jorgelbg / pinentry-touchid

Custom GPG pinentry program for macOS that allows using Touch ID for fetching the password from the macOS keychain.
Apache License 2.0

No touchid prompt #11

Open Gby56 opened 2 years ago

Gby56 commented 2 years ago

Hi,

I've been able to configure pinentry-mac to work and store the key's passphrase in the keychain, no issue whatsoever.

But once I switch my ~/.gnupg/gpg-agent.conf to

default-cache-ttl 1
max-cache-ttl 1
#pinentry-program /usr/local/bin/pinentry-mac
pinentry-program /usr/local/bin/pinentry-touchid

It never brings up the Touch ID prompt. I have looked into allowing pinentry-touchid in the access control of the keychain entry as mentioned.

[screenshot: Keychain Access dialog adding /usr/local/bin/pinentry-touchid to the entry's access control list]

But this doesn't work either, my git debug output tells me:

15:17:57.787749 run-command.c:668       trace: run_command: /usr/local/bin/gpg --status-fd=2 -bsau xxxxxx
error: gpg failed to sign the data

And if I retry this command in another terminal, it hangs infinitely.

[GNUPG:] KEY_CONSIDERED xxxxx 2
[GNUPG:] BEGIN_SIGNING H10

Even something as simple as echo "test" | gpg -vvv --clearsign will fail

gpg: using character set 'utf-8'
gpg: Note: RFC4880bis features are enabled.
gpg: Note: signature key A0D8xxxx expired Sun  1 Nov 19:31:02 2020 CET
gpg: using pgp trust model
gpg: key <mykey>: accepted as trusted key
gpg: writing to stdout
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

test
gpg: signing failed: Operation cancelled
gpg: [stdin]: clear-sign failed: Operation cancelled

jorgelbg commented 2 years ago

Can you verify if invoking /usr/local/bin/pinentry-mac directly in a terminal shows something like:

~
❯❯❯ /usr/local/bin/pinentry-touchid
OK Hi from pinentry-touchid!

Could you also attach the output from gpgconf and the logs from /tmp/pinentry-touchid.log?

You can also enable the debug mode of gpg itself by adding these couple of lines to your ~/.gnupg/gpg-agent.conf:

debug-level basic
log-file /Users/<USERNAME>/.gnupg/gpg-agent.log

Keep in mind that you need to restart the gpg-agent afterwards: gpg-connect-agent reloadagent /bye. Did you install gpg via homebrew?

Gby56 commented 2 years ago
 ✘ gabrielmarquet@LT-xxx  ~/Desktop/   main ✚  /usr/local/bin/pinentry-touchid
OK Hi from pinentry-touchid!
 ✘ gabrielmarquet@LT-C02DK98DMD6M  ~/Desktop/   main ✚  gpgconf
gpg:OpenPGP:/usr/local/Cellar/gnupg/2.3.3_1/bin/gpg
gpgsm:S/MIME:/usr/local/Cellar/gnupg/2.3.3_1/bin/gpgsm
keyboxd:Public Keys:/usr/local/Cellar/gnupg/2.3.3_1/libexec/keyboxd
gpg-agent:Private Keys:/usr/local/Cellar/gnupg/2.3.3_1/bin/gpg-agent
scdaemon:Smartcards:/usr/local/Cellar/gnupg/2.3.3_1/libexec/scdaemon
dirmngr:Network:/usr/local/Cellar/gnupg/2.3.3_1/bin/dirmngr
pinentry:Passphrase Entry:/usr/local/opt/pinentry/bin/pinentry
16:01:39.400744 git.c:455               trace: built-in: git config --get oh-my-zsh.hide-dirty
16:01:39.493943 git.c:455               trace: built-in: git rev-parse --show-toplevel
16:01:39.508964 git.c:455               trace: built-in: git rev-parse --quiet --verify HEAD

/tmp/pinentry-touchid.log

2021/11/16 16:03:55 main.go:105: Ready!
2021/11/16 16:03:55 main.go:256: Error calling pinentry-mac: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>
2021/11/16 16:03:55 main.go:260: pinentry-mac didn't return a password
2021/11/16 16:03:56 main.go:105: Ready!
2021/11/16 16:03:56 main.go:256: Error calling pinentry-mac: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>
2021/11/16 16:03:56 main.go:260: pinentry-mac didn't return a password
/usr/local/bin/gpg -> ../Cellar/gnupg/2.3.3_1/bin/gpg

Seems like Homebrew. I'm running Monterey 12.0.1 (21A559). Thanks a lot for taking a look into this :)

Gby56 commented 2 years ago

Here's a quick extract from the gpg debug log; sorry, I forgot to add that.

gpg-agent[14104]: DBG: chan_7 -> OK Pleased to meet you, process 16420
gpg-agent[14104]: DBG: chan_7 <- RESET
gpg-agent[14104]: DBG: chan_7 -> OK
gpg-agent[14104]: DBG: chan_7 <- OPTION ttytype=xterm-256color
gpg-agent[14104]: DBG: chan_7 -> OK
gpg-agent[14104]: DBG: chan_7 <- GETINFO version
gpg-agent[14104]: DBG: chan_7 -> D 2.3.3
gpg-agent[14104]: DBG: chan_7 -> OK
gpg-agent[14104]: DBG: chan_7 <- OPTION allow-pinentry-notify
gpg-agent[14104]: DBG: chan_7 -> OK
gpg-agent[14104]: DBG: chan_7 <- OPTION agent-awareness=2.1.0
gpg-agent[14104]: DBG: chan_7 -> OK
gpg-agent[14104]: DBG: chan_7 <- HAVEKEY --list=1000
gpg-agent[14104]: new connection to /usr/local/Cellar/gnupg/2.3.3_1/libexec/scdaemon daemon established (reusing)
gpg-agent[14104]: DBG: chan_9 -> KEYINFO --list
gpg-agent[14104]: DBG: chan_9 <- OK
gpg-agent[14104]: DBG: chan_7 -> [ 44 20 2c f8 da 14 ed 0e af 1b 66 df 64 a5 19 28 ...(26 byte(s) skipped) ]
gpg-agent[14104]: DBG: chan_7 -> OK
gpg-agent[14104]: DBG: chan_7 <- RESET
gpg-agent[14104]: DBG: chan_7 -> OK
gpg-agent[14104]: DBG: chan_7 <- SIGKEY B6Cxxx
gpg-agent[14104]: DBG: chan_7 -> OK
gpg-agent[14104]: DBG: chan_7 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22Gabriel+Marquet+(Work+key+for+Github)+<email>%22%0A255-bit+EDDSA+key,+ID+3Exxxx,%0Acreated+2021-11-16.%0A
gpg-agent[14104]: DBG: chan_7 -> OK
gpg-agent[14104]: DBG: chan_7 <- SETHASH 10 5CB17xxxx
gpg-agent[14104]: DBG: chan_7 -> OK
gpg-agent[14104]: DBG: chan_7 <- PKSIGN
gpg-agent[14104]: starting a new PIN Entry
gpg-agent[14104]: DBG: connection to PIN entry established
gpg-agent[14104]: You may want to update to a newer pinentry
gpg-agent[14104]: DBG: error calling pinentry: Operation cancelled <Pinentry>
gpg-agent[14104]: failed to unprotect the secret key: Operation cancelled
gpg-agent[14104]: failed to read the secret key
gpg-agent[14104]: command 'PKSIGN' failed: Operation cancelled <Pinentry>
gpg-agent[14104]: DBG: chan_7 -> ERR 83886179 Operation cancelled <Pinentry>
gpg-agent[14104]: DBG: chan_7 <- [eof]
gpg-agent[14104]: DBG: chan_9 -> RESTART
gpg-agent[14104]: DBG: chan_9 <- OK
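
The ERR numbers in the gpg-agent and pinentry-touchid logs above (83918950, 83886179) are libgpg-error values: one integer that packs an error source into bits 24..30 and an error code into bits 0..15, where a code with bit 15 set (GPG_ERR_SYSTEM_ERROR) wraps an OS errno. Decoding them tells you which component raised the failure and whether it is a GnuPG-level code ("Operation cancelled") or an OS error ("Inappropriate ioctl for device", which is what pinentry-mac returns when it is driven without a terminal). The Go program below is an added example written for this page, not code from pinentry-touchid or GnuPG; the source and code name tables are partial, and the sample log lines are constructed to mirror the ones quoted in this issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// GpgError is a decoded libgpg-error value as printed in Assuan "ERR <number> <message>"
// responses. Layout per libgpg-error: source = (raw >> 24) & 127, code = raw & 65535,
// and a code with bit 15 set carries an errno mapped by libgpg-error.
type GpgError struct {
	Raw        uint32
	Source     uint32
	SourceName string
	Code       uint32
	CodeName   string // known libgpg-error name, "" when not in the partial table below
	System     bool   // true when Code is a GPG_ERR_SYSTEM_ERROR (OS errno) value
	Message    string // text following the number on the log line (strerror for System)
}

// Error sources (gpg_err_source_t); partial table.
var sourceNames = map[uint32]string{
	0: "unknown", 1: "gcrypt", 2: "gpg", 3: "gpgsm", 4: "gpg-agent",
	5: "pinentry", 6: "scdaemon", 7: "gpgme", 8: "keybox", 9: "ksba", 10: "dirmngr",
}

// A few non-system error codes relevant to pinentry failures; partial table.
var codeNames = map[uint32]string{
	0: "GPG_ERR_NO_ERROR", 1: "GPG_ERR_GENERAL", 11: "GPG_ERR_BAD_PASSPHRASE",
	99: "GPG_ERR_CANCELED", 16383: "GPG_ERR_EOF",
}

const (
	sourceShift = 24
	sourceMask  = 127
	codeMask    = 65535
	systemError = 1 << 15 // GPG_ERR_SYSTEM_ERROR
)

// Decode splits a raw libgpg-error value into its source and code fields.
func Decode(raw uint32, msg string) GpgError {
	e := GpgError{Raw: raw, Message: msg}
	e.Source = (raw >> sourceShift) & sourceMask
	e.Code = raw & codeMask
	e.SourceName = sourceNames[e.Source]
	if e.SourceName == "" {
		e.SourceName = fmt.Sprintf("source-%d", e.Source)
	}
	if e.Code&systemError != 0 {
		e.System = true
	} else {
		e.CodeName = codeNames[e.Code]
	}
	return e
}

// errLine matches an Assuan ERR response wherever it appears on a log line, e.g.
//   gpg-agent[14104]: DBG: chan_7 -> ERR 83886179 Operation cancelled <Pinentry>
var errLine = regexp.MustCompile(`\bERR (\d+)\s*(.*)$`)

// ScanLog extracts and decodes every ERR response found in the given log text.
func ScanLog(logText string) []GpgError {
	var out []GpgError
	for _, line := range strings.Split(logText, "\n") {
		m := errLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		raw, err := strconv.ParseUint(m[1], 10, 32)
		if err != nil {
			continue
		}
		out = append(out, Decode(uint32(raw), strings.TrimSpace(m[2])))
	}
	return out
}

// Describe renders one decoded error for a human reader.
func (e GpgError) Describe() string {
	kind := e.CodeName
	if e.System {
		kind = fmt.Sprintf("OS error (libgpg-error errno index %d)", e.Code&^systemError)
	} else if kind == "" {
		kind = fmt.Sprintf("code %d", e.Code)
	}
	return fmt.Sprintf("%d: source=%s %s: %q", e.Raw, e.SourceName, kind, e.Message)
}

// sampleLog is constructed for this example, modelled on lines quoted in this issue.
const sampleLog = `gpg-agent[14104]: DBG: chan_7 -> OK Pleased to meet you, process 16420
2021/11/16 16:03:55 main.go:256: Error calling pinentry-mac: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>
gpg-agent[14104]: DBG: chan_9 <- ERR 100696144 Operation not supported by device
gpg-agent[14104]: DBG: chan_7 -> ERR 83886179 Operation cancelled <Pinentry>`

func main() {
	for _, e := range ScanLog(sampleLog) {
		fmt.Println(e.Describe())
	}
}
```

Run with `go run .` to decode the embedded sample, or replace `sampleLog` with the contents of `~/.gnupg/gpg-agent.log` or `/tmp/pinentry-touchid.log`. The trailing `<Pinentry>` on a log line is gpg-agent's rendering of the same source field, so the decoded `SourceName` should agree with it; the third sample line decodes to source 6 (scdaemon), matching the later report in this thread where the same number came from the smartcard daemon.
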
Gby56 commented 2 years ago

FYI, I just saw a similar comment here: https://golangrepo.com/repo/jorgelbg-pinentry-touchid-go-security. The "You may want to update to a newer pinentry" line is interesting 🤔

Gby56 commented 2 years ago

When executing pinentry --help, I get:

pinentry-curses (pinentry) 1.2.0
Copyright (C) 2016 g10 Code GmbH

jorgelbg commented 2 years ago

> thanks a lot for taking a look into this :)

Any time! Glad that you are willing to give it a try!

From the gpgconf output I see that the path returned for the pinentry:Passphrase Entry key is pointing to /usr/local/opt/pinentry/bin/pinentry. On my system that symlink points to pinentry-ncurses:

❯ ll /usr/local/opt/pinentry/bin/pinentry                       
lrwxr-xr-x 15 jbetancourt 25 Aug 14:25  /usr/local/opt/pinentry/bin/pinentry -> pinentry-curses

Can you try to force that symlink to pinentry-mac and try again? This is what I executed on my system:

❯ ln -fs /usr/local/bin/pinentry-mac /usr/local/opt/pinentry/bin/pinentry

Gby56 commented 2 years ago
 gabrielmarquet@LT-C02DK98DMD6M  ~/.ssh  ln -fs /usr/local/bin/pinentry-mac /usr/local/opt/pinentry/bin/pinentry
 gabrielmarquet@LT-C02DK98DMD6M  ~/.ssh  ls -lia /usr/local/opt/pinentry/bin/pinentry
34364762 lrwxr-xr-x  1 gabrielmarquet  admin  27 Nov 16 18:08 /usr/local/opt/pinentry/bin/pinentry -> /usr/local/bin/pinentry-mac
 ✘ gabrielmarquet@LT-C02DK98DMD6M  ~/.ssh  cat ~/.gnupg/gpg-agent.conf
enable-ssh-support
use-standard-socket
#default-cache-ttl 1
#max-cache-ttl 1
debug-level basic
log-file /Users/gabrielmarquet/.gnupg/gpg-agent.log
#pinentry-program /usr/local/bin/pinentry-mac
pinentry-program /usr/local/bin/pinentry-touchid
#pinentry-program /usr/local/opt/pinentry-touchid/bin/pinentry-touchid
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> OK Pleased to meet you, process 32699
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 <- RESET
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> OK
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 <- OPTION ttyname=/dev/ttys002
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> OK
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 <- OPTION ttytype=xterm-256color
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> OK
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 <- OPTION lc-ctype=UTF-8
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> OK
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 <- GETINFO version
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> D 2.3.3
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> OK
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 <- OPTION allow-pinentry-notify
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> OK
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 <- OPTION agent-awareness=2.1.0
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> OK
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 <- HAVEKEY --list=1000
2021-11-16 18:09:11 gpg-agent[32544] new connection to /usr/local/Cellar/gnupg/2.3.3_1/libexec/scdaemon daemon established (reusing)
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_10 -> KEYINFO --list
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_10 <- OK
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> [ 44 2xxxx ...(26 byte(s) skipped) ]
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> OK
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 <- RESET
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> OK
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 <- SIGKEY B6Cxxx
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> OK
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22Gabriel+Marquet+(Work+key+for+Github)+<gmaxxx>%22%0A255-bit+EDDSA+key,+ID+3E2x,%0Acreated+2021-11-16.%0A
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> OK
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 <- SETHASH 10 8CDFxxx
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 -> OK
2021-11-16 18:09:11 gpg-agent[32544] DBG: chan_8 <- PKSIGN
2021-11-16 18:09:11 gpg-agent[32544] starting a new PIN Entry
2021-11-16 18:09:11 gpg-agent[32544] DBG: connection to PIN entry established
2021-11-16 18:09:11 gpg-agent[32544] You may want to update to a newer pinentry
2021-11-16 18:09:12 gpg-agent[32544] DBG: error calling pinentry: Operation cancelled <Pinentry>
2021-11-16 18:09:12 gpg-agent[32544] failed to unprotect the secret key: Operation cancelled
2021-11-16 18:09:12 gpg-agent[32544] failed to read the secret key
2021-11-16 18:09:12 gpg-agent[32544] command 'PKSIGN' failed: Operation cancelled <Pinentry>
2021-11-16 18:09:12 gpg-agent[32544] DBG: chan_8 -> ERR 83886179 Operation cancelled <Pinentry>
2021-11-16 18:09:12 gpg-agent[32544] DBG: chan_8 <- [eof]
2021-11-16 18:09:12 gpg-agent[32544] DBG: chan_10 -> RESTART
2021-11-16 18:09:12 gpg-agent[32544] DBG: chan_10 <- OK
2021/11/16 17:12:42 main.go:260: pinentry-mac didn't return a password
2021/11/16 18:07:03 main.go:105: Ready!
2021/11/16 18:07:03 main.go:285: Duplicated entry in the keychain
2021/11/16 18:07:21 main.go:105: Ready!
2021/11/16 18:07:21 main.go:285: Duplicated entry in the keychain
2021/11/16 18:09:11 main.go:105: Ready!
2021/11/16 18:09:12 main.go:285: Duplicated entry in the keychain

I think we've got something interesting: duplicated entry in the keychain?

Gby56 commented 2 years ago

Oh nice!! It started working as soon as I cleared out my keychain after re-storing the passphrase once :D! Thank you so much! This was the damn symlink.

davidxia commented 2 years ago

seems like this issue can be closed?

JanWittler commented 2 years ago

> Oh nice!! It started working as soon as I cleared out my keychain after re-storing the passphrase once :D! Thank you so much! This was the damn symlink.

@Gby56 Can you elaborate on how you cleared your keychain? I have exactly the same issue of the "Duplicated entry in the keychain" error. I already adjusted the symlink, after that cleared out my keychain by deleting the one entry with location "GnuPG", added it back into the keychain using pinentry-mac, but when changing to pinentry-touchid it still gives me the duplication error. Would be grateful for any advice.

macOS 12.5

Logs and Configs (Sorry, it's partially German)

**GPG Conf**
```
gpg:OpenPGP:/opt/homebrew/Cellar/gnupg/2.3.6/bin/gpg
gpgsm:S/MIME:/opt/homebrew/Cellar/gnupg/2.3.6/bin/gpgsm
keyboxd:Public Keys:/opt/homebrew/Cellar/gnupg/2.3.6/libexec/keyboxd
gpg-agent:Private Keys:/opt/homebrew/Cellar/gnupg/2.3.6/bin/gpg-agent
scdaemon:Smartcard:/opt/homebrew/Cellar/gnupg/2.3.6/libexec/scdaemon
dirmngr:Network:/opt/homebrew/Cellar/gnupg/2.3.6/bin/dirmngr
pinentry:Passphrase Entry:/opt/homebrew/opt/pinentry/bin/pinentry
```

**GPG**
```
2022-08-03 17:20:51 gpg-agent[3972] listening on socket `/Users/wittler/.gnupg/S.gpg-agent'
2022-08-03 17:20:51 gpg-agent[3972] listening on socket `/Users/wittler/.gnupg/S.gpg-agent.extra'
2022-08-03 17:20:51 gpg-agent[3972] listening on socket `/Users/wittler/.gnupg/S.gpg-agent.browser'
2022-08-03 17:20:51 gpg-agent[3972] listening on socket `/Users/wittler/.gnupg/S.gpg-agent.ssh'
2022-08-03 17:20:51 gpg-agent[3973] gpg-agent (GnuPG) 2.3.6 started
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK Pleased to meet you, process 3971
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- RESET
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- OPTION ttyname=/dev/ttys000
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- OPTION ttytype=xterm-256color
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- OPTION lc-ctype=de_DE.UTF-8
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- OPTION lc-messages=de_DE.UTF-8
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- GETINFO version
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> D 2.3.6
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- OPTION allow-pinentry-notify
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- OPTION agent-awareness=2.1.0
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- SCD SERIALNO
2022-08-03 17:20:51 gpg-agent[3973] no running /opt/homebrew/Cellar/gnupg/2.3.6/libexec/scdaemon daemon - starting it
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 <- OK GNU Privacy Guard's Smartcard server ready
2022-08-03 17:20:51 gpg-agent[3973] first connection to daemon /opt/homebrew/Cellar/gnupg/2.3.6/libexec/scdaemon established
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 -> GETINFO socket_name
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 <- D /Users/wittler/.gnupg/S.scdaemon
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 <- OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: additional connections at '/Users/wittler/.gnupg/S.scdaemon'
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 -> OPTION event-signal=31
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 <- OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 -> SERIALNO
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 <- ERR 100696144 Operation not supported by device
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> ERR 100696144 Operation not supported by device
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- HAVEKEY --list=1000
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 -> KEYINFO --list
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 <- OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> [ 44 2xxxx ...(28 byte(s) skipped) ]
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- KEYINFO 338xxx
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 -> KEYINFO --list
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 <- OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> S KEYINFO 338xxx D - - - P - - -
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- RESET
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- SIGKEY 338xxx
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- SETKEYDESC xxx
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- SETHASH 8 489xxxx
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> OK
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- PKSIGN
2022-08-03 17:20:51 gpg-agent[3973] starting a new PIN Entry
2022-08-03 17:20:51 gpg-agent[3973] DBG: connection to PIN entry established
2022-08-03 17:20:51 gpg-agent[3973] You may want to update to a newer pinentry
2022-08-03 17:20:51 gpg-agent[3973] DBG: error calling pinentry: Operation cancelled
2022-08-03 17:20:51 gpg-agent[3973] failed to unprotect the secret key: Operation cancelled
2022-08-03 17:20:51 gpg-agent[3973] failed to read the secret key
2022-08-03 17:20:51 gpg-agent[3973] command 'PKSIGN' failed: Operation cancelled
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 -> ERR 83886179 Operation cancelled
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_8 <- [eof]
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 -> RESTART
2022-08-03 17:20:51 gpg-agent[3973] DBG: chan_9 <- OK
```

**Pinentry-Touchid**
```
2022/08/03 17:20:51 main.go:105: Ready!
2022/08/03 17:20:51 main.go:285: Duplicated entry in the keychain
```

Gby56 commented 2 years ago

Hi! Sorry, it's been a while since I've had the issue... I'll try to dig back into it, but as far as I can tell, you did the appropriate steps, I think.

jorgelbg commented 2 years ago

@JanWittler Can you check the output of this command:

$ security dump-keychain | grep GnuPG

This should dump and return any items matching GnuPG. You can also use:

$ security find-generic-password -s 'GnuPG'

but this command only returns the first matching item.
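
To see every matching item rather than only the first, the dump output can be parsed by service and account. The Go program below is an added example written for this page, not code from pinentry-touchid: it parses `security dump-keychain` text, keeps the generic-password items whose service is `GnuPG`, groups them by the `acct` attribute (which, as the output earlier in this thread shows, holds the secret key's keygrip), and reports keygrips that have more than one item. The embedded dump is constructed in the layout quoted above; the keychain path, key label and keygrip in it are placeholders, and the `-` argument for reading real output from stdin is this example's own convention.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"regexp"
	"sort"
	"strings"
)

// KeychainItem is one record of `security dump-keychain` output: a "keychain:" line,
// then "version:", "class:" and an indented attributes block.
type KeychainItem struct {
	Keychain string
	Class    string            // "genp" = generic password, the class pinentry-mac stores
	Attrs    map[string]string // attribute name ("svce", "acct", "0x00000007", ...) -> value
}

// attrLine matches indented attribute lines in both forms seen in dump output:
//     "svce"<blob>="GnuPG"
//     0x00000007 <blob>="Jan Wittler <xxx@xxx> (68xxx)"
var attrLine = regexp.MustCompile(`^\s+(?:"([^"]+)"|(0x[0-9A-Fa-f]+))\s*<[A-Za-z0-9]+>=(.*)$`)

// unquote strips the quotes around a dumped value and maps <NULL> to "".
func unquote(v string) string {
	v = strings.TrimSpace(v)
	if v == "<NULL>" {
		return ""
	}
	return strings.TrimSuffix(strings.TrimPrefix(v, `"`), `"`)
}

// ParseDumpKeychain splits dump-keychain text into items, one per "keychain:" header.
func ParseDumpKeychain(r io.Reader) ([]KeychainItem, error) {
	var items []KeychainItem
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "keychain:") {
			items = append(items, KeychainItem{
				Keychain: unquote(strings.TrimPrefix(line, "keychain:")),
				Attrs:    map[string]string{},
			})
			continue
		}
		if len(items) == 0 {
			continue // nothing before the first "keychain:" line belongs to an item
		}
		it := &items[len(items)-1]
		if strings.HasPrefix(line, "class:") {
			it.Class = unquote(strings.TrimPrefix(line, "class:"))
		} else if m := attrLine.FindStringSubmatch(line); m != nil {
			it.Attrs[m[1]+m[2]] = unquote(m[3]) // exactly one of the two name groups matched
		}
	}
	return items, sc.Err()
}

// DuplicateGnuPGKeygrips counts GnuPG generic-password items per account (the keygrip)
// and lists, sorted, every keygrip that has more than one item.
func DuplicateGnuPGKeygrips(items []KeychainItem) (counts map[string]int, dups []string) {
	counts = map[string]int{}
	for _, it := range items {
		if it.Class == "genp" && it.Attrs["svce"] == "GnuPG" {
			counts[it.Attrs["acct"]]++
		}
	}
	for grip, n := range counts {
		if n > 1 {
			dups = append(dups, grip)
		}
	}
	sort.Strings(dups)
	return counts, dups
}

// sampleDump is constructed for this example; path, label and keygrip are placeholders.
const sampleDump = `keychain: "/Users/example/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Example Key <user@example.com> (1234ABCD)"
    "acct"<blob>="338A0B1C2D3E4F50617283940A5B6C7D8E9F0A1B"
    "desc"<blob>=<NULL>
    "svce"<blob>="GnuPG"
keychain: "/Users/example/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    "acct"<blob>="alice"
    "svce"<blob>="some-other-service"
keychain: "/Users/example/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    "acct"<blob>="338A0B1C2D3E4F50617283940A5B6C7D8E9F0A1B"
    "svce"<blob>="GnuPG"
`

func main() {
	var src io.Reader = strings.NewReader(sampleDump)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		src = os.Stdin // security dump-keychain | go run . -
	}
	items, err := ParseDumpKeychain(src)
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse error:", err)
		os.Exit(1)
	}
	counts, dups := DuplicateGnuPGKeygrips(items)
	fmt.Printf("%d GnuPG keygrip(s) in keychain, %d duplicated: %v\n", len(counts), len(dups), dups)
}
```

On a real machine, `security dump-keychain | go run . -` reads the live dump; only attribute values are parsed, so the item's secret is never requested (dump-keychain does not print secrets unless `-d` is given). A keygrip reported as duplicated is the case to delete and re-create, as the resolution in this thread describes.
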

JanWittler commented 2 years ago

Wow, thank you very much already for the surprisingly fast answers.

_ % security dump-keychain | grep GnuPG
    "svce"<blob>="GnuPG"
_ % security find-generic-password -s 'GnuPG'
keychain: "/Users/xxx"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Jan Wittler <xxx@xxx> (68xxx)"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="338xxx"
    "cdat"<timedate>=0x323xxx  "202xxx"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>=<NULL>
    "gena"<blob>=<NULL>
    "icmt"<blob>=<NULL>
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x323xxx  "202xxx"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="GnuPG"
    "type"<uint32>=<NULL>

jorgelbg commented 2 years ago

@JanWittler can you remove/clear any matching item from the keychain and then give it another try?

If possible, can you make a backup of the item from the keychain? It would be interesting to find out why pinentry-touchid is failing to recognize that there is already an item in the keychain. I'm just not sure how to look into the issue, since I am not able to reproduce it myself and there is sensitive information in the keychain item 😅.

oliverdding commented 1 year ago

I found the solution!

Uncheck the 'Save in Keychain' box after deleting the GnuPG item in the keychain and re-trigger gpg first.

davidalejandroaguilar commented 2 months ago

Fixed it by making sure to run this successfully:

pinentry-touchid -fix
pinentry-touchid -check

Then running:

defaults write org.gpgtools.common DisableKeychain -bool no

Then changing my conf to this:

~/.gnupg/gpg.conf

use-agent
# Comment this line (this was what was messing everything up):
# pinentry-mode loopback

/Users/david/.gnupg/gpg-agent.conf

allow-loopback-pinentry
# Comment this line:
# pinentry-program /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid

Then running:

gpgconf --kill gpg-agent
echo 1234 | gpg -as - 

That should put it into the Keychain, so that:

security find-generic-password -s 'GnuPG'

Finally prints something.

Then run:

defaults write org.gpgtools.common DisableKeychain -bool yes

And change your /Users/david/.gnupg/gpg-agent.conf to:

allow-loopback-pinentry
pinentry-program /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid

Then:

gpgconf --kill gpg-agent