Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
3
votes
1
answers
2155
views
gpg-agent (macOS) doesn't provide any key for SSH
There are several topics addressing similar issues, but none of the solutions provided there work for my environment, being:
- macOS 11.2.3 (MacBookPro M1/Apple silicon)
- GnuPG 2.2.27 (installed via Homebrew)
- Zsh shell
- GPG key with Auth-only subkey for SSH
The *~/.gnupg/gpg-agent.conf* file:
```
pinentry-program /opt/homebrew/bin/pinentry-tty
enable-ssh-support
```
The *~/.gnupg/sshcontrol* file:
`FADD8723...AE7ED` (the keygrip retrieved with `gpg -K --with-keygrip`)
The *~/.zshrc* file:
```
unset SSH_AGENT_PID
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
```
I made sure *ssh-agent* is not running (also rebooted the system to be sure).
But no keys are found when running:
```
ssh-add -L
The agent has no identities
```
What am I missing?
EDIT: I should add that I also configured a few Debian 10 systems like this and it works just fine.
justClouds
(71 rep)
Apr 1, 2021, 04:40 PM
• Last activity: Jun 27, 2025, 02:07 PM
0
votes
0
answers
134
views
How can I prevent gpg-agent from asking for a password?
I am using Fedora 40 (KDE) and I have followed the Arch Wiki guide on how to set it up. However, I would like to unlock - or, whatever is happening in the background - my GPG keys upon login.
I am trying to set it up in a similar fashion to how `ssh-agent` works: that it caches the password (?) and it doesn't ask for it when you SSH into a remote machine; it just logs you straight in.
The way it works now, is that it caches the password for however long you have set up `default-cache-*` but if you log out and back in, you'll have to reenter the passphrase.
telometto
(2191 rep)
Oct 11, 2024, 12:17 PM
• Last activity: Jun 23, 2025, 05:22 AM
0
votes
0
answers
43
views
Using password-store to use a retrieved password in a bash command without displaying it, possibly in a script?
A few years ago, I read about secrets being passed to commands without displaying and in an automated or scripting manner.
Is it possible to do this using `pass`?
I figure if it is setup in a way in which upon boot something similar to `ssh-agent` to keep the GPG encryption key in memory.
leeand00
(4937 rep)
Jun 5, 2025, 03:38 PM
• Last activity: Jun 6, 2025, 03:40 AM
0
votes
2
answers
860
views
gpg-agent is not logging to file specified in `gpg-agent.conf`
Below is my `gpg-agent.conf` file, the `log-file` option specifies where to put log however even though `gpg-agent` works fine the log has never been created.
I'm thinking either the option is ignored or I'm missing some additional options?
My environment is `Debian 12` therefore `systemd`, is it possible logs are put into some other log file? I want the log file to be written as set in `gpg-agent.conf`
```
# Set the time a cache entry is valid to n seconds.
default-cache-ttl 14400 # 4h
# Set the maximum time a cache entry is valid to n seconds.
max-cache-ttl 28800 # 8h
# Use program filename as the PIN entry.
pinentry-program /usr/bin/pinentry-qt
# This option asks the Pinentry to timeout after n seconds with no user input.
pinentry-timeout 120 # 2min
# Append all logging output to file
log-file /var/log/gpg-agent.log
```
`gpg-agent` docs and the `gpg-agent.conf` file is put into `~/.gnupg/gpg-agent.conf`
I have checked both `/var/log/user.log` and `/var/log/syslog` and the agent is not logging there, only messages seen are that the agent was started by `systemd`
Below is troubleshooting output:
`gpgconf --check-options gpg-agent`
> gpg-agent:Private Keys:/usr/bin/gpg-agent:1:1:
`gpgconf --list-options gpg-agent`
```
Monitor:1:0:Options controlling the diagnostic output:0:0::::
verbose:12:0:verbose:0:0::::
debug-level:24:1::1:1::"none::
log-file:8:1:write server mode logs to FILE:32:1:FILE:::"/var/log/gpg-agent.log
Configuration:1:0:Options controlling the configuration:0:0::::
disable-scdaemon:8:1:do not use the SCdaemon:0:0::::
enable-ssh-support:0:0:enable ssh support:0:0::::
ssh-fingerprint-digest:24:2:use ALGO to show ssh fingerprints:1:1:ALGO:"md5::
enable-putty-support:0:0::0:0::::
enable-extended-key-format:8:3::0:0::::
faked-system-time:0:3::1:1::::
Security:1:0:Options controlling the security:0:0::::
default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::14400
default-cache-ttl-ssh:24:1:expire SSH keys after N seconds:3:3:N:1800::
max-cache-ttl:24:2:set maximum PIN cache lifetime to N seconds:3:3:N:7200::28800
max-cache-ttl-ssh:24:2:set maximum SSH key lifetime to N seconds:3:3:N:7200::
ignore-cache-for-signing:8:0:do not use the PIN cache when signing:0:0::::
no-allow-external-cache:8:0:disallow the use of an external password cache:0:0::::
no-allow-mark-trusted:8:1:disallow clients to mark keys as "trusted":0:0::::
Passphrase policy:1:1:Options enforcing a passphrase policy:0:0::::
enforce-passphrase-constraints:8:2:do not allow bypassing the passphrase policy:0:0::::
min-passphrase-len:24:1:set minimal required length for new passphrases to N:3:3:N:8::
min-passphrase-nonalpha:24:2:require at least N non-alpha characters for a new passphrase:3:3:N:1::
check-passphrase-pattern:8:2:check new passphrases against pattern in FILE:32:1:FILE:::
check-sym-passphrase-pattern:8:2::32:1::::
max-passphrase-days:24:2:expire the passphrase after N days:3:3:N:0::
enable-passphrase-history:8:2:do not allow the reuse of old passphrases:0:0::::
Pinentry:1:1:Options controlling the PIN-Entry:0:0::::
no-allow-loopback-pinentry:8:2:disallow caller to override the pinentry:0:0::::
grab:8:2:let PIN-Entry grab keyboard and mouse:0:0::::
pinentry-timeout:8:1:set the Pinentry timeout to N seconds:3:3:N:::120
allow-emacs-pinentry:8:1:allow passphrase to be prompted through Emacs:0:0::::
```
metablaster
(776 rep)
Apr 21, 2024, 08:29 AM
• Last activity: Apr 22, 2025, 07:29 PM
0
votes
1
answers
41
views
What is the difference and relation between the "--default-cache-ttl" and "--max-cache-ttl" options?
