Support for ARM/M1 Macs

[jorgelbg]

Tried generating binaries for the M1 Macs via goreleaser, but it fails with:

   ⨯ release failed after 6.02s error=failed to build for darwin_arm64: package command-line-arguments
	imports github.com/lox/go-touchid: build constraints exclude all Go files in /Users/jbetancourt/dev/go/pkg/mod/github.com/lox/go-touchid@v0.0.0-20170712105233-619cc8e578d0

There seems to be a build constraint in https://github.com/lox/go-touchid.

[jorgelbg]

Commit 45ffb97 enabled cross-compilation for M1 macs (Darwin/arm64 architecture). Nevertheless the build has not been tested on an actual M1 mac yet.

[rickosborne]

Doesn't work on my 2020 Air with M1, running 11.5.2. I tried the version from brew, then manually downloaded the v0.0.2 release, replaced the binary, and tried a few basic gpg operations. Example log:

2021-09-07 21:56:22 gpg-agent[53062] listening on socket '/Users/ricko/.gnupg/S.gpg-agent'
2021-09-07 21:56:22 gpg-agent[53062] listening on socket '/Users/ricko/.gnupg/S.gpg-agent.extra'
2021-09-07 21:56:22 gpg-agent[53062] listening on socket '/Users/ricko/.gnupg/S.gpg-agent.browser'
2021-09-07 21:56:22 gpg-agent[53062] listening on socket '/Users/ricko/.gnupg/S.gpg-agent.ssh'
2021-09-07 21:56:22 gpg-agent[53063] gpg-agent (GnuPG) 2.3.1 started
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK Pleased to meet you, process 53061
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- RESET
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- OPTION ttyname=/dev/ttys000
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- OPTION ttytype=xterm-256color
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- OPTION lc-ctype=en_US.UTF-8
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- OPTION lc-messages=en_US.UTF-8
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- GETINFO version
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> D 2.3.1
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- OPTION allow-pinentry-notify
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- OPTION agent-awareness=2.1.0
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- SCD SERIALNO
2021-09-07 21:56:22 gpg-agent[53063] no running /opt/homebrew/Cellar/gnupg/2.3.1_1/libexec/scdaemon daemon - starting it
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_9 <- OK GNU Privacy Guard's Smartcard server ready
2021-09-07 21:56:22 gpg-agent[53063] first connection to daemon /opt/homebrew/Cellar/gnupg/2.3.1_1/libexec/scdaemon established
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_9 -> GETINFO socket_name
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_9 <- D /Users/ricko/.gnupg/S.scdaemon
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_9 <- OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: additional connections at '/Users/ricko/.gnupg/S.scdaemon'
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_9 -> OPTION event-signal=31
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_9 <- OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_9 -> SERIALNO
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_9 <- ERR 100696144 Operation not supported by device <SCD>
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> ERR 100696144 Operation not supported by device <SCD>
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- KEYINFO (redacted)
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_9 -> KEYINFO --list
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_9 <- OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> S KEYINFO (redacted) D - - - P - - -
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- HAVEKEY (redacted) (redacted)
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- RESET
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- SIGKEY (redacted)
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:(redacted)
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- SETHASH 10 (redacted)
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 -> OK
2021-09-07 21:56:22 gpg-agent[53063] DBG: chan_8 <- PKSIGN
2021-09-07 21:56:22 gpg-agent[53063] starting a new PIN Entry
2021-09-07 21:56:22 gpg-agent[53063] DBG: connection to PIN entry established
2021-09-07 21:56:22 gpg-agent[53063] You may want to update to a newer pinentry
2021-09-07 21:56:23 gpg-agent[53063] DBG: error calling pinentry: Operation cancelled <Pinentry>
2021-09-07 21:56:23 gpg-agent[53063] failed to unprotect the secret key: Operation cancelled
2021-09-07 21:56:23 gpg-agent[53063] failed to read the secret key
2021-09-07 21:56:23 gpg-agent[53063] command 'PKSIGN' failed: Operation cancelled <Pinentry>
2021-09-07 21:56:23 gpg-agent[53063] DBG: chan_8 -> ERR 83886179 Operation cancelled <Pinentry>
2021-09-07 21:56:23 gpg-agent[53063] DBG: chan_8 <- [eof]
2021-09-07 21:56:23 gpg-agent[53063] DBG: chan_9 -> RESTART
2021-09-07 21:56:23 gpg-agent[53063] DBG: chan_9 <- OK

Edit: To be clear, the same does work when I reconfigure gpg-agent.conf to use pinentry-mac instead. I'm just doing a really basic command:

echo 1234 | gpg -as 

[jorgelbg]

@rickosborne First of all thank you for providing feedback!

