOT ask me to enter a pin when I attempt to SSH.
- OpenSC 0.15.0
- gpg 2.0.28

I tried removing from `~/.ssh` the following:

- id.rsa
- private_key.pem

After attempting to SSH to my web server again I get:

```
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
```

I assume this indicates that the SSH session cannot find my key to authenticate with. I checked if my computer was detecting the NitroKey by running:

```
> gpg --card-status
```

and received card information like I would expect.
MSB (141 rep)
May 2, 2016, 07:54 PM • Last activity: Sep 2, 2022, 06:04 PM
12 votes
2 answers
8463 views
GUI PGP / GnuPG application
I encrypt all of my documents before storing them in the cloud with GnuPG. My wife needs access to the documents, but running gpg -d foo.pdf.gpg at the command line is annoying to her. Does anyone know of a GUI app for PGP / GnuPG for MacOS X? It would be great to simply drag an encrypted file to it, be prompted for a private key passphrase, and then get the unencrypted file. If nothing like this exists, I can probably whip one up in Clojure pretty easily, but I figured it was worth looking for one first.
Josh Glover (223 rep)
Feb 15, 2014, 10:55 AM • Last activity: Jul 16, 2022, 09:58 PM
40 votes
7 answers
41834 views
Email encryption options on an iPhone
I've started taking security more seriously lately. (Why only now you may ask? Because I'm a trusting fool that's why.) I've now got emails signing automatically and encrypting where I have their key. Previously I only did this when necessary, but I'm trying to breed a sense of change around me and taking my own medicine seems sensible. I have no issue with GPG in Thunderbird, Outlook, or on Android with K9 Mail & APG, but I have no idea how to handle GPG on IOS. I can't accept there's no way, it seems ridiculous, or maybe I'm approaching the problem wrong and there is a more appropriate route than GPG that's better supported?
SimonJGreen (523 rep)
Aug 24, 2013, 07:45 PM • Last activity: Jun 15, 2022, 10:55 AM
0 votes
1 answers
186 views
Cannot enable or disable Mail plug-ins
I have two Mail.app plug-ins installed: "GPGMailLoader.mailbundle" and "Smallcubed MailSuite.mailbundle". Currently, GPG is enabled, and works, and MailSuite is disabled. However, when I toggle either plugin (i.e. MailSuite to on or GPG to off), and restart Mail, the change hasn't taken. So I cannot use MailSuite, nor disable GPG.

I have tried:

- Reinstalling MacOS Mojave in-place (did not fix).
- Creating a new user (everything works for new user).

How can I further investigate this?
Cai (1056 rep)
Mar 16, 2020, 10:57 AM • Last activity: Jun 15, 2022, 10:32 AM
6 votes
0 answers
791 views
How to configure Xcode to fetch swift dependencies over ssh using a private key which is stored on a Yubikey ( HSM , gpg --card-status )
Problem currently is that I find no way to simply configure or instruct Xcode to check out source code or dependencies over git+ssh using ssh agent. Does Xcode at all support using the `ssh-agent`? I have not found any possibility to configure it without referring to its private key (usually referred to as `~/.ssh/id_rsa` etc. around on the web). Sadly I have no way of referring to the private key in Xcode when it is stored inaccessible for anyone else than the Yubikey (HSM).

Meta information: My gpg-agent is configured into my environment and works flawlessly in the terminal with some simple setup:

```
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
```

(See https://www.engineerbetter.com/blog/yubikey-ssh/ for details on yubikey setup)

`gpg --card-status` lists that my keypair is available, and it works in the terminal as `ssh-agent -L` lists my public key and I can use it to ssh into remote hosts accepting my ssh key or issue `git clone..` in the terminal.
norrs (161 rep)
Oct 28, 2019, 04:56 PM • Last activity: Jun 15, 2022, 10:29 AM
7 votes
1 answers
996 views
How do I use my GPG agent for SSH everywhere?
On my system, I'm trying to set up SSH authentication through my GPG agent (installed via `brew`). So far, I have this working in my terminal thanks to adding the following lines to `~/.profile`:

```
# Enable SSH support through GPG
export "GPG_TTY=$(tty)"
export "SSH_AUTH_SOCK=${HOME}/.gnupg/S.gpg-agent.ssh"
```

However, GUI applications (e.g. PyCharm) still use the SSH agent built into Mac (annoyingly). Is there any way/place I can use to set my `SSH_AUTH_SOCK` for my entire session? Ideally, I don't want to disable SIP to achieve my goal, and solutions like [this](https://support.shotgunsoftware.com/hc/en-us/articles/219042108-Setting-global-environment-variables-on-OS-X) don't seem to work.