About GPG is mentioned the `gpg-agent` and I read the following answer:
* [gpg does not ask for password](https://unix.stackexchange.com/a/395876/383045)
Where is mentioned the `--default-cache-ttl` and `--max-cache-ttl` options. So I found this official source:
* [man - GPG-AGENT(1)](https://www.gnupg.org/documentation/manuals/gnupg24/gpg-agent.1.html)
```
--default-cache-ttl n
    Set the time a cache entry is valid to n seconds. The default is 600 seconds.
    Each time a cache entry is accessed, the entry's timer is reset.
    To set an entry's maximum lifetime, use max-cache-ttl
    Note that a cached passphrase may not be evicted immediately from memory if
    no client requests a cache operation. This is due to an internal housekeeping
    function which is only run every few seconds.
--max-cache-ttl n
    Set the maximum time a cache entry is valid to n seconds.
    After this time a cache entry will be expired even if it
    has been accessed recently or has been set using gpg-preset-passphrase.
    The default is 2 hours (7200 seconds).
```
Therefore consider the **main question** as follows:
* What is the difference and relation between the `--default-cache-ttl` and `--max-cache-ttl` options?
And as secondary questions the following:
* What is exactly the `cache entry`?
* What is the criteria of the `gpg-agent` to know when consider/apply the `--default-cache-ttl` and `--max-cache-ttl` options?
Therefore I want to clearly understand the points/scenarios/criteria about when and why was considered the 600 seconds (10 minutes) and 7200 seconds (2hrs) according with each option
Manuel Jordan
(2108 rep)
Apr 7, 2025, 01:05 AM
• Last activity: Apr 7, 2025, 07:09 AM
6
votes
1
answers
1338
views
Intermingled input when using local gpg-agent from remote site
I'm starting a local `gpg-agent` on my Mac, with the `extra-socket` option. Then I connect to a remote site using SSH, forwarding the remote `S.gpg-agent` socket to the local `S.gpg-agent.extra` socket. This works:
```
ssh -R /remotehome/.gnupg/S.gpg-agent:/localhome/.gnupg/S.gpg-agent.extra remotesystem
```
When I want to sign something on the remote machine, the `pinentry` dialog pops up locally and asks for the password, which is the way it should work. However, when I start typing my password, some of the key presses obviously go into `pinentry` (they are displayed as `*`) whereas some key presses end up in the shell that runs on the same tty as the `pinentry` process.
```
┌────────────────────────────────────────────────────────────────┐
│ Note: Request from a remote site. │
│ │
│ Please enter the passphrase to unlock the OpenPGP secret key: │
│ "My name " │
│ 4096-bit RSA key, ID MYKEYIDXXX0000YYY, │
│ created 2015-06-17 (main key ID MYMAINKEYIDXXX0000YYY). │
│ │
│ │
│ Passphrase: t*i*e_____________________________________________ │
│ │
│ │
└────────────────────────────────────────────────────────────────┘
```
Pressing Return has a chance of either sending the mangled password to `gpg`, or sending whatever key presses that didn't go into `pinentry` to the shell:
```
/bin/ksh: tie: not found
```
How do I get `pinentry` to grab _all_ keys from the tty?
The local machine is a Mac running GnuPG 2.1.14 (compiled from `pkgsrc`). The remote site is either a Linux machine with the same version of GnuPG or an OpenBSD machine with GnuPG version 2.1.15 (no difference). The `extra-socket` option is the only option enabled in my `gpg-agent.conf`. The environment variable `GPG_TTY` is correctly set, and running `gpg-connect-agent updatestartuptty /bye` locally will move the tty on which `pinentry` starts up, but with the same problem.
Doing `gpg-connect-agent updatestartuptty /bye` on the remote machine results in
```
$ gpg-connect-agent updatestartuptty /bye
gpg-connect-agent: connection to agent is in restricted mode
ERR 67109115 Forbidden
```
... which is what I kinda expect should happen.
Changing from the curses interface to the tty interface for `pinentry` makes no difference. These are the only two `pinentry` interfaces available to me. I do not run X11.
---
Update: With the local system running OpenBSD 6.3 (GnuPG 2.2.9) and the remote being some Ubuntu system (GnuPG 2.1.11), it's even worse with _no_ key presses going into `pinentry` and everything being read by the shell.
Kusalananda
(354278 rep)
Nov 21, 2016, 10:13 PM
• Last activity: Mar 26, 2025, 10:19 PM
31
votes
3
answers
10869
views
GPG agent doesn't remove my SSH key from the keyring
I have a really troubling problem. I can't get `gpg-agent` to remove my SSH key from its keyring and it even persists there after many reboots.
```
$ ssh-add -D
SSH_AGENT_FAILURE
Failed to remove all identities.
```
Even when I tell it to remove the identity:
```
$ ssh-add -d /path/to/private/key
Identity removed: /path/to/private/key
```
I then look
```
$ ssh-add -l
4096 1b:cb:52:a6:e5:13:e6:78:14:12:92:8f:34:8f:92:88 /path/to/private/key
```
and it's still there.
Where is this being cached? It seems to be writing to disk for some reason, which is a scary thing for a SSH agent to do. I'm running the following to start `gpg-agent`:
```
gpg-agent --enable-ssh-support --daemon
```
Everything else works fine, but it's caching this file somewhere and I need to delete it.
Naftuli Kay
(41346 rep)
Feb 18, 2015, 01:17 AM
• Last activity: Feb 19, 2025, 04:51 PM
2
votes
2
answers
2884
views
GPG key is not getting generated : agent_genkey in gpg is looking for some file
I'm facing issue to generate gpg key on my mac (`10.15.7 Catalina`). It is showing some error that the `agent_genkey` is looking for some file which is not available.
Below is the debug information from that:
```
% gpg --gen-key -vvvvv
gpg (GnuPG) 2.3.1; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: using character set 'utf-8'
gpg: Note: RFC4880bis features are enabled.
gpg: directory '/Users/test/.gnupg' created
gpg: keybox '/Users/test/.gnupg/pubring.kbx' created
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: test name
Email address: testname@gmail.com
You selected this USER-ID:
"test name "
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: no running gpg-agent - starting '/usr/local/Cellar/gnupg/2.3.1/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to the agent established
gpg: pinentry launched (12023 curses 1.1.1 /dev/ttys002 xterm-256color - ? 502/20 0)
gpg: agent_genkey failed: No such file or directory
Key generation failed: No such file or directory
```
gpg version is `2.3.1` and git version is `2.30.0`.
