Custom GPG pinentry program for macOS that allows using Touch ID for retrieving the key passphrase from the macOS keychain. (MacBook Pro with TouchID only)
Install both using Homebrew:
$ brew install gnupg pinentry-mac
Download pre-build pinentry-touchid
binaries from the GitHub Releases page.
$ VERSION=$(curl -fsSL https://api.github.com/repos/felix-kaestner/pinentry-touchid/releases/latest | jq -r .tag_name)
$ curl -fsSL -o pinentry-touchid "https://github.com/felix-kaestner/pinentry-touchid/releases/download/${VERSION}/pinentry-touchid-${VERSION}-$(uname -s)-$(uname -m)"
$ mv pinentry-touchid /usr/local/bin/pinentry-touchid
Clone the repository:
$ git clone https://github.com/felix-kaestner/pinentry-touchid.git
Build the binary using:
$ ./build.sh
List the keygrip of the GPG Key for which you want to store the passphrase:
$ gpg --list-keys --with-keygrip
/Users/user/.gnupg/pubring.kbx
----------------------------------------
pub rsa4096 2022-04-01 [SC]
< ... >
Keygrip = 78066B99A804208F8DDB3C8F388C56C1C74EA812
uid [ultimate] Felix Kästner <[email protected]>
Create a new entry in the MacOS Keychain for storing your passphrase:
Go to Keychain Access
> Select the login
keychain under Default Keychains > Click on Create new Keychain item. in the upper right (via the pencil icon).
Fill in the prompt with the following information:
- Keychain Item Name:
"GnuPG"
- Account Name: GPG Keygrip
- Password: Your Passphrase
Finally, click on Add
.
Configure the gpg-agent
to use pinentry-touchid
as its pinentry program. Add or replace the following line to your gpg agent configuration in: ~/.gnupg/gpg-agent.conf
:
$ pinentry-program /usr/local/bin/pinentry-touchid
Pinentry-TouchID
is now fully configured!
When used for the first time, MacOS will prompt you to allow access to the keychain. Simply provide access by using your user password and clicking Always Allow
, so you won't be asked on every use.