For example, running `import os; os.environ['SSH_AUTH_SOCK']` in PyCharm's builtin Python Console will still show `/private/tmp/com.apple.launchd.whatever/Listeners` instead of my auth sock. Likewise, it will not prompt for my GPG key passcode but instead go through the standard authentication flow. This also persists in XCode, using a small sample program to get the value of `SSH_AUTH_SOCK`, so it's not PyCharm or a Python-only problem.

I'm currently running Mojave 10.14.4 on my system.
Kaz Wolfe (470 rep)
Apr 13, 2019, 06:48 PM • Last activity: Jun 15, 2022, 06:09 AM
1 votes
1 answers
541 views
How can I remove GPG-AGENT setting from Enigmail?
In the Enigmail preferences, I checked the option of using GPG-AGENT and afterwards that option disappeared completely from the preferences pane. I am now unable to use the encryption since there is never any prompt for a passphrase. However I now wish to revert to using the old style with Enigmail/Thunderbird asking me the passphrase but I am now neither able to change it through Enigmail nor able to find the correct place to change the agent to be used. Is there a way to get around this? I do not wish to use GPG-AGENT/Pinentry, so I really need this to work.
vkumar (111 rep)
Dec 28, 2013, 03:13 PM • Last activity: Jun 15, 2022, 06:09 AM
0 votes
1 answers
79 views
KeyChain Access and GPG Keychain - should those be running simultaneously?
I have installed GPG Suite and found out also during this time that my OS X has some app that stores all my passwords under my screenlock password - total news to me. Can I get rid of Apple app if I now have GPG? Really need help with this Apple app.. Thank you.
user137810
Oct 22, 2015, 03:25 PM • Last activity: Jun 15, 2022, 06:08 AM
16 votes
1 answers
2375 views
Default email signing with OS X Mail
I have both a GPG key and an SSL certificate. I am able to sign emails by choosing OpenPGP or S/MIME in the upper right corner of the window (image: Signing drop-down). I can then activate the signing by clicking the appropriate icon (image).

Now my question(s):

- is it possible to sign by default? (always unless specified)
- is it possible to sign by default only for a given account?

**Edit 1** The ideal setup with three accounts would be

1. **account 1 always signs with S/MIME (the address is in the S/MIME certificate)**
2. account 2 always signs with GPG (the address is in the GPG certificate)
3. account 3 do not sign (the address is not present in any certificate)

**Edit 2** The priority is the S/MIME certificate, I could also live without GPG where only account 1 is using the S/MIME certificate by default.

**Edit 3** I was now able to set S/MIME as the default (see *Define the security method to be used*, in the GPGMail 2 hidden settings FAQ). When I then switch to account 2 (the one with the GPG key) the default falls back to GPG (as the address of account 2 is not present in the S/MIME certificate).

```
defaults write org.gpgtools.gpgmail DefaultSecurityMethod -int 2
```

So far so good, now I just have to find out how to sign by default with S/MIME (and not with GPG)
Matteo (9045 rep)
Nov 26, 2013, 11:21 AM • Last activity: Jun 15, 2022, 06:08 AM
0 votes
1 answers
577 views
How to install gpg without Admin password
I have a monitored OS X laptop that I would like to put GNU Privacy Guard (gpg) on. Of course I can't because I don't have Admin rights, but I was hoping there is a way to install it in user space through a virtual environment or chroot, or some other wizardry, or by extracting the package files. Obviously I only need console access to the app.
Dan (113 rep)
Aug 26, 2015, 03:09 PM • Last activity: Jun 15, 2022, 06:08 AM
2 votes
0 answers
368 views
Homebrew-compiled gpg-agent fails, gpg: cancelled by user
I'm trying to get gpg-agent working on OS X, compiled with homebrew. Here's my gpg-agent.conf:

```
djc@djc-mbp ~ $ cat .gnupg/gpg-agent.conf
pinentry-program /usr/local/bin/pinentry-curses
no-grab
```