```
% gpg --version
gpg (GnuPG) 2.3.1
libgcrypt 1.9.3
```
I have tried suggestions given in various posts: like deleting the home directory (~/.gnupg), stopping the `gpg-agent`, reinstalling the `gpg` package (using brew).
It had worked around 1 month back. There was some issue with the previous keys. So, I had to delete those all and generate fresh and that is where the problem started.
Before reinstalling it, it was timing out in generation of gpg key. I had run `dd` commands to help generate randomness. But that did not work either.
Learner
(297 rep)
Apr 27, 2021, 04:24 PM
• Last activity: Feb 13, 2025, 09:53 AM
53
votes
1
answers
45788
views
How does GPG agent work?
I have a line in my gpg.conf file which says `use-agent`.
I understand this refers to gpg-agent which is a daemon.
The man page states "gpg-agent is a daemon to manage secret (private) keys independently from any protocol. It is used as a backend for gpg and gpgsm as well as for a couple of other utilities."
Can anybody explain what this means in the context of gpg? What is the point of gpg-agent?
I have GPG 1.4 at present.
1. How can I tell whether the agent is running? I'm actually not even clear on whether gpg-agent is installed with the basic GPG 1.4 package.
2. How can I start it, if it is not running?
3. How can I stop it, if it is running?
SauceCode
(2495 rep)
Mar 6, 2015, 09:19 PM
• Last activity: Nov 2, 2024, 11:41 AM
1
votes
1
answers
345
views
systemd keeps restarting gpg-agent, even though gpg-agent.service and gpg-agent*.socket are masked
**Goal: I am trying to kill gpg-agent** (on Debian 12, if that matters) **and keep it dead forever.**
---
#### Aside: Why?
Because I just finished setting up GPG agent forwarding to my SSH server. Tried a few guides without success until I found [this one](https://benjamintoll.com/2023/06/07/on-gpg-agent-forwarding/) , which suggests:
```
$ gpg-connect-agent KILLAGENT /bye
```
on the remote host. With that, GPG agent forwarding finally works...
---
...but if I log in from another client (one that _doesn’t_ forward its gpg-agent socket to the remote host), then **systemd starts gpg-agent all over again**:
```
# Killing gpg-agent ---------------------------------------------
$ ssh
$ gpg-connect-agent KILLAGENT /bye
OK closing connection
$ exit
logout
Connection to closed
# Logging in with GPG socket forwarding: gpg-agent stays dead ---
$ ssh
$ pgrep gpg-agent
# 👌 no output
$ gpg --list-secret-keys
/home/rlue/.config/gnupg/pubring.kbx
------------------------------------
sec rsa3072/... # 🎉 it works!
$ exit
logout
Connection to closed
# Logging in from another client: gpg-agent is back -------------
$ ssh
$ pgrep gpg-agent
17077 # 🤬 bad systemd!
```
### How do you know it’s systemd?
```
$ pstree --show-parents --show-pids $(pidof gpg-agent)
systemd(1)---systemd(663)---gpg-agent(17077)
```
### Which is puzzling because...
This is all happening after running:
```
$ systemctl --user mask --now gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket
$ systemctl --user daemon-reload
```
I’ve even rebooted (see `Uptime` in the final section.) For reference, here is the status of all user systemd units:
```
$ systemctl --user list-unit-files
UNIT FILE STATE PRESET
app-print\x2dapplet@autostart.service generated -
at-spi-dbus-bus.service static -
dbus.service static -
dcim-transfer.photein.service disabled enabled
dcim-transfer.xferase.service disabled enabled
dconf.service static -
dirmngr.service static -
glib-pacrunner.service static -
gnubiff.service enabled enabled
gpg-agent.service masked enabled
pipewire-pulse.service enabled enabled
pipewire.service enabled enabled
pk-debconf-helper.service static -
shpool.service enabled enabled
ssh-agent.service static -
systemd-exit.service static -
systemd-tmpfiles-clean.service static -
systemd-tmpfiles-setup.service disabled enabled
wireplumber.service enabled enabled
wireplumber@.service disabled enabled
xdg-desktop-portal-gtk.service static -
xdg-desktop-portal-rewrite-launchers.service enabled enabled
xdg-desktop-portal.service static -
xdg-document-portal.service static -
xdg-permission-store.service static -
xferase.service disabled enabled
app.slice static -
background.slice static -
session.slice static -
dbus.socket static -
dirmngr.socket enabled enabled
gpg-agent-browser.socket masked enabled
gpg-agent-extra.socket masked enabled
gpg-agent-ssh.socket masked enabled
gpg-agent.socket masked enabled
pipewire-pulse.socket enabled enabled
pipewire.socket enabled enabled
pk-debconf-helper.socket enabled enabled
shpool.socket enabled enabled
basic.target static -
bluetooth.target static -
default.target static -
exit.target static -
graphical-session-pre.target static -
graphical-session.target static -
paths.target static -
printer.target static -
shutdown.target static -
smartcard.target static -
sockets.target static -
sound.target static -
timers.target static -
xdg-desktop-autostart.target static -
systemd-tmpfiles-clean.timer disabled enabled
54 unit files listed.
```
What gives? Any pointers would be deeply, deeply appreciated.
### OS & other details
```
$ neofetch
rlue@
-------------
OS: Debian GNU/Linux 12 (bookworm) x86_64
Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-5.2)
Kernel: 6.1.0-23-amd64
Uptime: 38 mins
Packages: 1549 (dpkg)
Shell: bash 5.2.15
Resolution: 1024x768
Terminal: /dev/pts/0
CPU: Intel Xeon E5-2690 v2 (4) @ 2.999GHz
GPU: 00:02.0 Vendor 1234 Device 1111
Memory: 3024MiB / 7940MiB
```
Ryan Lue
(1176 rep)
Aug 23, 2024, 09:38 PM
• Last activity: Aug 26, 2024, 06:38 PM
2
votes
1
answers
2774
views
how to disable a systemd service so that it does not start upon boot
According to https://wiki.debian.org/systemd `systemctl disable servicename` should prevent the service from starting upon boot.
If I do
```
systemctl --user stop gpg-agent
systemctl --user disable gpg-agent
```
then reboot, `gpg-agent` is still up. How do I disable that service in such sense that it does not start upon boot?
atapaka
(675 rep)
Feb 25, 2020, 06:17 PM
• Last activity: Aug 15, 2024, 08:20 PM
0
votes
1
answers
135
views
Decrypting multiple files quicker with gpg
The pass program is a command line utility to store passwords plus free form extra data in small files encrypted with gpg. It provides a grep sub-command in particular to find passwords by the extra data.
