36

I'm a developer, and I commonly sign my Git commits with my GPG key. I've been able to get GPG Agent working properly on OSX so that it only asks me for my password once per day, but I'm having problems getting the same thing working on Ubuntu 16.04.

Here's what I'm doing:

  • I've got my GPG keys setup / etc.
  • I'm in a Git directory.
  • I add some files to Git.

  • I then go to commit them (git commit), and get a GPG password request that looks like this:

    $ git ci

You need a passphrase to unlock the secret key for
user: "Randall Degges <[email protected]>"
4096-bit RSA key, ID 8F700DA2, created 2016-04-05

[master 1740961] blah
 1 file changed, 1 insertion(+)

The problem is: every single time I do a commit, I'm re-prompted for my GPG password again.

What I'd like to do is configure GPG Agent to cache my password for 1 full day, so it only needs to be entered once.

I've read through tons of documentation and blog posts, and here's what I've tried so far...

First, I modified my ~/.zshrc file (I use zsh) to set the following:

# GPG Agent
export GPG_TTY=$(tty)
export GPGKEY=8F700DA2

Now, from what I read, this alone should do the trick after restarting gpg-agent, but it does not.

So, the next thing I did was I defined a ~/.gnupg/gpg-agent.conf file as explained in the man gpg-agent page:

# Set the default cache time to 1 day.
default-cache-ttl       86400
default-cache-ttl-ssh   86400

# Set the max cache time to 30 days.
max-cache-ttl           2592000
max-cache-ttl-ssh       2592000

This also has no effect.

I've also tried various blog methods, etc., but nothing seems to work. Can someone give me some pointers to things I might be missing?

Improve this question

2 Answers 2

Reset to default
35

In addition to setting up the cache times in gpg-agent.conf, you also have to make sure GnuPG is actually interfacing the gpg-agent. GnuPG 2 and upwards generally does, but the GnuPG 1 branch does not. By default git is using the gpg binary, which (at the time of writing this answer) still is GnuPG 1, while GnuPG 2 is installed as gpg2 on most systems.

In the end, you have two possibilities:

  • set up git to use gpg2 by changing the git configuration:

    git config --global gpg.program gpg2
  • set up gpg(GnuPG 1) to use gpg-agent by adding use-agent to gpg.conf
Improve this answer
3
  • 4
    In Ubuntu 20.04 gpg --version = gpg (GnuPG) 2.2.19. Commented Apr 25, 2020 at 18:51
  • very useful information that I'm not able to find this anywhere. Good question by the poster too. Commented Aug 19, 2020 at 16:22
  • I have done these steps and added options as per OP and even did a systemctl restart --user gpg-agent.socket as my gpg-agent is run off socket at user level. Not exactly my use case like OP but I feel very similar and gpg/gpg-agent still keeps asking for a passphrase when I want to encrypt a file using: gpg -c -o FILE.gpg FILE. gpg version is gpg (GnuPG) 2.4.4 Commented Jan 24 at 12:05
1

In addition to the above answer, you can also just change the default gpg in your system to gpg2 rather than gpg1.

If git config --global gpg.program gpg2 works for you, but you don't want to leave that in your git config (in my case because I use the same config on macOS) then you can just swap the default gpg out.

I followed the guide here, which was just:

$ sudo mv /usr/bin/gpg /usr/bin/gpg1
$ sudo update-alternatives --verbose --install /usr/bin/gpg gnupg /usr/bin/gpg2 50

This makes gpg1 the old gpg binary, and symlinks /usr/bin/gpg -> /usr/bin/gpg2 (with name gnupg and priority 50).

Changing the default gpg could in theory break some packages on your system, but Debian Stretch (the current stable version of Debian) sets gpg2 as the default gpg in a similar way, so you shouldn't have too many problems.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.