Torsten Curdt’s weblog

gpg-agent on OSX

When I had to sign my last pile of GnuPG keys I’ve investigated a bit how to ease this process a bit. I was looking for something like the ssh-agent / SSHKeyChain for OSX. Well, there is the gpg-agent but it was a bit tricky to get it working on OSX properly. First I’ve created a logon hook pointing to a “/etc/logon” file.

  sudo defaults write com.apple.loginwindow LoginHook /etc/logon

The file itself contains commands that supposed to get executed when a user logs in. The plan is to start the gpg-agent from there. One caveat though – the logon hook gets executed as root so the gpg-agent needs to get executed as the real user. The following file works for me just fine:

 su -l $1 -c "/sw/bin/gpg-agent --daemon --use-standard-socket" > \\

(I would be grateful if someone could explain why it does not work with “sudo” but only with “su”.) In order to have “gpg” use the agent an environment variable has to be set. Open or create a “~/.MacOSX/environment.plist” and define the GPG_AGENT_INFO in there.

 GPG_AGENT_INFO = /Users/tcurdt/.gnupg/S.gpg-agent:4559:1

So my file looks like this

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
<plist version="1.0">

So when you now use “gpg” it will once call out to the “pinentry” program defined in


and then cache your passphrase.

 pinentry-program /sw/bin/pinentry
 default-cache-ttl 1800

So far pinentry only supports the gtk, qt or curses interface. In order to have a proper MacOSX integration I wrote a Carbon one. It works fine from the commandline. Unfortunately as it stands it still fails to load from the gpg-agent. (see the recent post about my execvp and Carbon problem)

    blog comments powered by Disqus