But this grep sub-command is painfully slow on my machine. I have nearly 200 passwords stored and internally each file is decrypted with `gpg` like so (without the `time` in front, of course):
```
% time gpg -d --quiet --yes --compress-algo=none --no-encrypt-to stackoverflow.gpg
the password output
user=0,000 sys=0,006 wall=0,382 (1,61)
```
Wall time is nearly 0.4 seconds which adds up to around 1 minute to grep through all files.
The `gpg-agent` is running and I have this version:
> gpg (GnuPG) 2.2.27
Two suspicions why this is slow:
1. Startup of `gpg` and communication with `gpg-agent` is slow, supported by the fact that user+sys times are small in comparison.
2. `gpg-agent` is slow, supported by the fact that after a `pass grep` run its cumulative CPU time is increased by 60 seconds, nicely matching the total time of the complete run.
Together, both point to `gpg-agent`, though I have no idea why the agent should be so slow. With `ps` I see it running as
```
/bin/gpg-agent --sh --daemon
```
Can someone shed some light on whether ~ 0.3 CPU seconds is reasonable for the agent per file or whether there is a way to improve this?
EDIT: **Further Findings**
Attaching `strace` to the agent, I find this:
```
20200 14:57:03.701648 getrusage(RUSAGE_SELF, {ru_utime={tv_sec=133, tv_usec=890780}, ru_stime={tv_sec=0, tv_usec=99975}, ...}) = 0
20200 14:57:03.701666 clock_gettime(CLOCK_PROCESS_CPUTIME_ID, {tv_sec=133, tv_nsec=990762100}) = 0
20200 14:57:04.063523 getpid() = 18035
```
where we have 360ms between `clock_gettime` and the `getpid` call.
And with ltrace:
```
20472 15:04:55.035574 strlen("my-password-here") = 10
20472 15:04:55.035641 gcry_kdf_derive(0x7d884b82c008, 10, 19, 2) = 0
20472 15:04:55.394727 gcry_cipher_setkey(0x7d884b82cbc0, 0x7d884b82c030, 16, 0x7d884b83c000) = 0
```
So `gcry_kdf_derive` takes 360ms. Whatever it does, can I get it to cache its result for a few seconds with some config setting. (... goes fetching the source code).
Harald
(1030 rep)
Jun 13, 2024, 10:44 AM
• Last activity: Jun 14, 2024, 07:11 AM
1
votes
1
answers
665
views
How can I start the gpg-agent daemon without a user logging on to the system
I am trying to pre-cache a GPG password into gpg-agent on a headless Ubuntu 20.04 server, I would like to achieve this without a user having to log on to the system.
The aim of this pre-caching is to get msmtp to read an email password (using passwordeval) which has been encrypted using GPG, without any interaction from a user. I understand this provides limited security (the GPG password is stored on the server) but it does prevent the email password being stored on disk in plain-text and means it cannot be accidentally committed into my code repo in plain-text either.
I have written a script which preloads the password and this works well if I login to the server. However, if I do not login, the gpg-agent is not started by systemd and so the password is not pre-cached.
**cache-gpg-agent.sh**
```
#!/bin/bash
export GNUPGHOME=/root/.gnupg
# Load our GPG password
set -o allexport
source /root/.credentials/gpg/.env
set +o allexport
GPG_TTY=$(tty)
export GPG_TTY
# Configure gpg-agent
echo allow-preset-passphrase > $GNUPGHOME/gpg-agent.conf
echo default-cache-ttl 34560000 >> $GNUPGHOME/gpg-agent.conf
echo max-cache-ttl 34560000 >> $GNUPGHOME/gpg-agent.conf
# Import GPG key
gpg --batch --import /root/.credentials/my-key.asc
# Loop Keygrips and set password
gpg --fingerprint --with-keygrip my-email@test.com | awk '/Keygrip/ { print $3 }' | xargs -I {} /bin/sh -c 'echo "$GPG_KEY_PASSWORD" | /usr/lib/gnupg/gpg-preset-passphrase --preset {}'
unset GPG_KEY_PASSWORD
```
I then set up a systemd service to run this script on system boot.
**cache-gpg-agent.service**
```
[Unit]
Description=Cache GPG Agent
After=network.target
[Service]
Type=simple
ExecStart=/home/myuser/scripts/cache-gpg-agent.sh
[Install]
WantedBy=multi-user.target
```
This didn't seem to work, when I logged in to the system I couldn't see a gpg-agent daemon instance. I tried adding the following to the script to initiate the gpg-agent:
```
eval $(gpg-agent --homedir /root/.gnupg --daemon)
```
but this also didn't work (I think the systemd instance of gpg-agent which runs on demand via /usr/lib/systemd/user/gpg-agent.service) replaces this instance I try to create.
I then tried adding a loop to my script to wait for an instance of gpg-agent to start:
```
while ! pgrep -f "gpg-agent --homedir /root/.gnupg --daemon" > /dev/null; do
    echo "Waiting for gpg-agent to start" >> /tmp/cache-gpg-agent.log
    sleep 1
done
```
This showed me that none of the GPG commands in my script were initiating the gpg-agent daemon. As soon as I logged into the system and issued any gpg command, gpg-agent is loaded, my wait condition is satisfied and the password is pre-cached.
So I have the pieces I need but I cannot get gpg-agent to start **before** a user logs into the system which is the desired goal.
The key seems to be something to do with the gpg-agent services installed in `/usr/lib/systemd/user/` which are run on-demand by any gpg commands, but these are run in the `user` context and I need them to run in the `system` context I think.
I've tried creating duplicates of the `user` services and added them to the `services` context but this was unsuccessful too - I'm a bit of a noob when it comes to `systemd` 😬.
Does anyone know if this can be achieved, I'm failing to understand why my script doesn't work, even when I load `gpg-agent --daemon` directly in my script - it seems any connectivity with gpg-agent can only occur once a user is logged in - is this a limitation I cannot work around?
# Update
Thanks to information provided by [u1686_grawity](https://unix.stackexchange.com/a/777987/613259) I managed to get this to work using the following steps:
I enabled service lingering for my root user as suggested:
```
loginctl enable-linger root
```
I also relocated my service file to the recommended location and updated the **After** and **WantedBy** attributes:
**/root/.config/systemd/user/cache-gpg-agent.service**
```
[Unit]
Description=Cache GPG Agent
After=sockets.target
[Service]
Type=simple
ExecStart=/home/myuser/scripts/cache-gpg-agent.sh
[Install]
WantedBy=basic.target
```
Finally, I updated the permissions, enabled the new service and rebooted.