Can you manually run the pinentry-touchid binary with the --check flag?

❯ pinentry-touchid --check

This only checks if the pinentry-mac is also present in the system but it should at least verify that the binary is working as expected.

Additionally, can you check if there is any additional info logged in the file /tmp/pinentry-touchid.log? This may provide some hint about what is going wrong.

[rickosborne]

% /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid --check
2021/09/08 07:51:46 Looks good!
% which pinentry-mac
/opt/homebrew/bin/pinentry-mac

But also, from /tmp/pinentry-touchid.log:

2021/09/07 21:26:14 main.go:105: Ready!
2021/09/07 21:26:14 main.go:256: Error calling pinentry-mac: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>
2021/09/07 21:26:14 main.go:260: pinentry-mac didn't return a password

(This repeated a number of times.)

My gpg-agent.conf in case it might be useful:

pinentry-program /opt/homebrew/bin/pinentry-mac
# pinentry-program /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid
default-cache-ttl 600
max-cache-ttl 7200
debug-level basic
log-file /Users/ricko/.gnupg/gpg-agent.log

[rickosborne]

Okay, I dug around on this a bit more. I don't know much about Go or its ecosystem, but I was able to figure out how to use goreleaser to get a build in a local dist. (Building from 6662c46 locally.) Completely uninstalling the brew version of pinentry-touchid (just in case) and putting the built version in ~/bin, I can see it's the updated version:

% ~/bin/pinentry-touchid --check

✅ Looks good!

% gpgconf --kill gpg-agent    

% echo 1234 | gpg -as -       

gpg: using "(redacted)" as default secret key for signing
gpg: signing failed: Operation cancelled
-----BEGIN PGP MESSAGE-----

gpg: signing failed: Operation cancelled

Unfortunately, that same failure is present in the pinentry-touchid.log:

2021/09/08 08:23:41 main.go:107: Ready!
2021/09/08 08:23:41 main.go:258: Error calling pinentry-mac: unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>
2021/09/08 08:23:41 main.go:262: pinentry-mac didn't return a password

I wondered if I might have an old version of pinentry-mac, but it seems to be pretty recent:

% which pinentry-mac

/opt/homebrew/bin/pinentry-mac

% /opt/homebrew/bin/pinentry-mac --version

pinentry-mac (pinentry) 1.1.1
Copyright (C) 2016 g10 Code GmbH
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

% brew upgrade pinentry-mac

==> Auto-updated Homebrew!
Updated 1 tap (homebrew/core).
==> Updated Formulae
Updated 6 formulae.

Warning: pinentry-mac 1.1.1.1 already installed

I'll see if I can get a debugging environment up and running to see if I can step through it.

[jorgelbg]

I'm using the same pinentry-mac version too:

❯ pinentry-mac --version
pinentry-mac (pinentry) 1.1.1
...

The error that pinentry-touchid is reporting:

unexpected response: ERR 83918950 Inappropriate ioctl for device <Pinentry>

seems to be coming from the upstream dependency that I use to interact with the fallback pinentry implementation when an entry is not found in the Keychain 🤔 (i.e asking for the actual passphrase).

Can you share the output of gpgconf?

I pushed 8b392a0 that should log the path of the fallback pinentry when running with the --check flag.

