Milestone is 2.2.20 (but more of a general issue with pinentry-mac).
I had checked "Save to keychain" on one of my keys' passphrase in the past. After I upgraded GnuPG to 2.2.20 today, I was asked by macOS whether I wanted to allow keychain access. I know this happens after I upgrade GnuPG, and if I "Always Allow" it, that works well.
Today, I hit "Deny" and am finding myself stuck: I do not get asked for keychain access anymore and pinentry-mac also does not display the "Save to keychain" checkbox when asking for a passphrase.
I vaguely remember that the last time this occurred, I might have "solved" it by installing a newer version of GnuPG, thereby being asked again. Of course, this is no option this time, as my installation is current.
Where is a good place to start looking?
I'd try to simply kill gpg-agent. Open a Terminal and type:
Then retry.
I'm sorry, but I tried that and it didn't work. Rebooting the machine doesn't help, either.
To be clear, the passphrase gets cached. All works as usual, I don't constantly get asked to enter my passphrase. But once the gpg-agent is killed or the machine is restarted, that cache is obviously cleared, and I get asked again – and that is what the keychain entry should be for.
As far as I can tell, the Deny comes from macOS. You should check in Keychain or in the macOS preferences for a way to delete the "Deny" entry.
I don't know where to look. I spend quite some time on the source code already, but I don't understand it well enough to find out what the underlying issue is.
As I only denied this single permission request, there is no list that I could remove anything from.
Locking my keychain right before triggering pinentry also does not cause an unlock request to the keychain. What makes you think it's even trying to perform operations on the keychain?
The fact that the checkbox is not displayed makes me believe that the request to access the keychain was denied (by Keychain or macOS).
I'm sorry, but I can't help you much with fixing this. I'm not a developer of GnuPG or pinentry, I only build the packages. Pinentry for macOS is built from the GPGTools project on GitHub. You'd better ask for help there.
Thanks for helping out, Patrick. Just to be sure (and more like a final resort), are you including the patches necessary for keychain access in your build as well?
It appears they are necessary and included in their version, so I'm just making sure you are building in a way that includes them.
I really have no way to check (even if I think that's not the problem, as I don't recall specifically installing their pinentry-mac or gpg-agent alongside your package). I just wanted to make sure, as I am really at a loss for what could be causing this.
Last edit: Lars Ippich 2020-05-27
Yes, I include these patches, otherwise there would be no button for the Keychain in the UI at all.
Hey Patrick, just to keep you in the loop, there is still a chance the two versions are different in some way. I'm on it :-)
As a note to anyone who might find this later:
This issue is caused by the gnuOSX version of pinentry-mac, which is 1.1.0 and does not yet include some fixes around the macOS keychain that MacGPG2 includes in their version 1.1.0.2.
It will eventually be fixed by updating the version of pinentry-mac that comes with gnuOSX.
Hey Patrick, can I ask you to keep this in mind for one of the next updates? The current GnuPG 2.2.23 still seems to be bundled with the outdated 1.1.0 from what I can see (required for the above issue would be 1.1.0.2 and the current one would be 1.1.0.3 even). Cheers!
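Since the thread boils down to "which pinentry-mac is gpg-agent actually running, and is it at least 1.1.0.2", here is an added shell script for checking that on your own machine. It is not from the thread or from either project. It assumes that the `pinentry-program` line in `gpg-agent.conf` (or `pinentry-mac` on `$PATH`) is the binary gpg-agent uses, and that the binary answers `--version` with a line containing a dotted version number; both are assumptions, and the 1.1.0.2 threshold is the one named in the thread.

```sh
#!/bin/sh
# Added example, not part of the thread: report whether the pinentry-mac that
# gpg-agent is configured to use is at least 1.1.0.2, the release the thread
# names as carrying the macOS keychain fixes.

# Return 0 if dotted version $1 >= dotted version $2 (up to four components).
version_ge() {
    v1=$1; v2=$2
    i=1
    while [ "$i" -le 4 ]; do
        # awk prints 0 for a missing component, so 1.1.0 compares as 1.1.0.0
        a=$(printf '%s\n' "$v1" | awk -F. -v n="$i" '{print $n+0}')
        b=$(printf '%s\n' "$v2" | awk -F. -v n="$i" '{print $n+0}')
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Pull the first dotted version token out of a --version output line
# (format assumed, e.g. "pinentry-mac (pinentry) 1.1.0").
pinentry_version() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+(\.[0-9]+)+$/) { print $i; exit }
    }'
}

# 0 if the given pinentry-mac version includes the keychain fixes (>= 1.1.0.2).
pinentry_has_keychain_fix() {
    version_ge "$1" "1.1.0.2"
}

# Locate the pinentry gpg-agent is configured with and check its version.
# Returns 0 (fixed), 1 (too old) or 2 (nothing to check).
check_installed_pinentry() {
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    prog=""
    if [ -r "$conf" ]; then
        prog=$(awk '$1 == "pinentry-program" { print $2; exit }' "$conf")
    fi
    [ -n "$prog" ] || prog=$(command -v pinentry-mac 2>/dev/null)
    if [ -z "$prog" ] || [ ! -x "$prog" ]; then
        echo "no pinentry-mac configured or on PATH; nothing to check"
        return 2
    fi
    ver=$(pinentry_version "$("$prog" --version 2>&1)")
    if [ -z "$ver" ]; then
        echo "could not parse a version from: $prog --version"
        return 2
    fi
    if pinentry_has_keychain_fix "$ver"; then
        echo "$prog is $ver: keychain fixes present (>= 1.1.0.2)"
        return 0
    fi
    echo "$prog is $ver: older than 1.1.0.2, keychain checkbox will be missing"
    return 1
}

check_installed_pinentry
```

Run it as an ordinary user; if it reports a version below 1.1.0.2 (or no version at all), the missing "Save to keychain" checkbox is explained by the bundled pinentry-mac rather than by a keychain permission you denied.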