```
chmod 600 /root/.config/systemd/user/cache-gpg-agent.service
systemctl --user enable cache-gpg-agent
```
This has allowed any background scripts on my system to decrypt GPG encrypted files without me having to log in to the system at boot, which is what I was trying to achieve.
davezeking
(13 rep)
Jun 7, 2024, 11:37 AM
• Last activity: Jun 12, 2024, 03:57 PM
2
votes
1
answers
1333
views
`gpg --pinentry-mode loopback` used to ask passphrase once but now it asks always
In short (Edit 1): How to make `gpg -qd --pinentry-mode loopback out.gpg` cache the passphrase for a period of time in the cli. It used to cache but now it doesn't.
Edit 2: I have tried this thing in both Kubuntu 24.04 Live iso image and a very old live iso image from 2017 called GParted live. In Gparted live iso, `--pinentry-mode loopback` caches the passphrase but not in Kubuntu live iso.
Edit 3: I have tested in Kubuntu 22.04, 23.10 and 24.04 using https://distrosea.com and `gpg --pinentry-mode loopback` symmetric decryption does indeed not cache the passphrase except 22.04.
And now the boring details:
In Kubuntu 22.04, I used to use these commands to create an encrypted file from stdin and to decrypt it:
`gpg --pinentry-mode loopback --output out.gpg --symmetric -` to encrypt
`gpg --pinentry-mode loopback -qd out.gpg` to decrypt.
While in a terminal session, the decryption command used to ask for the passphrase once for a certain time and I don't remember I did anything to get this behavior.
Now I have upgraded to Kubuntu 24.04 (by fully erasing the disk). But now, the decryption command above always asks for the passphrase in the same terminal session.
If I remove `--pinentry-mode loopback`, then the `pinentry-qt` dialog kicks and finally the decryption command stops asking for the passphrase for subsequent decryption commands with `--pinentry-mode loopback`.
So `pinentry-qt` correctly caches the passphrase but any subsequent `--pinentry-mode loopback` command requires a passphrase input with `pinentry-qt` in order not ask for the passphrase again.
I installed `pinentry-tty` and set the config in `~/.gnupg/gpg-agent.conf` to:
```
pinentry-program /usr/bin/pinentry-tty
```
and reloading the agent by: `gpg-connect-agent reloadagent /bye`.
This actually solves my problem by decrypting without using `--pinentry-mode loopback`. But what I want is the old (no config) behavior so I can get rid of updating all my scripts.
mrdolichenus (21 rep) • May 22, 2024, 07:03 AM • Last activity: May 23, 2024, 03:49 PM
0 votes • 0 answers • 189 views
gpg unusable secret key
`gpg --list-secret-keys --keyid-format=long` shows:
```
sec rsa2048/588EFF3348F037FB 2013-04-25 [SCEA]
...
uid [ultimate] ...
```
But if I try to sign a file with that key, I get:
```
skipped "588EFF3348F037FB": Unusable secret key
```
What is the problem here?
runrig (101 rep) • May 13, 2024, 06:10 PM
0 votes • 1 answers • 526 views
how to change/add gpg key to pass
I need to change the gpg key originally used for **pass** on my system to a newly generated key.
However, when I follow the advice I found on this thread: https://unix.stackexchange.com/questions/226944/pass-and-gpg-no-public-key, things don't seem to work out as they should. The command used and its output while trying to replace the original gpg key with an alternate gpg key was:
```
$ pass init -p .password-store GPG-id
mkdir: created directory '/home/naphelge/.password-store/.password-store'
Password store initialized for GPG-id (.password-store)
[master 8d65cea] Set GPG id to GPG-id (.password-store).
1 file changed, 1 insertion(+), 1 deletion(-)
```
So the command seems to just be making a new dir, **.password-store** in the original dir **.password-store** and creating a new **.gpg-id** file with my new key's GPG-id in it, and not proceeding to re-encrypt all of the gpg files in **.password-store** with the new gpg-key.
The same advice is provided in this thread regarding a similar goal as well: https://askubuntu.com/questions/929307/how-to-change-the-gpg-key-of-the-pass-password-store
I noticed that in the original **.gpg-id** file in the **~/.password-store** dir that it is the original gpg-key's fingerprint (without spaces between the (10) 4 digit blocks) that is saved. So I did try the same command above, `pass init -p .password-store FINGERPRINT-id`, using the new key's fingerprint (without spaces), as well as trying just specifying the email address associated with the key, `pass init -p .password-store naphelge@email.com`, to try and initiate the re-encryption of the gpg files in **.password-store** with the new gpg-key, but always with the same result.
So I am not sure, looking at other posts and the pass man page what else to try to get this to work. Any suggestions or advice appreciated. Thks.
naphelge (43 rep) • Apr 28, 2024, 12:57 PM • Last activity: Apr 29, 2024, 11:37 PM
1 votes • 3 answers • 2502 views
OpenGL fails to load due to nvidia driver
I have 2 video cards and installed the `nvidia` driver:
```
❯ lspci -nnk | grep -iA3 -E "(vga|NVIDIA).*(controller|GeForce)"
00:02.0 VGA compatible controller [0300]: Intel Corporation HD Graphics 620 [8086:5916] (rev 02)
DeviceName: Onboard IGD
Subsystem: Hewlett-Packard Company HD Graphics 620 [103c:82c1]
Kernel driver in use: i915
--
01:00.0 3D controller : NVIDIA Corporation GM108M [GeForce 940MX] [10de:134d] (rev a2)
Subsystem: Hewlett-Packard Company GM108M [GeForce 940MX] [103c:82c1]
Kernel driver in use: nvidia
Kernel modules: nouveau, nvidia_drm, nvidia
```
and modules loaded:
```
❯ lsmod | grep -iE '(iris|965|915|nouveau|nvidia)'
nvidia_drm 94208 4
nvidia_modeset 1556480 2 nvidia_drm
nvidia_uvm 3481600 2
nvidia 62734336 87 nvidia_uvm,nvidia_modeset
i915 4108288 39
i2c_algo_bit 20480 1 i915
drm_buddy 20480 1 i915
ttm 110592 1 i915
intel_gtt 28672 1 i915
drm_display_helper 229376 1 i915
video 77824 2 i915,nvidia_modeset
cec 86016 2 drm_display_helper,i915
```
having:
```
❯ sudo lshw -c video | grep 'configuration'
configuration: depth=32 driver=i915 latency=0 resolution=3840,2160
configuration: driver=nvidia latency=0
```
**For some reason, OpenGL (EGL) crashes and OpenGL (GLX) provides**:
```
❯ glxinfo | grep "OpenGL renderer"
libGL error: glx: failed to create dri3 screen
libGL error: failed to load driver: nouveau
OpenGL renderer string: Mesa Intel(R) HD Graphics 620 (KBL GT2)
```
Qt5 (e.g. `kwalletd5`) fails:
```
❯ kwalletd5
kf.wallet.kwalletd: Lacking a socket, pipe: 0 env: 0
libGL error: glx: failed to create dri3 screen
libGL error: failed to load driver: nouveau
```
I do not understand why libGL is looking for `nouveau` when `nouveau` is not installed. I understand the `nouveau` is for legacy NVIDIA and this NVIDIA card (i.e. `GM108M [GeForce 940MX]` with `NV118`) should use nvidia driver.