[rickosborne]

% gpgconf

gpg:OpenPGP:/opt/homebrew/Cellar/gnupg/2.3.1_1/bin/gpg
gpgsm:S/MIME:/opt/homebrew/Cellar/gnupg/2.3.1_1/bin/gpgsm
keyboxd:Public Keys:/opt/homebrew/Cellar/gnupg/2.3.1_1/libexec/keyboxd
gpg-agent:Private Keys:/opt/homebrew/Cellar/gnupg/2.3.1_1/bin/gpg-agent
scdaemon:Smartcards:/opt/homebrew/Cellar/gnupg/2.3.1_1/libexec/scdaemon
tpm2daemon:TPM:/opt/homebrew/Cellar/gnupg/2.3.1_1/libexec/tpm2daemon
dirmngr:Network:/opt/homebrew/Cellar/gnupg/2.3.1_1/bin/dirmngr
pinentry:Passphrase Entry:/opt/homebrew/opt/pinentry/bin/pinentry

After pulling down that update, and running in GoLand:

GOROOT=/opt/homebrew/Cellar/go/1.17/libexec #gosetup
GOPATH=/Users/ricko/go #gosetup
/opt/homebrew/Cellar/go/1.17/libexec/bin/go build -o /private/var/folders/h5/.../T/GoLand/___main_go___check /Users/ricko/src/pinentry-touchid/main.go #gosetup
/private/var/folders/h5/.../T/GoLand/___main_go___check --check
✅ /opt/homebrew/opt/pinentry/bin/pinentry fallback pinentry found
✅ Looks good!

Process finished with the exit code 0

[rickosborne]

FWIW, it seems like my pinentry-mac config works okay. When I switch over to use it in gpg-agent.conf and ask to encrypt anything, I do get prompted:

If I then use the correct passphrase, the encryption succeeds.

Having said all of that, I don't use gpg for anything other than signing git commits ... so I am not 100% sure the configuration is rock solid.

[rickosborne]

Okay, I figured it out. (I am dumb.) I'm going to document my investigation and thought process, in the hopes that it gets picked up by search engines and helps future folks. I'll also open a minor PR against your README which I think will help.

Basically: I hadn't configured pinentry-mac to actually use the Keychain. (Because, frankly, the README for pinentry doesn't actually say you can do that.) I'd thought it odd that searching through the Keychain for anything referencing "gpg", "gnu", or "pinentry" yielded nothing. So I truly didn't have the Keychain item which pinentry-touchid was looking for. (But that also means it's not getting created by pinentry-touchid, which might be a regression?)

But after poking through the source, I found the default you have your README, plus the extra one:

% defaults write org.gpgtools.common DisableKeychain -bool no 
% defaults write org.gpgtools.common UseKeychain -bool yes
% gpgconf --kill gpg-agent                                   

Doing that with pinentry-mac, I then got the "Save in keychain" checkbox on its prompt:

(Note the extra checkbox, versus my screenshot in my previous message.)

I can then also see an entry in my Keychain:

I then switched the config over to use pinentry-touchid via gpg-agent.conf:

# pinentry-program /opt/homebrew/bin/pinentry-mac
# pinentry-program /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid
pinentry-program /Users/ricko/bin/pinentry-touchid

(Obv, people reading this in the future will likely just have the Homebrew path, not ~/bin like me.)

Kill the agent once again:

% gpgconf --kill gpg-agent 

Retry some encryption:

% echo 1234 | gpg -as -

You should get prompted by pinentry-touchid this time:

The first time you do this you will get a follow-up prompt to always allow access:

Entering your laptop password (not your GPG passphrase) and using "Always Allow" will do exactly that, and you should never see another prompt.

I can also verify that the Homebrew-installed version (v0.0.2) does work just fine once you've done all this. (I removed my locally-built executable from ~/bin, reinstalled via brew, reconfigured the gpg-agent.conf, killed the agent, and tried everything above again, and it worked out of the box. Because the executable changed, I did get propted again to "Always Allow", but that's to be expected.)

% brew info pinentry-touchid

jorgelbg/tap/pinentry-touchid: stable 0.0.2
Custom GPG pinentry program for macOS that allows using Touch ID for fetching the password from
the macOS keychain.
https://github.com/jorgelbg/pinentry-touchid
/opt/homebrew/Cellar/pinentry-touchid/0.0.2 (5 files, 2.3MB) *
  Built from source on 2021-09-08 at 10:38:17

Hope that helps others!

[jorgelbg]

Glad to know that it is now working and on an M1 Mac 🎉 🥳!

So the main issue was that pinentry-mac was not using the Keychain at all. TBH I would've expected that pinentry-touchid would have just requested the password once and create the keychain entry directly. I will try to reproduce it locally by disabling the Keychain and following your steps. I'm just trying to figure out if there is any check that can be done directly from pinentry-touchid and provide some sort of useful error message.

