Git commit asks for OpenPGP secret key every time

4

14

I've been a Linux user for a long time, and recently I started using a MacBook. As part of my setup process I did the usual "get git going", which included making an ssh key. All that went fine. I also had to install gpg because git would not let me commit unless my commits were signed, fair enough. I generated the key, and gave it a password. It worked, I can commit freely! Well, sort of.

Whenever I try to commit anything, I get the following message, and am forced to input my password: "Please enter the passphrase to unlock the OpenPGP secret key:". Now, I've scoured the internet, and found a lot of articles on how to remember your password when you're git pushing (which I had already configured), and all other kinds of unrelated articles. My coworkers don't have this issue, and I can't find a way to keep from having to input the password every time.

Hopefully there's a super simple how to I missed by virtue of not knowing the right keywords.

Thanks ahead of time.

Amboceptor answered 16/6, 2017 at 18:26 Comment(6)
I don't pgp-sign every commit and am not sure if there is a way to hook this into OS X Keychain, but I'll just ask: are you sure you want to pgp-sign every commit? Most people don't because it is a hassle with relatively small benefit. - Cartridge
I'm not committed to it, git was just not letting me commit without pgp-signing. (I don't remember the exact error, this was a few weeks ago.) If I can disable pgp signing and still commit freely that'd be fine. - Amboceptor
The request to sign commits is controlled by commit.gpgSign (sets the default if no option given) or the -S or --gpg-sign option when running git commit. - Cartridge
@Cartridge what do you mean "hassle with relatively small benefit"? Signing your commit prevents anyone from pushing malicious code in your name. It's important for security, especially if he works with other people on the same repository. You should not discourage people from signing commits. - Throckmorton
Does this answer your question? "Remember GPG password when signing git commits" - Throckmorton
@MickaelB.: You can sign just specific annotated tags, rather than signing each commit you make. This is how the Git distributions themselves are prepared. - Cartridge
11

I followed this guide and was able to get the UI dialog which asks for saving the password to the keychain. Using it with macOS Monterey 12.0.1.

Pinentry Mac UI dialog


  1. Content of ~/.gnupg/gpg-agent.conf:
    pinentry-program /opt/homebrew/bin/pinentry-mac
    enable-ssh-support
    
  2. After that, kill all GnuPG processes (Not all of them are actually installed):
    killall gpg-agent
    killall gpg2
    killall gpg
    killall dirmngr
    
  3. Run the following test:
    echo "Test" | gpg -as
    

The dialog from Pinentry Mac (as shown above) should be showing up.


For my GPG setup I followed the guide from this gist.

Richellericher answered 8/12, 2021 at 12:45 Comment(1)
I didn't even have pinentry-mac installed. First run: brew install pinentry-mac. Then I was able to follow your instructions. Thank you! - Henslowe
3

> Now, I've scoured the internet, and found a lot of articles on how to remember your password when you're git pushing (which I had already configured), and all other kinds of unrelated articles.

What do you mean by this? What have you done? I'm not sure if my answer will help because you might've already done it, but you can change the pgp configuration. In my case I had the same thing so all I did was increase the maximum amount of time pgp is allowed to cache my passphrase.

Append to the contents of ~/.gnupg/gpg-agent.conf the following:

default-cache-ttl 604800
max-cache-ttl 604800

604800 ~> 1 week in seconds.

Indictable answered 24/10, 2022 at 9:35 Comment(0)
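
The two answers above both edit ~/.gnupg/gpg-agent.conf by hand (the pinentry-program line and the cache TTL lines). As an added example that is not part of either answer, the script below applies those settings idempotently and keeps the file private; the function names set_agent_option, get_agent_option and configure_agent are hypothetical, and the demonstration runs on a constructed temporary directory rather than the real GnuPG homedir.

```shell
#!/bin/sh
# Added example: idempotent edits to a gpg-agent.conf, demonstrated on a temp copy.

# set_agent_option FILE KEY [VALUE]: drop existing KEY lines, append the new one.
set_agent_option() {
    file=$1; key=$2; shift 2
    if [ $# -gt 0 ]; then line="$key $*"; else line=$key; fi
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"   # GnuPG warns about unsafe homedir permissions
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp "$dir/.agent-conf.XXXXXX") || return 1
    awk -v k="$key" '$1 != k' "$file" > "$tmp"   # keeps comments and other options
    printf '%s\n' "$line" >> "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# get_agent_option FILE KEY: print the value currently set for KEY (empty if unset).
get_agent_option() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$1"
}

# configure_agent GNUPGHOME PINENTRY_PATH TTL_SECONDS
# A long TTL keeps the key unlocked for every process running as this user,
# so the TTL is a parameter to be chosen deliberately.
configure_agent() {
    conf="$1/gpg-agent.conf"
    set_agent_option "$conf" pinentry-program "$2" &&
    set_agent_option "$conf" default-cache-ttl "$3" &&
    set_agent_option "$conf" max-cache-ttl "$3"
}

# Constructed sample: a config that already has a short TTL and an unrelated option.
demo=$(mktemp -d)
printf '%s\n' '# sample' 'default-cache-ttl 600' 'enable-ssh-support' > "$demo/gpg-agent.conf"
configure_agent "$demo" /opt/homebrew/bin/pinentry-mac 604800
configure_agent "$demo" /opt/homebrew/bin/pinentry-mac 604800   # second run adds no duplicates
cat "$demo/gpg-agent.conf"
rm -rf "$demo"

# Against the real homedir, then restart the agent so it rereads the file:
#   configure_agent "$HOME/.gnupg" /opt/homebrew/bin/pinentry-mac 604800
#   gpgconf --kill gpg-agent
```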
-1

Your colleagues have likely checked the box to store their GPG key passwords to their Mac OS/ OS X keychain.

When entering your GPG key password, you will see a checkbox asking if you want to store the password in your keychain.

To enable this manually, navigate to the system preferences application and then GPG Suite (or GPGPreferences on older versions) and tick the 'store in OS X keychain' option.


If the above does not work for you, you might have the incorrect password stored in your keychain. To correct this open the 'keychain' application, and search for gnupg - and edit the password to be correct.

If neither of those work then it is possible you are not being presented with the GPG key password dialog, but rather the SSH private key password dialog - which can also be stored in your keychain.

Kist answered 16/6, 2017 at 20:3 Comment(1)
I use GPG from the command line, where can I find the setting to "store in OS X keychain" there? - Soniferous
-3
git config --global commit.gpgsign true
Sumbawa answered 11/8, 2021 at 9:48 Comment(2)
This command alone does not solve this issue for me. Still looking for a solution. - Stome
All this does is tell git to sign all commits automatically with the signing key set through git config user.signingkey XYZ.... This won't stop git asking for the secret key, this would do the contrary, it would especially ask it every time you commit :P - Indictable