`eglinfo` creates a crashdump, that makes me guess that the driver was not properly compiled for this kernel ... ?!? (wondering ...)
```
❯ coredumpctl info eglinfo
PID: 3006 (eglinfo)
UID: 1026 (alex)
GID: 1000 (alex)
Signal: 6 (ABRT)
Timestamp: Sun 2023-10-08 10:50:39 EDT (1h 3min ago)
Command Line: /usr/bin/eglinfo
Executable: /usr/bin/eglinfo
Control Group: /user.slice/user-1026.slice/user@1026.service/app.slice/app-org.kde.kinfocenter-1e5614d213e84a2fac7e745b95873f3b.scope
Unit: user@1026.service
User Unit: app-org.kde.kinfocenter-1e5614d213e84a2fac7e745b95873f3b.scope
Slice: user-1026.slice
Owner UID: 1026 (alex)
Boot ID: 0e078812604c40b896a2926936fed0ed
Machine ID: 5e088a0fd5f24ea3ba800ad0886bc587
Hostname: azx360
Storage: /var/lib/systemd/coredump/core.eglinfo.1026.0e078812604c40b896a2926936fed0ed.3006.1696776639000000.zst (present)
Size on Disk: 2.0M
Message: Process 3006 (eglinfo) of user 1026 dumped core.
Stack trace of thread 3006:
#0 0x00007f8f4878483c n/a (libc.so.6 + 0x8e83c)
#1 0x00007f8f48734668 raise (libc.so.6 + 0x3e668)
#2 0x00007f8f4871c4b8 abort (libc.so.6 + 0x264b8)
#3 0x00007f8f4871d390 n/a (libc.so.6 + 0x27390)
#4 0x00007f8f4878e7b7 n/a (libc.so.6 + 0x987b7)
#5 0x00007f8f4878f30e n/a (libc.so.6 + 0x9930e)
#6 0x00007f8f4878f480 n/a (libc.so.6 + 0x99480)
#7 0x00007f8f48791a38 n/a (libc.so.6 + 0x9ba38)
#8 0x00007f8f48793dc1 __libc_calloc (libc.so.6 + 0x9ddc1)
#9 0x00007f8f46733bb1 n/a (libnvidia-eglcore.so.535.113.01 + 0x1533bb1)
#10 0x00007f8f46741a91 n/a (libnvidia-eglcore.so.535.113.01 + 0x1541a91)
#11 0x00007f8f46741b12 n/a (libnvidia-eglcore.so.535.113.01 + 0x1541b12)
#12 0x00007f8f46741ce0 n/a (libnvidia-eglcore.so.535.113.01 + 0x1541ce0)
#13 0x00007f8f48242f72 n/a (libEGL_nvidia.so.0 + 0x42f72)
#14 0x00007f8f482485a4 n/a (libEGL_nvidia.so.0 + 0x485a4)
#15 0x000055846b68f824 n/a (eglinfo + 0x8824)
#16 0x000055846b6932f5 n/a (eglinfo + 0xc2f5)
#17 0x000055846b68b2b6 n/a (eglinfo + 0x42b6)
#18 0x00007f8f4871dcd0 n/a (libc.so.6 + 0x27cd0)
#19 0x00007f8f4871dd8a __libc_start_main (libc.so.6 + 0x27d8a)
#20 0x000055846b68b6e5 n/a (eglinfo + 0x46e5)
ELF object binary architecture: AMD x86-64
```
more, looking to understand from `inxi`:
```
❯ inxi -Gx
Graphics:
Device-1: Intel HD Graphics 620 vendor: Hewlett-Packard driver: i915
v: kernel arch: Gen-9.5 bus-ID: 00:02.0
Device-2: NVIDIA GM108M [GeForce 940MX] vendor: Hewlett-Packard
driver: nvidia v: 535.113.01 arch: Maxwell bus-ID: 01:00.0
Device-3: Suyin HP TrueVision FHD RGB-IR driver: uvcvideo type: USB
bus-ID: 1-5:2
Display: x11 server: X.Org v: 21.1.8 driver: X: loaded: intel,nvidia
unloaded: modesetting dri: i965 gpu: i915 resolution: 3840x2160
API: EGL Message: No EGL data available.
API: OpenGL v: 4.6 vendor: intel mesa v: 23.2.1-arch1.2 glx-v: 1.4
direct-render: yes renderer: Mesa Intel HD Graphics 620 (KBL GT2)
API: Vulkan v: 1.3.264 drivers: nvidia surfaces: xcb,xlib devices: 1
```
here are the packages installed for video driver:
```
❯ pacman -Q | grep -iE '(nvidia|mesa|intel|cuda|vulkan|vdpau)'
intel-gmmlib 22.3.11-1
intel-gpu-tools 1.27-2
intel-media-driver 23.3.3-1
intel-media-sdk 23.2.2-2
libvdpau 1.5-2
mesa 1:23.2.1-2
mesa-utils 9.0.0-3
nvidia 535.113.01-4
nvidia-settings 535.113.01-1
nvidia-utils 535.113.01-2
vulkan-headers 1:1.3.264-2
vulkan-icd-loader 1.3.263-1
vulkan-tools 1.3.263-1
xf86-video-intel 1:2.99.917+923+gb74b67f0-1
```
Any guideline to fix OpenGL is much appreciated!
Update: after some troubleshooting, I identified that the problem was not directly related to nvidia, although it was triggered when installing the Nvidia driver.