I'll also open a minor PR against your README which I think will help

Sure! feel free to open the PR for the README!

[rickosborne]

Yeah, I think there may also be something on my end. I still haven't gotten IntelliJ-GPG integration working. I note that their docs include the assertion that:

echo GETPIN | pinentry

Should just work. Unfortunately for me, that's not the case:

% echo GETPIN | pinentry
echo GETPIN | pinentry
OK Pleased to meet you
S ERROR curses.isatty 83918950 
ERR 83918950 Inappropriate ioctl for device <Pinentry>

Familiar error, right?

The pinentry I'm using is also from Homebrew, but I figure I must have missed a config step somewhere. I hadn't noticed until I tried using pinentry-touchid because git commit-signing does actually work just fine, and prompt as necessary ... when I use git commit from a terminal.

But anyway, it definitely seems like a local problem, and not one caused by pinentry-touchid.

[jorgelbg]

From your output of gpgconf:

pinentry:Passphrase Entry:/opt/homebrew/opt/pinentry/bin/pinentry

Where does /opt/homebrew/opt/pinentry/bin/pinentry is linked? In my system pinentry (eventually) points to pinentry-curses which indeed requires a TTY.

❯ pinentry --help
pinentry-curses (pinentry) 1.2.0

For the record this also fails for me:

❯ echo GETPIN | pinentry
OK Pleased to meet you
S ERROR curses.isatty 83918950
ERR 83918950 Inappropriate ioctl for device <Pinentry>

but gpgconf (in my case) contains:

pinentry:Passphrase Entry:/usr/local/bin/pinentry-mac

[rickosborne]

Dangit. I continue to be the dumbest smart person ever.

It didn't even occur to me to just update that link. I keep looking for a config option. Sigh.

Yep. That did it. I pointed that link at pinentry-touchid and both command-line and IJ now work like a champ. Sweet! And thank you so much for the help!

[jorgelbg]

Happy that it worked 🎉!

I ran the test locally by disabling the use of keychain (by pinentry-mac) and removed my entry from the keychain and it worked as expected. The keychain entry got created even if pinentry-mac does not use the Keychain at all. Internally we only use pinentry-mac to get the password from the user (essentially I wanted to avoid rewriting pinentry-mac and having to do some UI work 😅).

Maybe we should rework a bit #6 and provide a troubleshooting section? As in, if you face this error then best to check the symlink or maybe tweak some config additional config setting? What do you think @rickosborne?

[shepherdjerred]

@rickosborne your comment helped me set this up. thanks so much for the detailed instructions!

@jorgelbg, if you set up GitHub sponsors I'd love to send you a couple of dollars a month to thank you for this software :)

[jorgelbg]

@shepherdjerred Glad that you got it running 🥳!

Can you share the output of gpgconf? I suspect that when GPG is installed via homebrew the output of gpgconf is pointing to pinentry which (at least in my case) points to pinentry-curses and it never really uses pinentry-mac.

---

@jorgelbg, if you set up GitHub sponsors I'd love to send you a couple of dollars a month to thank you for this software :)

@shepherdjerred Thank you! You are too kind! I never really though about it 😅. Thanks for encouraging me into getting the sponsors profile approved.

[shepherdjerred]

> gpgconf
gpg:OpenPGP:/opt/homebrew/Cellar/gnupg/2.3.2/bin/gpg
gpgsm:S/MIME:/opt/homebrew/Cellar/gnupg/2.3.2/bin/gpgsm
keyboxd:Public Keys:/opt/homebrew/Cellar/gnupg/2.3.2/libexec/keyboxd
gpg-agent:Private Keys:/opt/homebrew/Cellar/gnupg/2.3.2/bin/gpg-agent
scdaemon:Smartcards:/opt/homebrew/Cellar/gnupg/2.3.2/libexec/scdaemon
dirmngr:Network:/opt/homebrew/Cellar/gnupg/2.3.2/bin/dirmngr
pinentry:Passphrase Entry:/opt/homebrew/opt/pinentry/bin/pinentry

Here are my dotfiles

[jorgelbg]

yep:

pinentry:Passphrase Entry:/opt/homebrew/opt/pinentry/bin/pinentry

Which should also mean that /opt/homebrew/opt/pinentry/bin/pinentry is/was pointing to pinentry-ncurses. Similar default setup from @rickosborne: #3 (comment).

