GUI for GPG within Windows WSL for passwords, pins, etc.
Optional persistence of passwords into Windows Credential Manager
(c) 2018 Dale Phurrough
Licensed under the Mozilla Public License 2.0
Check the versions you have installed:

- Windows: `winver.exe`
- WSL distribution: `cat /etc/lsb-release`
- GnuPG: `gpg2 --version`
Setup:

1. Download the `pinentry-wsl-ps1.sh` script and set its permissions to be readable and executable, e.g. `chmod ug=rx pinentry-wsl-ps1.sh`.
2. Configure gpg-agent to use this script as its pinentry program, either by adding the line `pinentry-program /mnt/c/repos/pinentry-wsl-ps1/pinentry-wsl-ps1.sh` to `gpg-agent.conf`, or by starting the agent with `gpg-agent --pinentry-program /mnt/c/repos/pinentry-wsl-ps1/pinentry-wsl-ps1.sh`.
3. Set `PERSISTENCE` to one of the values:
   - `""`: no persistence
   - `"Session"`: persists the password only for the current Windows login session
   - `"LocalMachine"`: persists the password for the current Windows login on the local Windows computer
   - `"Enterprise"`: persists the password for the current Windows login and requests Windows Credential Manager to synchronize it across Windows computers for that same Windows login

   gpg-agent caches passwords (see `max-cache-ttl`), so you may not see the notification with every usage.
4. Set `NOTIFY` to the value `"0"` to disable notifications, or to the value `"1"` to enable them.
Troubleshooting:

- Check `gpg2 --version` and `gpg-agent --version`. If you don't have version 2.1.11 or newer for both, you may have unknown problems.
- Test signing with `gpg2 --clearsign myfile.zip`. Your entire console window should clear and present you an isolated password entry field in a crudely drawn box. Type in your key's password and it should return to your normal console with no error. You should now have the newly signed `myfile.zip.asc` file.
- To test gpg-agent as your `ssh-agent`, try `ssh-add ...` to add your SSH key for your favorite host. Then remove this SSH key file from your `~/.ssh` directory and stash it in a protected location, to ensure ssh isn't using that file instead of the agent. Now try to ssh to this host. It should automatically retrieve the private key for this host from gpg-agent.
- If you set up the agent's environment in `.profile`, please be aware that `.profile` is not always run for all *nix shell scenarios and `.bashrc` may be better for your setup. The details on this are written in the BASH man page in the INVOCATION section.
- Git uses `gpg` by default. To instruct Git to use `gpg2`, you can easily configure it with `git config --global gpg.program gpg2`.
- To debug gpg-agent, edit the `~/.gnupg/gpg-agent.conf` file and insert the following lines. Your user must have permission to write to this file path. Restart gpg-agent after you save this configuration.

  ```
  debug 1024
  debug-pinentry
  log-file /home/username/agent.log
  ```

- To debug the pinentry script, set `DEBUGLOG` to a file path, e.g. `"$HOME/pintrace.log"`. Your user must have permission to write to this file path. Restart gpg-agent after you save this configuration.

Below are some examples from my configuration files. If you have a working GPG2 and gpg-agent setup, the only config change likely needed is the `pinentry-program` line from setup step 2.
From `.bashrc`:

```bash
if [ -z "$(pgrep gpg-agent)" ]; then
    gpgconf --launch gpg-agent
    # I use the above method because the following method
    # doesn't set GPG_AGENT_INFO or GPG_TTY and has a bug
    # setting SSH_AUTH_SOCK if you use socket redirection:
    # eval $(gpg-agent --homedir $HOME/.gnupg --daemon)
fi
if [ -z "$(pgrep dirmngr)" ]; then
    dirmngr --homedir $HOME/.gnupg --daemon >/dev/null 2>&1
    # I use the above method to consistently set vars in .bashrc
    # rather than the following:
    # eval $(dirmngr --homedir $HOME/.gnupg --daemon)
fi
export GPGKEY=12345678 # set preferred gpg signing key
PIDFOUND=$(pgrep gpg-agent)
if [ -n "$PIDFOUND" ]; then
    export GPG_AGENT_INFO="$HOME/.gnupg/S.gpg-agent:$PIDFOUND:1"
    export GPG_TTY=$(tty)
    export SSH_AUTH_SOCK="$HOME/.gnupg/S.gpg-agent.ssh"
    unset SSH_AGENT_PID
fi
PIDFOUND=$(pgrep dirmngr)
if [ -n "$PIDFOUND" ]; then
    export DIRMNGR_INFO="$HOME/.gnupg/S.dirmngr:$PIDFOUND:1"
fi
unset PIDFOUND
```
From `gpg-agent.conf`:

```
enable-ssh-support
disable-scdaemon
pinentry-program /mnt/c/repos/pinentry-wsl-ps1/pinentry-wsl-ps1.sh
```
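The setup steps and troubleshooting notes above boil down to three things that are easy to get wrong: the script must be executable, `gpg-agent.conf` must name it in a `pinentry-program` line, and both `gpg2` and `gpg-agent` must be at least 2.1.11. The following check script is an added example, not part of pinentry-wsl-ps1 or its author's configuration. It assumes `gpg2` and `gpg-agent` are on `PATH`, takes the path of your `gpg-agent.conf` as its only argument, and reads the 2.1.11 minimum from the troubleshooting note above; the function and variable names are its own.

```shell
#!/bin/sh
# Added example (not part of pinentry-wsl-ps1): sanity-check the setup steps
# above. Assumes gpg2 and gpg-agent are on PATH and that the gpg-agent.conf
# path is passed as $1. MIN_GPG_VERSION is the minimum stated in the README.

MIN_GPG_VERSION=2.1.11

# Return 0 if dotted version $1 is >= dotted version $2 (compares the first
# three numeric components; missing components count as 0).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | awk -F. -v n="$i" '{ print $n + 0 }')
        y=$(printf '%s' "$2" | awk -F. -v n="$i" '{ print $n + 0 }')
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Pull the version number out of `gpg2 --version` / `gpg-agent --version`
# output, whose first line looks like "gpg (GnuPG) 2.2.19".
gpg_version_from_banner() {
    printf '%s\n' "$1" | head -n 1 | awk '{ print $NF }'
}

# Print the (last) pinentry-program value from a gpg-agent.conf file ($1),
# or nothing if the line is absent.
pinentry_program_from_conf() {
    awk '$1 == "pinentry-program" { p = $2 } END { print p }' "$1"
}

# Check that gpg-agent.conf ($1) names a pinentry program that exists and is
# executable. Explains the first failure on stderr; returns 0 when all is OK.
check_pinentry_program() {
    conf=$1
    prog=$(pinentry_program_from_conf "$conf")
    if [ -z "$prog" ]; then
        echo "no pinentry-program line in $conf (setup step 2)" >&2
        return 1
    fi
    if [ ! -f "$prog" ]; then
        echo "pinentry-program $prog does not exist" >&2
        return 1
    fi
    if [ ! -x "$prog" ]; then
        echo "$prog is not executable; fix with: chmod ug=rx $prog" >&2
        return 1
    fi
    return 0
}

# Check that a tool ($1, e.g. gpg2 or gpg-agent) reports at least
# MIN_GPG_VERSION. Returns 0 and prints the version when it does.
check_tool_version() {
    banner=$("$1" --version 2>/dev/null) || { echo "$1 not found" >&2; return 1; }
    ver=$(gpg_version_from_banner "$banner")
    if ! version_ge "$ver" "$MIN_GPG_VERSION"; then
        echo "$1 $ver is older than $MIN_GPG_VERSION" >&2
        return 1
    fi
    echo "$1 $ver OK"
}

# Usage: sh check-setup.sh ~/.gnupg/gpg-agent.conf
if [ "$#" -gt 0 ]; then
    check_tool_version gpg2 \
        && check_tool_version gpg-agent \
        && check_pinentry_program "$1" \
        && echo "pinentry-program OK"
fi
```

Run it after editing `gpg-agent.conf` and before restarting the agent; each failure message names the setup step that fixes it. The version comparison is numeric per component, so `2.10.0` correctly sorts after `2.9.9`, which a plain string comparison would get wrong.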