I identified that `pinentry`, used by `gpg-agent`, had a problem getting the `X` or `plasmashell` device, probably to pop-up the dialog for the passphrase. A log about the issue:
```
[USER@MACHINE ~]$ Unsupported return type 65 QPixmap in method "grab"
Unsupported return type 65 QPixmap in method "grab"
Unsupported return type 65 QPixmap in method "grab"
Unsupported return type 65 QPixmap in method "grab"
[USER@MACHINE ~]$ journalctl -xe
Oct 13 17:00:17 MACHINE systemd-timesyncd: Contacted time server [REDACTED]:123 ([REDACTED].arch.pool.ntp.org).
Oct 13 17:04:55 MACHINE plasmashell: Could not find the Plasmoid for Plasma::FrameSvgItem(0x562417c320e0) QQmlContext(0x562413f2ad10) QUrl("file:///usr/share/pla>
Oct 13 17:04:55 MACHINE plasmashell: Could not find the Plasmoid for Plasma::FrameSvgItem(0x562417c320e0) QQmlContext(0x562413f2ad10) QUrl("file:///usr/share/pla>
Oct 13 17:09:04 MACHINE systemd-timesyncd: Timed out waiting for reply from [REDACTED]:123 ([REDACTED].arch.pool.ntp.org).
Oct 13 17:09:07 MACHINE plasmashell: trying to show an empty dialog
Oct 13 17:09:07 MACHINE plasmashell: file:///usr/share/plasma/plasmoids/org.kde.plasma.taskmanager/contents/ui/Task.qml:286: Unable to assign [undefined] to QStr>
Oct 13 17:09:07 MACHINE plasmashell: file:///usr/share/plasma/plasmoids/org.kde.plasma.taskmanager/contents/ui/Task.qml:286: Unable to assign [undefined] to QStr>
Oct 13 17:09:07 MACHINE systemd: Started System Settings - System Settings.
-- Subject: A start job for unit UNIT has finished successfully
-- Defined-By: systemd
-- Support: [REDACTED]
--
-- A start job for unit UNIT has finished successfully.
--
-- The job identifier is 590.
Oct 13 17:09:08 MACHINE systemsettings: file:///usr/lib/qt/qml/org/kde/kirigami.2/ScrollablePage.qml:200:9: QML MouseArea: Binding loop detected for property ">
Oct 13 17:09:08 MACHINE systemsettings: file:///usr/lib/qt/qml/org/kde/kirigami.2/ScrollablePage.qml:200:9: QML MouseArea: Binding loop detected for property ">
Oct 13 17:09:08 MACHINE systemsettings: QQmlEngine::setContextForObject(): Object already has a QQmlContext
Oct 13 17:09:14 MACHINE systemd-timesyncd: Timed out waiting for reply from [REDACTED]:123 ([REDACTED].arch.pool.ntp.org).
Oct 13 17:09:14 MACHINE systemd-timesyncd: Contacted time server [REDACTED]:123 ([REDACTED].arch.pool.ntp.org).
Oct 13 17:09:20 MACHINE kwalletd5: kf.wallet.backend: Setting useNewHash to true
Oct 13 17:09:20 MACHINE kwalletd5: kf.wallet.backend: Wallet new enough, using new hash
Oct 13 17:09:20 MACHINE kwalletd5: kf.wallet.backend: Error decrypting message: No secret key , code 17 , source GPGME
Oct 13 17:09:24 MACHINE kwin_x11: kwin_core: XCB error: 152 (BadDamage), sequence: 12493, resource id: 8467472, major code: 143 (DAMAGE), minor code: 3 (Subtract)
Oct 13 17:09:28 MACHINE kwalletd5: kf.wallet.backend: Setting useNewHash to true
Oct 13 17:09:28 MACHINE kwalletd5: kf.wallet.backend: Wallet new enough, using new hash
Oct 13 17:09:28 MACHINE kwalletd5: kf.wallet.backend: Error decrypting message: No secret key , code 17 , source GPGME
Oct 13 17:09:31 MACHINE kwalletd5: kf.wallet.backend: Error decrypting message: No secret key , code 17 , source GPGME
Oct 13 17:09:32 MACHINE kwalletd5: kf.wallet.backend: Error decrypting message: No secret key , code 17 , source GPGME
Oct 13 17:09:32 MACHINE kwalletd5: kf.wallet.backend: Error decrypting message: No secret key , code 17 , source GPGME
Oct 13 17:09:32 MACHINE kwin_x11: kwin_core: XCB error: 152 (BadDamage), sequence: 15002, resource id: 8467610, major code: 143 (DAMAGE), minor code: 3 (Subtract)
Oct 13 17:09:33 MACHINE kwin_x11: kwin_core: XCB error: 152 (BadDamage), sequence: 15530, resource id: 8467635, major code: 143 (DAMAGE), minor code: 3 (Subtract)
Oct 13 17:09:33 MACHINE kwalletd5: kf.wallet.backend: Error decrypting message: No secret key , code 17 , source GPGME
Oct 13 17:09:33 MACHINE kwin_x11: kwin_core: XCB error: 152 (BadDamage), sequence: 16073, resource id: 8467650, major code: 143 (DAMAGE), minor code:
```
Update:
* I upgraded HP driver from F.10 to F.42
* Re-installed `X`, `nvidia`, `gnupg`, `pinentry`.
* Every time I start X with the `nvidia` driver, it fails. So I am falling back on Intel. The following is a diff between a working `xorg.conf` and the one that fails with `nvidia`:
$ diff xorg.conf xorg.conf.2023-10-23-a-failure.bak
38a39
> Driver "nvidia"
40,43c41
BusID "PCI:1:0:0"
48a47
> Option "AllowEmptyInitialConfiguration"
53a53,63
> EndSection
>
> Section "Device"
> Identifier "intel"
> Driver "modesetting"
> BusID "PCI:0:2.0" # e.g. PCI:0:2:0
> EndSection
>
> Section "Screen"
> Identifier "intel"
> Device "intel"
**Update:**
* Was able to trace the problem to `eglinfo -B` that produces a core dump as:
```
$ eglinfo -B
GBM platform:
EGL API version: 1.5
EGL vendor string: NVIDIA
EGL version string: 1.5
EGL client APIs: OpenGL_ES OpenGL
OpenGL core profile vendor: NVIDIA Corporation
OpenGL core profile renderer: NVIDIA GeForce 940MX/PCIe/SSE2
OpenGL core profile version: 4.6.0 NVIDIA 535.113.01
OpenGL core profile shading language version: 4.60 NVIDIA
OpenGL compatibility profile vendor: NVIDIA Corporation
OpenGL compatibility profile renderer: NVIDIA GeForce 940MX/PCIe/SSE2
OpenGL compatibility profile version: 4.6.0 NVIDIA 535.113.01
OpenGL compatibility profile shading language version: 4.60 NVIDIA
malloc(): invalid next size (unsorted)
coredumpctl info
(...)