I added some more logic to the --check flag in bffcc2c. If the binary that we get is a symlink (seems to be default when using GPG installed via homebrew) we check to which binary the symlink resolves to and we check if that binary is pinentry-mac if it is not, we fail the check.

I also added some additional details based on https://www.jetbrains.com/help/idea/set-up-GPG-commit-signing.html for verifying that the pinentry symlink is pointing to pinentry-mac (commit 1f05b9a).

[shepherdjerred]

I think you're correct!

/opt/homebrew/opt/pinentry/bin/pinentry --help
pinentry-curses (pinentry) 1.2.0
Copyright (C) 2016 g10 Code GmbH
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Usage: pinentry-curses [options] (-h for help)
Ask securely for a secret and print it to stdout.
Options:
 -d, --debug                Turn on debugging output
 -D, --display DISPLAY      Set the X display
 -T, --ttyname FILE         Set the tty terminal node name
 -N, --ttytype NAME         Set the tty terminal type
 -C, --lc-ctype STRING      Set the tty LC_CTYPE value
 -M, --lc-messages STRING   Set the tty LC_MESSAGES value
 -o, --timeout SECS         Timeout waiting for input after this many seconds
 -g, --no-global-grab       Grab keyboard only while window is focused
 -W, --parent-wid           Parent window ID (for positioning)
 -c, --colors STRING        Set custom colors for ncurses
 -a, --ttyalert STRING      Set the alert mode (none, beep or flash)

Please report bugs to <https://bugs.gnupg.org>.

[shepherdjerred]

Hm, it seems that I've ran into a new error:

git commit -m "test"
error: gpg failed to sign the data
fatal: failed to write commit object

echo 1234 | gpg -as -
gpg: signing failed: No pinentry
-----BEGIN PGP MESSAGE-----

gpg: signing failed: No pinentry

I updated from macOS Big Sur 11.5 to 11.6 last night. Maybe that's why?

[jorgelbg]

Strange, I just upgraded my work laptop to 11.6 (build 20G165) and it is still working fine. Can you check if everything is configured properly in ~/.gnupg/gpg-agent.conf. The No pinentry message seems to be pointing out that the gpg-agent is failing to locate/execute the pinentry program altogether 🤔.

[shepherdjerred]

> cat ~/.gnupg/gpg-agent.conf
default-cache-ttl 600
max-cache-ttl 7200
# pinentry-program /opt/homebrew/bin/pinentry
# pinentry-program /opt/homebrew/bin/pinentry-mac
pinentry-program /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid
> gpgconf --kill gpg-agent
> /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid
OK Hi from pinentry-touchid!
^C⏎
> echo 1234 | gpg -as -
gpg: signing failed: No pinentry
-----BEGIN PGP MESSAGE-----

gpg: signing failed: No pinentry

Gpg works fine when I have pinentry-program set to pinentry-mac...

[jorgelbg]

Can you check /tmp/pinentry-touchid.log to see if anything is being logged there? Also, if gpg-agent is reporting any additional errors (you may need to enable logging for the gpg-agent):

(you can add this to your gpg-agent.conf file)

debug-level basic
log-file /tmp/gpg-agent.log

So you are running pinentry-touchid in an M1 device right? I upgraded to 11.6 but my machine is a 16" Intel one.

[jorgelbg]

@shepherdjerred did you solve the issue? I couldn't reproduce it on my end and I'm wondering if it is related to a change only affecting M1 machines 🤔.

[shepherdjerred]

Hi! Sorry, I've been focused on work haha. I'll try your suggestions and get back to you.

[shepherdjerred]

Yep! I'm on an M1 MacBook running macOS Big Sur 11.6.

> cat ~/.gnupg/gpg-agent.conf
debug-level basic
log-file /tmp/gpg-agent.log
default-cache-ttl 600
max-cache-ttl 7200
# pinentry-program /opt/homebrew/bin/pinentry
# pinentry-program /opt/homebrew/bin/pinentry-mac
pinentry-program /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid

> gpgconf --kill gpg-agent

> git commit -m "tst"
error: gpg failed to sign the data
fatal: failed to write commit object

> cat /tmp/pinentry-touchid.log
2021/09/22 09:22:14 main.go:105: Ready!

