Can't get it to work on macOS Monterey 12.0.1 #10

Open
congoelmex opened this issue Nov 11, 2021 · 15 comments

Comments

@congoelmex (Author)

Hi Jorge,

Did you already manage to get pinentry-touchid to work with macOS 12.0.1? Or is it maybe already working for you?

I installed it following your guide here on github via homebrew.

For me it isn't and just throws:

sign_and_send_pubkey: signing failed for RSA "cardno:000x 0000xxxx" from agent: agent refused operation

pinentry-mac is working fine.

Here's my .zshrc:

unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi

alias pinentry='pinentry-mac'

#export GPG_TTY=$(tty)
#gpg-connect-agent updatestartuptty /bye >/dev/null

I used pinentry-mac without the last two lines and it doesn't seem to make a difference if they are there anyway, so I commented them out again.

Here is my .gnupg/gpg-agent.conf:

enable-ssh-support
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200
#pinentry-program /usr/local/bin/pinentry-mac
pinentry-program /usr/local/opt/pinentry-touchid/bin/pinentry-touchid

and finally my gpg.conf:

auto-key-retrieve
no-emit-version
default-key 907BB9A8BA3B629D6F7EFA8A04D3A0AB20551091
#keyserver
cert-digest-algo SHA256
no-comments
personal-cipher-preferences AES AES256 AES192 CAST5
personal-digest-preferences SHA256 SHA512 SHA384 SHA224
ignore-time-conflict
allow-freeform-uid
use-agent

As I said - this setup is working fine with pinentry-mac (latest version, installed via homebrew) for about two years now.

Any ideas? Or simply a "12.0.1 is just not supported right now" ? ;)

Thanks in advance and also for your work (which, hopefully, I'll be able to use someday) ;)

@Gby56 commented Nov 16, 2021

Hi @congoelmex, I opened an issue for a slightly different issue, but like yourself, I can get pinentry-mac to work, not the touchID.
I do see the keychain entry and I tried allowing pinentry-touchid but it still won't prompt me anything...

@jorgelbg (Owner)

Hi @congoelmex, Thanks for opening this issue.
Unfortunately I haven't tested pinentry-touchid in macOS Monterey just yet. @Gby56 are you also running in macOS Monterey? I will post here as soon as I have some more info.

@loganm commented Nov 23, 2021

+1

I am also struggling to get this working on Monterey. Subscribing myself to any updates here.

@brandonryan commented Nov 24, 2021

I have the same issue. Fresh install with homebrew.
/tmp/pinentry-touchid.log:

2021/11/24 01:49:42 main.go:105: Ready!
2021/11/24 01:49:42 main.go:256: Error calling pinentry-mac: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>
2021/11/24 01:49:42 main.go:260: pinentry-mac didn't return a password

This might be related:
gopasspw/gopass#1879

I do have export GPG_TTY=$(tty) in my zshrc

@tommyip commented Dec 27, 2021

Just as a data point, this does work for me on Monterey 12.1 (M1 Pro).

@notpushkin commented Jan 30, 2022

For those who can't live without it (e.g. have a Password Store setup that has worked so neatly with Touch ID), here's a quick and dirty (I mean, really dirty) pinentry implementation in Swift by yours truly.

https://codeberg.org/notpushkin/pinentry-tem
https://github.com/notpushkin/pinentry-tem (mirror)

I hope that it helps you folks until pinentry-touchid is fixed, or I get my shit together and learn enough Swift to make it better.

@dnmgns commented Jun 19, 2022

This workaround resolved the issue for me: #3 (comment)

@jorgelbg (Owner) commented Aug 5, 2022

From this error:

2021/11/24 01:49:42 main.go:256: Error calling pinentry-mac: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>

it seems that pinentry-touchid is falling back to pinentry/pinentry-curses instead of pinentry-mac. Can you check by running:

❯ pinentry-touchid -check

and also there is a new -fix flag that should automatically fix the symlink for you:

❯ pinentry-touchid -fix
✅ /usr/local/opt/pinentry/bin/pinentry is now pointing to pinentry-mac
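The ERR line quoted in this comment can be decoded, and the handshake gpg-agent runs against its pinentry can be replayed by hand, with the script below. It is an added example, not code from pinentry-touchid or GnuPG. It assumes that the pinentry program speaks the standard Assuan pinentry protocol on stdin/stdout (an OK greeting, then SETDESC/SETPROMPT/GETPIN) and that the number after ERR uses the libgpg-error bit layout (error source in bits 24-30, error code in the low 16 bits, codes at or above 32768 wrapping an operating-system errno). The `ScriptedTransport` replies are constructed from the log line in this thread, not captured from a real run.

```python
"""Drive a pinentry binary over Assuan by hand and decode the ERR code it returns.

Added example, not part of pinentry-touchid or GnuPG. Assumes the standard
Assuan pinentry protocol on stdin/stdout and the libgpg-error code layout.
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Bit layout of a libgpg-error value (gpg-error.h): the low 16 bits hold the
# error code, bits 24-30 hold the error source; codes at or above 1<<15 wrap
# an operating-system errno (pinentry's "Inappropriate ioctl for device").
GPG_ERR_CODE_MASK = (1 << 16) - 1
GPG_ERR_SOURCE_MASK = (1 << 7) - 1
GPG_ERR_SOURCE_SHIFT = 24
GPG_ERR_SYSTEM_ERROR = 1 << 15

# Error sources from gpg-error.h that show up in gpg-agent/pinentry logs.
ERROR_SOURCES = {0: "unknown", 1: "gcrypt", 2: "gpg", 3: "gpgsm",
                 4: "gpg-agent", 5: "pinentry", 6: "scd", 15: "assuan"}


@dataclass
class GpgError:
    value: int
    source: str
    code: int
    system_error: bool
    message: str


def decode_err_line(line: str) -> GpgError:
    """Parse an Assuan 'ERR <number> <text>' line into its libgpg-error parts."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 2 or parts[0] != "ERR":
        raise ValueError(f"not an Assuan ERR line: {line!r}")
    value = int(parts[1])
    code = value & GPG_ERR_CODE_MASK
    source_id = (value >> GPG_ERR_SOURCE_SHIFT) & GPG_ERR_SOURCE_MASK
    return GpgError(value=value,
                    source=ERROR_SOURCES.get(source_id, f"source-{source_id}"),
                    code=code,
                    system_error=code >= GPG_ERR_SYSTEM_ERROR,
                    message=parts[2] if len(parts) == 3 else "")


def assuan_unescape(data: str) -> str:
    """Undo Assuan percent-escaping in a 'D ' data line (%25 -> '%', %0A -> newline)."""
    out, i = [], 0
    while i < len(data):
        if data[i] == "%" and i + 2 < len(data):
            out.append(chr(int(data[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return "".join(out)


class ProcessTransport:
    """Talk to a real pinentry binary through its stdin/stdout pipes."""
    def __init__(self, argv: List[str]):
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)

    def readline(self) -> str:
        return self.proc.stdout.readline()

    def write(self, line: str) -> None:
        self.proc.stdin.write(line)
        self.proc.stdin.flush()


class ScriptedTransport:
    """Constructed stand-in for a pinentry process, so the probe can run offline."""
    def __init__(self, responses: List[str]):
        self.responses = list(responses)
        self.sent: List[str] = []

    def readline(self) -> str:
        return self.responses.pop(0) if self.responses else ""

    def write(self, line: str) -> None:
        self.sent.append(line)


def probe_pinentry(transport, desc: str = "pinentry probe") -> Tuple[str, object]:
    """Run the commands gpg-agent sends and report what the pinentry answers.

    Returns ("pin", <entered text>) on success, or ("error", GpgError) when the
    pinentry refuses, e.g. a curses pinentry reached through the symlink with no tty.
    """
    greeting = transport.readline()
    if not greeting.startswith("OK"):
        raise RuntimeError(f"no Assuan greeting from pinentry: {greeting!r}")
    data: Optional[str] = None
    for cmd in (f"SETDESC {desc}", "SETPROMPT PIN:", "GETPIN"):
        transport.write(cmd + "\n")
        while True:
            reply = transport.readline()
            if reply.startswith("D "):
                data = assuan_unescape(reply[2:].rstrip("\n"))
            elif reply.startswith("OK"):
                break
            elif reply.startswith("ERR "):
                transport.write("BYE\n")
                return "error", decode_err_line(reply)
            elif reply == "":
                raise RuntimeError("pinentry closed the connection")
            # "S ..." status and "# ..." comment lines carry no result; skip them
    transport.write("BYE\n")
    return "pin", data


if __name__ == "__main__":
    # Default target is the symlink path named in the thread; override on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/opt/pinentry/bin/pinentry"
    kind, result = probe_pinentry(ProcessTransport([target]))
    if kind == "error":
        print(f"{target}: ERR {result.value} from {result.source}: {result.message}"
              + (" (wrapped OS errno)" if result.system_error else ""))
    else:
        print(f"{target}: pinentry returned {len(result or '')} characters")
```

Because the probe talks to the pinentry over pipes rather than a terminal, a curses pinentry sitting behind the symlink has no tty to draw on and answers with an ERR, whereas pinentry-mac shows its dialog; the decoded source field (5, "pinentry") confirms that the error in the log was produced by the pinentry itself and not by pinentry-touchid or gpg-agent.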

@congoelmex (Author)

Hi @jorgelbg ,
Thanks for the hint, but now there is another issue:

Your documentation states that I have to save the passphrase in the macOS Keychain. The problem is that I'm not offered the option to do so.
I use a Nitrokey for authenticating against my SSH servers, so the gpg-key is saved on the Nitrokey itself.
When I try to access the SSH server, I'm prompted to enter the passphrase but no checkbox to save something in the keychain is shown.

If I try it (for testing purposes) with a gpg-key that is in my gpg-keyring on the hard drive (as opposed to being saved on the Nitrokey), the "Save in keychain" option in the pinentry-mac dialog is displayed.

Any thoughts on that? ;)

@jorgelbg (Owner)

@congoelmex even if you don't see the option to save in the Keychain in the pinentry-mac UI, pinentry-touchid should still create an item in the keychain automatically, as long as no duplicated entry is found. If a duplicated item is found it should be logged in:

$TMPDIR/pinentry-touchid.log

and you could use the commands from #11 (comment) to find those duplicated entries (if any).
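One way to locate the duplicated entries this comment refers to, as an added example that is not pinentry-touchid's own code: it parses the text that `security dump-keychain` prints and counts generic-password items per account under the GnuPG service. The dump layout it expects (a `class:` line starting each record, `"svce"<blob>=` and `"acct"<blob>=` attribute lines) and the assumption that pinentry-touchid stores its items under the service name GnuPG with the key identifier as the account are assumptions; the embedded sample dump is constructed, not captured from a real keychain.

```python
"""Find duplicated GnuPG items in `security dump-keychain` output.

Added example, not pinentry-touchid's own code. Assumes the record layout the
macOS `security` tool prints and that pinentry-touchid files its items under
service "GnuPG" (the name searched for in this thread).
"""
import re
import subprocess
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Named blob attributes look like:   "svce"<blob>="GnuPG"   or   "desc"<blob>=<NULL>
ATTR_RE = re.compile(r'^\s*"(?P<name>[a-z]{4})"<blob>=(?P<value>.*)$')


def parse_dump(text: str) -> List[Dict[str, Optional[str]]]:
    """Split dump-keychain text into items, keeping the class and named blob attributes."""
    items: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for line in text.splitlines():
        if line.startswith("class:"):
            current = {"class": line.split(":", 1)[1].strip().strip('"')}
            items.append(current)
        elif current is not None:
            m = ATTR_RE.match(line)
            if m:
                value = m.group("value").strip()
                current[m.group("name")] = None if value == "<NULL>" else value.strip('"')
    return items


def duplicate_services(items, service: str = "GnuPG") -> List[Tuple[str, int]]:
    """Return (account, count) pairs that occur more than once as generic passwords under `service`."""
    counts = Counter(it.get("acct") for it in items
                     if it.get("class") == "genp" and it.get("svce") == service)
    return sorted((acct, n) for acct, n in counts.items() if n > 1)


# Constructed sample: two items for the same account (a duplicate), one other
# GnuPG item, and an unrelated internet password that must be ignored.
SAMPLE_DUMP = """\
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="GnuPG"
    "acct"<blob>="ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234"
    "desc"<blob>=<NULL>
    "svce"<blob>="GnuPG"
class: "genp"
attributes:
    0x00000007 <blob>="GnuPG"
    "acct"<blob>="ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234"
    "desc"<blob>=<NULL>
    "svce"<blob>="GnuPG"
class: "genp"
attributes:
    0x00000007 <blob>="GnuPG"
    "acct"<blob>="9999AAAA9999AAAA9999AAAA9999AAAA9999AAAA"
    "svce"<blob>="GnuPG"
class: "inet"
attributes:
    "acct"<blob>="alice"
    "srvr"<blob>="example.test"
"""


def main() -> None:
    """Read the login keychain through the security CLI and report duplicates."""
    dump = subprocess.run(["security", "dump-keychain"], capture_output=True,
                          text=True, check=True).stdout
    dups = duplicate_services(parse_dump(dump))
    if not dups:
        print("no duplicated GnuPG items found")
    for acct, n in dups:
        print(f"{n} GnuPG items for account {acct}; remove the extras with: "
              f"security delete-generic-password -s GnuPG -a {acct}")


if __name__ == "__main__":
    main()
```

Run it with `python3 keychain_dups.py` on the Mac in question; `security dump-keychain` prints attributes only, not secrets, so the output is safe to paste into an issue after removing the account identifiers if you consider them sensitive.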

@congoelmex (Author) commented Aug 31, 2022

Hi @jorgelbg and thank you for your answer. It still doesn't work.
Maybe it helps, if I share some details:

pinentry-mac version: 1.1.1 (installed by GPG Suite from gpgtools.org)
pinentry-touchid version: latest version from your git repository

I start with this gpg-agent.conf:
enable-ssh-support
default-cache-ttl 600
max-cache-ttl 7200
#pinentry-program /usr/local/opt/pinentry-touchid/bin/pinentry-touchid
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
debug-level basic
log-file /Users/congoelmex/.gnupg/gpg-agent.log

There is no entry regarding GnuPG in my macOS-keychain.
The Nitrokey Pro 2 is connected and if I enter

echo 1234 | gpg -as -

I'm presented the pinentry-mac window, where I enter the passphrase to unlock (notice the missing save option):

[Screenshot 2022-08-31 at 18:39:26]

After that, I check my macOS - keychain: No entry about GnuPG whatsoever...

Now I change gpg-agent.conf to use pinentry-touchid:

enable-ssh-support
default-cache-ttl 600
max-cache-ttl 7200
pinentry-program /usr/local/opt/pinentry-touchid/bin/pinentry-touchid
#pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
debug-level basic
log-file /Users/congoelmex/.gnupg/gpg-agent.log

After killing the gpg-agent with
gpgconf --kill gpg-agent
I try the gpg encryption again for testing:

echo 1234 | gpg -as -

Now, the pinentry-touchid pops up:
[Screenshot 2022-08-31 at 18:45:11]

If I enter the passphrase twice, the test message gets encrypted...but I'm not offered to use TouchID...at no point...

And no keychain entry for GnuPG or the like is created..

Just for completeness, here are the results from the commands you suggested:

security dump-keychain | grep GnuPG
outputs nothing, because grep can't find what is not there.. ;)

security find-generic-password -s 'GnuPG'
outputs:
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.

Here, the contents of $TMPDIR/pinentry-touchid.log:
2022/08/31 18:31:05 main.go:118: Ready!
nothing else...

Of course I set
defaults write org.gpgtools.common DisableKeychain -bool no
and
defaults write org.gpgtools.common UseKeychain -bool yes

I don't really think that it would be helpful to post the contents of "gpg-agent.log" (and I don't want to spam this thread too much), but if you think it could help, I'll gladly post it (maybe twice: one time with pinentry-mac and one time with pinentry-touchid)...

To be frank, I'm at a loss here and just can't get pinentry-touchid to work with my Nitrokey... :(

EDIT: re-formatted the code-snippets.
EDIT2: Added info concerning "defaults write org.gpgtools.common"

@congoelmex (Author)

should these entries:

2022-08-31 19:41:53 gpg-agent[7351] starting a new PIN Entry
2022-08-31 19:41:53 gpg-agent[7351] DBG: connection to PIN entry established
2022-08-31 19:41:53 gpg-agent[7351] You may want to update to a newer pinentry

from the gpg-agent.log worry me somehow?
Even if I try to install the homebrew version of the agent it still shows version 1.1.1

@samuelhwilliams

@congoelmex i am getting exactly the same symptoms as you on Ventura 13.2.1 :( Did you manage to get touchid working?

@bviolier commented Apr 7, 2023

I was having same issue on Ventura 13.2.1 and 13.3.

It still shows "You may want to update to a newer pinentry", but now I am in a state where it keeps asking me for my PIN and then to confirm the PIN. So it "works", but instead of using Touch ID I now have to provide the PIN twice.

Note: using yubikey

@eamon0989

Same issue here, I need to provide the PIN twice and no touch id.