Signal: 6 (ABRT)
(...)
Command Line: eglinfo -B
Executable: /usr/bin/eglinfo
(...)
Size on Disk: 2.1M
Message: Process 3735 (eglinfo) of user 1026 dumped core.
#0 0x00007fc48d23083c n/a (libc.so.6 + 0x8e83c)
#1 0x00007fc48d1e0668 raise (libc.so.6 + 0x3e668)
#2 0x00007fc48d1c84b8 abort (libc.so.6 + 0x264b8)
#3 0x00007fc48d1c9390 n/a (libc.so.6 + 0x27390)
#4 0x00007fc48d23a7b7 n/a (libc.so.6 + 0x987b7)
#5 0x00007fc48d23db04 n/a (libc.so.6 + 0x9bb04)
#6 0x00007fc48d23fdc1 __libc_calloc (libc.so.6 + 0x9ddc1)
#7 0x00007fc48b133bb1 n/a (libnvidia-eglcore.so.535.113.01 + 0x1533bb1)
#8 0x00007fc48b141ccc n/a (libnvidia-eglcore.so.535.113.01 + 0x1541ccc)
#9 0x00007fc48cc42f72 n/a (libEGL_nvidia.so.0 + 0x42f72)
#10 0x00007fc48cc485a4 n/a (libEGL_nvidia.so.0 + 0x485a4)
#11 0x0000555f5f076c7d n/a (eglinfo + 0x6c7d)
#12 0x0000555f5f07c279 n/a (eglinfo + 0xc279)
#13 0x0000555f5f0742b6 n/a (eglinfo + 0x42b6)
#14 0x00007fc48d1c9cd0 n/a (libc.so.6 + 0x27cd0)
#15 0x00007fc48d1c9d8a __libc_start_main (libc.so.6 + 0x27d8a)
#16 0x0000555f5f0746e5 n/a (eglinfo + 0x46e5)
ELF object binary architecture: AMD x86-64
```
> **Note:** *I'm adding all these in case others will troubleshoot similarly, and my journey helps*
azbarcea (122 rep) • Oct 8, 2023, 03:58 PM • Last activity: Apr 19, 2024, 03:44 PM
2 votes • 1 answers • 154 views
gpg-agent "forgetting" password for key, when getting too many requests
I'm running Ubuntu (via Regolith) and my gpg key is unlocked when I log in. I'm running multiple decrypt operations in parallel and I noticed that if I get above 7, `gpg-agent` will "forget" that the key is already unlocked and I get prompted for a pinentry.
```
❯ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.10.1
```
I made a minimal working example to demonstrate this in python.
Create a test file to decrypt with: `echo "something" | gpg --encrypt -o test.gpg`. Running `gpg --decrypt test.gpg` in the shell does not prompt for the passphrase.
Using the below script, if the `WORKERNUM` is set below 8 (on my machine, but setting it to 1 I guess should work for any machine) the script is happily decrypting without asking for a passphrase. But if I crank it up to 8 or above I start getting requests for putting in my password, although it seems like not from every process, only some of them. The execution of the processes also obviously starts to hang (I'm assuming they are waiting on `gpg-agent`).
```python
import subprocess
import multiprocessing as mp
import time

the_queue = mp.Queue()
WORKERNUM = 7  # number of gpg processes running in parallel


def worker_main(queue):
    # Each worker takes a job number from the queue and runs one decryption.
    while True:
        msg = queue.get(True)
        print(time.time(), msg)
        out = subprocess.run(["gpg", "--decrypt", "test.gpg"], capture_output=True)
        print(msg, time.time(), out.stdout)


the_pool = mp.Pool(WORKERNUM, worker_main, (the_queue,))
counter = 0
while True:
    counter += 1
    the_queue.put(counter)
    print(the_queue.qsize())
    # Keep at most about 10 jobs waiting in the queue.
    while the_queue.qsize() > 10:
        time.sleep(0.1)
```
I tried passing `--batch` to the decrypt command, but that didn't change anything. I've been looking through the man pages for `gpg` and `gpg-agent` to see if anything is mentioned that could pertain to this, but I couldn't really find anything. I have two questions:
a) why does this happen and
b) is there something I can configure so that instead of having to figure out the max size of the processing pool to avoid this, `gpg` handles this and I don't get a pinentry
fbence (517 rep) • Mar 13, 2024, 07:51 PM • Last activity: Mar 18, 2024, 12:23 PM
1 votes • 1 answers • 184 views
Change passphrase of SSH key stored in the gpg-agent
How do I change the passphrase of an SSH key that is stored in the gpg-agent?
iGEL (121 rep) • Jan 5, 2024, 10:10 AM
3 votes • 2 answers • 3861 views
gpg failed to sign the data, failed to write commit object
I have searched the whole universe for this error but I could not find any helpful tips.
I have created a key using keybase and added my public key to github gpg
my `gpg --list-secret-keys --keyid-format LONG` is this
```
--------------------------------
sec rsa4096/7E8*******60B47B 2021-03-06 [SC] [expires: 2037-03-02]
51FBCD0E******************014D4860B47B
uid [ultimate] Fatih
uid [ultimate] Fatih
ssb rsa4096/15BBF8A123C4AC1B 2021-03-06 [E] [expires: 2037-03-02]
```
my .gitconfig is this
```
[user]
signingkey = 7E8*******60B47B
email = 73314940+kgnfth@users.noreply.github.com
name = kgnfth
[commit]
gpgsign = true
[gpg]
program = gpg
```
I added `export GPG_TTY=$(tty)` to my .zshrc file
Every time I run `git commit -m "first commit"`, I get this error
```
error: gpg failed to sign the data
fatal: failed to write commit object
```
I don't see anything wrong with the signing key
I also tried changing gpg to gpg2 but the same error appears
I am out of ideas
I need your help
Thank you.
Fatih Akgun (131 rep) • Mar 6, 2021, 12:41 AM • Last activity: Dec 24, 2023, 06:49 AM
Showing page 1 of 20 total questions