> cat /tmp/gpg-agent.log
2021-09-22 09:21:51 gpg-agent[23271] listening on socket '/Users/jerred/.gnupg/S.gpg-agent'
2021-09-22 09:21:51 gpg-agent[23271] listening on socket '/Users/jerred/.gnupg/S.gpg-agent.extra'
2021-09-22 09:21:51 gpg-agent[23271] listening on socket '/Users/jerred/.gnupg/S.gpg-agent.browser'
2021-09-22 09:21:51 gpg-agent[23271] listening on socket '/Users/jerred/.gnupg/S.gpg-agent.ssh'
2021-09-22 09:21:51 gpg-agent[23272] gpg-agent (GnuPG) 2.3.2 started
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> OK Pleased to meet you, process 23270
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- RESET
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- OPTION ttytype=xterm-256color
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- OPTION display=/private/tmp/com.apple.launchd.RynZ351dQf/org.xquartz:0
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- GETINFO version
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> D 2.3.2
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- OPTION allow-pinentry-notify
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- OPTION agent-awareness=2.1.0
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- HAVEKEY --list=1000
2021-09-22 09:21:51 gpg-agent[23272] no running /opt/homebrew/Cellar/gnupg/2.3.2/libexec/scdaemon daemon - starting it
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_10 <- OK GNU Privacy Guard's Smartcard server ready
2021-09-22 09:21:51 gpg-agent[23272] first connection to daemon /opt/homebrew/Cellar/gnupg/2.3.2/libexec/scdaemon established
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_10 -> GETINFO socket_name
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_10 <- D /Users/jerred/.gnupg/S.scdaemon
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_10 <- OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: additional connections at '/Users/jerred/.gnupg/S.scdaemon'
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_10 -> OPTION event-signal=31
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_10 <- OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_10 -> KEYINFO --list
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_10 <- OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> [ 44 20 9a 57 7b f4 75 97 03 65 e0 e2 e9 e1 4c 2d ...(26 byte(s) skipped) ]
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- KEYINFO 9A577BF475970365E0E2E9E14C2DB65115B26DCE
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_10 -> KEYINFO --list
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_10 <- OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> S KEYINFO 9A577BF475970365E0E2E9E14C2DB65115B26DCE D - - - P - - -
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- RESET
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- SIGKEY 9A577BF475970365E0E2E9E14C2DB65115B26DCE
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22Jerred+Shepherd+<shepherdjerred@gmail.com>%22%0A4096-bit+RSA+key,+ID+AE916DBD9E0A6A73,%0Acreated+2018-04-25.%0A
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- SETHASH 8 C7C1E065AEBBDB5BE8777DD158214E87992F4A8D5817BCD5FA96629B2D291C41
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> OK
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- PKSIGN
2021-09-22 09:21:51 gpg-agent[23272] starting a new PIN Entry
2021-09-22 09:21:51 gpg-agent[23272] can't connect to the PIN entry module '/opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid': End of file
2021-09-22 09:21:51 gpg-agent[23272] DBG: error calling pinentry: No pinentry <GPG Agent>
2021-09-22 09:21:51 gpg-agent[23272] failed to unprotect the secret key: No pinentry
2021-09-22 09:21:51 gpg-agent[23272] failed to read the secret key
2021-09-22 09:21:51 gpg-agent[23272] command 'PKSIGN' failed: No pinentry
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 -> ERR 67108949 No pinentry <GPG Agent>
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_8 <- [eof]
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_10 -> RESTART
2021-09-22 09:21:51 gpg-agent[23272] DBG: chan_10 <- OK

[jorgelbg]

I think that this path is correct right /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid? If you execute it you can see the OK Hi from pinentry-touchid! message?

I find it strange that from the logs that pinentry-touchid did log something but after gpg-agent had already failed to communicate. So pinentry-touchid was ready at 09:22:14 but gpg-agent had already failed at 09:21:51 🤔.

