gpg: signing failed: No passphrase given #29

Open
nemscep opened this issue Jul 1, 2022 · 4 comments
Labels
bug Something isn't working

Comments


nemscep commented Jul 1, 2022

Description

I managed to configure pinentry-mac to work nicely, but when I try to switch to pinentry-touchid I am unable to find a proper way of solving this problem. After I follow the steps provided after installation, I keep getting the following error message:

gpg: signing failed: No passphrase given
gpg: [stdin]: clear-sign failed: No passphrase given

Simplest test to reproduce:

echo "test" | gpg -vvv --clearsign

I have generated keys which have passphrases of course, but now I am unsure how to provide these passphrases to the pinentry.

System information

macOS

  • Architecture: ARM/M1 Pro (late 2021)
  • Version: 12.4 Monterey

GPG

  • gpg (GnuPG) 2.3.6
  • Homebrew all the way!

Configuration

gpg:OpenPGP:/opt/homebrew/Cellar/gnupg/2.3.6/bin/gpg
gpgsm:S/MIME:/opt/homebrew/Cellar/gnupg/2.3.6/bin/gpgsm
keyboxd:Public Keys:/opt/homebrew/Cellar/gnupg/2.3.6/libexec/keyboxd
gpg-agent:Private Keys:/opt/homebrew/Cellar/gnupg/2.3.6/bin/gpg-agent
scdaemon:Smartcards:/opt/homebrew/Cellar/gnupg/2.3.6/libexec/scdaemon
dirmngr:Network:/opt/homebrew/Cellar/gnupg/2.3.6/bin/dirmngr
pinentry:Passphrase Entry:/opt/homebrew/opt/pinentry/bin/pinentry

Logs

2022-07-01 16:50:14 gpg-agent[16600] enabled debug flags: ipc
2022-07-01 16:50:14 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:14 gpg-agent[16600] DBG: chan_7 <- [eof]
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK Pleased to meet you, process 16934
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- RESET
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- OPTION ttyname=/dev/ttys000
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- OPTION ttytype=xterm-256color
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- OPTION lc-ctype=UTF-8
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- GETINFO version
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> D 2.3.6
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- OPTION allow-pinentry-notify
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- OPTION agent-awareness=2.1.0
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- SCD SERIALNO
2022-07-01 16:50:19 gpg-agent[16600] new connection to /opt/homebrew/Cellar/gnupg/2.3.6/libexec/scdaemon daemon established (reusing)
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_8 -> SERIALNO
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_8 <- ERR 100696144 Operation not supported by device <SCD>
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- HAVEKEY --list=1000
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_8 -> KEYINFO --list
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_8 <- OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> [ 44 20 52 af 5d 47 8d 4d a5 13 0e da d2 c4 ee a5 ...(26 byte(s) skipped) ]
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- KEYINFO XXXXXX
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_8 -> KEYINFO --list
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_8 <- OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> S KEYINFO XXXXXX D - - - P - - -
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- RESET
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- SIGKEY XXXXXX
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22nemscep_at_github+(key+to+rule+them+all)+<nemscepanovic@gmail.com>%22%0A4096-bit+RSA+key,+ID+XXXXXX,%0Acreated+2022-07-01.%0A
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- SETHASH 8 XXXXXXX
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:50:19 gpg-agent[16600] DBG: chan_7 <- PKSIGN
2022-07-01 16:50:19 gpg-agent[16600] starting a new PIN Entry
2022-07-01 16:50:19 gpg-agent[16600] DBG: connection to PIN entry established
2022-07-01 16:50:19 gpg-agent[16600] You may want to update to a newer pinentry
2022-07-01 16:50:20 gpg-agent[16600] DBG: error calling pinentry: No passphrase given <GPG Agent>
2022-07-01 16:50:20 gpg-agent[16600] failed to unprotect the secret key: No passphrase given
2022-07-01 16:50:20 gpg-agent[16600] failed to read the secret key
2022-07-01 16:50:20 gpg-agent[16600] command 'PKSIGN' failed: No passphrase given
2022-07-01 16:50:20 gpg-agent[16600] DBG: chan_7 -> ERR 67109041 No passphrase given <GPG Agent>
2022-07-01 16:50:20 gpg-agent[16600] DBG: chan_7 <- [eof]
2022-07-01 16:50:20 gpg-agent[16600] DBG: chan_8 -> RESTART
2022-07-01 16:50:20 gpg-agent[16600] DBG: chan_8 <- OK
2022-07-01 16:52:03 gpg-agent[16600] DBG: chan_7 -> OK Pleased to meet you, process 17044
2022-07-01 16:52:03 gpg-agent[16600] DBG: chan_7 <- RESET
2022-07-01 16:52:03 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:52:03 gpg-agent[16600] DBG: chan_7 <- OPTION ttyname=not a tty
2022-07-01 16:52:03 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:52:03 gpg-agent[16600] DBG: chan_7 <- NOP
2022-07-01 16:52:03 gpg-agent[16600] DBG: chan_7 -> OK
2022-07-01 16:52:03 gpg-agent[16600] DBG: chan_7 <- [eof]
@nemscep nemscep added the bug Something isn't working label Jul 1, 2022
@jorgelbg
Owner

jorgelbg commented Aug 5, 2022

Hi @nemscep I get the feeling that maybe pinentry-touchid is not falling back to pinentry-mac. Can you check the output of:

$ /usr/local/bin/pinentry-touchid -check

and also include the log content of $TMPDIR/pinentry-touchid.log ?

@AndrewTriesToCode

I'm seeing this behavior too.

➜  ~ echo "1234" | gpg -as -
gpg: signing failed: No passphrase given
-----BEGIN PGP MESSAGE-----

gpg: signing failed: No passphrase given
➜  ~ pinentry-touchid -check                                 
✅ /opt/homebrew/Cellar/pinentry-mac/1.1.1.1/bin/pinentry-mac will be used as a fallback PIN program

Also fails if I select "use password". Log just shows:

➜  ~ cat $TMPDIR/pinentry-touchid.log
2023/02/07 23:26:18 main.go:118: Ready!

@coneybeare

Same config and results as ☝️

@rweir

rweir commented Sep 5, 2023

I'm also seeing this on MacOS Ventura on an M2. It's not a new key, and the only log messages I ever get are "main.go:118: Ready!" (aside from one "main.go:348: Failed to authenticate" when I clicked the "use password" button once).

Is there some way to enable more debugging? It's not even clear the problem is in pinentry-touchid to me.

Some other random observations:

  • in the MacOS keychain app, the passphrase lists both pinentry-touchid and pinentry-mac as applications allowed to access it
  • I actually seem to have two passphrases stored in MacOS keychain (both with both pinentry- applications listed)

OK...while looking at my gpg-agent.conf I noticed I had put two lines in there while futzing around with easypg:

allow-emacs-pinentry
allow-loopback-pinentry

After commenting out both, then running gpgconf --kill gpg-agent, then attempting to echo 1234 | gpg -as -, things actually work - pinentry-touchid pops up a thing, I touch the sensor, signature works without error. No idea if this is some bizarre quirk of my system or a bug in something but maybe it helps y'all.
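
Added example, not part of the thread or of pinentry-touchid: a shell check for the two gpg-agent.conf options that rweir's comment reports commenting out, which also prints the configured pinentry-program. The function names and the sample config are constructed for illustration; the pinentry-touchid path is the one used earlier in the thread.

```shell
#!/bin/sh
# Added example (not pinentry-touchid code): audit a gpg-agent.conf for the
# two options rweir commented out, and show the configured pinentry-program.

# Print the active (uncommented) lines in FILE whose first word is NAME.
active_option() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E "^$2([[:space:]]|\$)" || true
}

# Returns 0 if neither option is active, 1 if at least one is, 2 if unreadable.
audit_agent_conf() {
    conf=$1
    findings=0
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 2
    fi
    for opt in allow-emacs-pinentry allow-loopback-pinentry; do
        if [ -n "$(active_option "$conf" "$opt")" ]; then
            echo "active: $opt"
            findings=$((findings + 1))
        fi
    done
    prog=$(active_option "$conf" pinentry-program)
    echo "${prog:-pinentry-program not set (agent default is used)}"
    [ "$findings" -eq 0 ]
}

# Constructed sample config: one option active (indented), one commented out.
write_sample_conf() {
    cat > "$1" <<'EOF'
# gpg-agent.conf (constructed sample)
pinentry-program /usr/local/bin/pinentry-touchid
  allow-emacs-pinentry
#allow-loopback-pinentry
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_agent_conf "$sample" || echo "edit the file, then: gpgconf --kill gpg-agent"
rm -f "$sample"
```

To check a real setup, pass the agent config path, for instance the gpg-agent.conf inside the directory printed by gpgconf --list-dirs homedir.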