However, when I try to test it, it fails:

```
djc@djc-mbp ~ $ echo "test" | gpg -ase -r 30380381 | gpg
You need a passphrase to unlock the secret key for
user: "Me "
4096-bit RSA key, ID 30380381, created 2013-09-16
gpg: cancelled by user
gpg: no default secret key: bad passphrase
gpg: [stdin]: sign+encrypt failed: bad passphrase
gpg: processing message failed: eof
```

Any clues on how to get this working?
djc (171 rep)
Feb 13, 2014, 08:22 PM • Last activity: Jun 14, 2022, 08:58 PM
1 votes
1 answers
968 views
Brew install fails on gpg-agent?
Is there another way to get gpg-agent in? I need GPG2 signing for RVM in order to provision a server.

The message

```
bash-4.3$ brew install --vd gnupg2
==> Installing dependencies for gnupg2: gpg-agent, dirmngr, libusb, libusb-compat
==> Installing gnupg2 dependency: gpg-agent
==> Downloading ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.26.tar.bz2
curl: (28) Connection timed out after 5004 milliseconds
Trying a mirror...
==> Downloading ftp://ftp.mirrorservice.org/sites/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.26.tar.bz2
curl: (7) Failed to connect to ftp.mirrorservice.org port 21: Operation timed out
Error: Failed to download resource "gpg-agent"
Download failed: ftp://ftp.mirrorservice.org/sites/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.26.tar.bz2
```

Unfortunately nothing too informative...
ehime (263 rep)
Nov 24, 2014, 05:23 PM • Last activity: Jun 14, 2022, 08:58 PM
3 votes
0 answers
286 views
Is there a PGP/GPG Plugin for TextWrangler?
Is there a PGP/GPG plugin for TextWrangler? If so, what is it called and how do I go about downloading and installing it?
Agi Hammerthief (131 rep)
Apr 2, 2014, 11:25 AM • Last activity: Jun 14, 2022, 08:48 PM
2 votes
1 answers
2796 views
Running a gpg shell script to decrypt a file via Automator
I regularly need to decrypt a gpg-encrypted file (always the same) to simply view it in TextEdit. I have a very simple shell script for that. It looks like this:

```
#!/bin/sh
outfile=`mktemp -t $$`   # Temporary file name
gpg --output $outfile --decrypt /path/to/file.gpg
open -a TextEdit $outfile
sleep 1
rm $outfile
```

When run from the terminal, all goes well. GPG asks for my passphrase in a pop-up window, TextEdit comes up, the temp file is deleted and all is great.

Not so in Automator. I select "Run Shell Script", ignore the shell script input, paste the contents of the script (except for the first line). TextEdit pops up with a blank file and GPG never asks for the passphrase. I tried using the full path to GPG but that didn't do it. I know virtually nothing of Automator actions so the problem surely comes from me. Any help appreciated!
Dominique (402 rep)
Apr 30, 2012, 09:44 PM • Last activity: Jun 14, 2022, 08:47 PM
3 votes
1 answers
12872 views
Cannot decrypt GPG file after installing GPG Suite from GPG Tools
I have installed GPG Suite by GPG Tools on my Mac. I sent my public key to my associate, who encrypted a file and sent it to me. The file, `myfile.gpg`, is now sitting on my desktop and I'm told by my associate that I just have to double-click on it, enter my private key, and the file will be decrypted. Sounds reasonable, but it doesn't work. I double-click on `myfile.gpg` and OS X reports there is no application to open the file. I restarted my Mac and the problem still exists. Do I need to manually set up a file association? What am I doing wrong?
Swisher Sweet (5620 rep)
Feb 7, 2014, 04:40 PM • Last activity: Jun 14, 2022, 07:42 PM
Showing page 1 of 20 total questions