Can you check if the version of pinentry-touchid that you have installed is the native ARM one? ~15s to start pinentry-touchid seems a bit too much (even with rosetta emulation) but gpg-agent seems to be failing immediately to execute it. Wondering why this triggered only with the new version tho 🤔.

[shepherdjerred]

/opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid
OK Hi from pinentry-touchid!
^C⏎
~
❯ file /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid
/opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid: Mach-O 64-bit executable arm64

[jorgelbg]

@shepherdjerred by any chance did you change the /usr/local/bin/pinentry symlink? Is the output of gpgconf still the same as you posted here: #3 (comment)? Especially the pinentry:Passphrase Entry: line? I still don't get why it takes >10s for pinentry-touchid to report as ready (from the logs) but gpg-agent gives up almost instantly when trying to invoke /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid.

[jaismith]

having a similar issue as @shepherdjerred, also M1, on Big Sur 11.6. only difference I'm seeing is that pinentry-touchid doesn't seem to be actually called by gpg when trying to load the key, though I still get the same 'end of file' error in the logs. pinentry-mac does work on my system, and does prompt to save to the keychain (this was originally not allowing me to save to keychain, and I resolved it by switching from homebrew to the GPG Suite version).

$ cat ~/.gnupg/gpg-agent.conf
pinentry-program /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid
# pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
debug-level basic
log-file /tmp/gpg-agent.log
default-cache-ttl 600
max-cache-ttl 7200
default-cache-ttl-ssh 600
max-cache-ttl-ssh 7200

$ gpgconf --kill gpg-agent

$ echo 1234 | gpg -as -
gpg: using "30C05A67C1D52EC3AD083F4D5FE6F54B7094D4D9" as default secret key for signing
gpg: signing failed: No pinentry
-----BEGIN PGP MESSAGE-----

gpg: signing failed: No pinentry

$ cat /tmp/pinentry-touchid.log
cat: /tmp/pinentry-touchid.log: No such file or directory

$ cat /tmp/gpg-agent.log
2021-10-24 14:08:35 gpg-agent[7032] listening on socket '/Users/jaismith/.gnupg/S.gpg-agent'
2021-10-24 14:08:35 gpg-agent[7032] listening on socket '/Users/jaismith/.gnupg/S.gpg-agent.extra'
2021-10-24 14:08:35 gpg-agent[7032] listening on socket '/Users/jaismith/.gnupg/S.gpg-agent.browser'
2021-10-24 14:08:35 gpg-agent[7032] listening on socket '/Users/jaismith/.gnupg/S.gpg-agent.ssh'
2021-10-24 14:08:35 gpg-agent[7033] gpg-agent (GnuPG/MacGPG2) 2.2.27 started
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK Pleased to meet you, process 7030
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- RESET
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- OPTION ttyname=/dev/ttys000
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- OPTION ttytype=xterm-256color
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- OPTION display=/private/tmp/com.apple.launchd.8YWWSQxgft/org.xquartz:0
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- OPTION lc-ctype=en_US.UTF-8
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- OPTION lc-messages=en_US.UTF-8
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- GETINFO version
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> D 2.2.27
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- OPTION allow-pinentry-notify
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- OPTION agent-awareness=2.1.0
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- SCD SERIALNO
2021-10-24 14:08:35 gpg-agent[7033] no running SCdaemon - starting it
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_9 <- OK GNU Privacy Guard's Smartcard server ready
2021-10-24 14:08:35 gpg-agent[7033] DBG: first connection to SCdaemon established
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_9 -> GETINFO socket_name
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_9 <- D /Users/jaismith/.gnupg/S.scdaemon
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_9 <- OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: additional connections at '/Users/jaismith/.gnupg/S.scdaemon'
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_9 -> OPTION event-signal=31
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_9 <- OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_9 -> SERIALNO
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_9 <- ERR 100696144 Operation not supported by device <SCD>
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> ERR 100696144 Operation not supported by device <SCD>
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- HAVEKEY B449EBAA93111DE49C685D18222E7AA694BA5F15
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- HAVEKEY B449EBAA93111DE49C685D18222E7AA694BA5F15 DCB718637115E2645C753321DA4E786A8699B102
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- RESET
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- SIGKEY B449EBAA93111DE49C685D18222E7AA694BA5F15
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22Jai+K.+Smith+<jksmithnyc@gmail.com>%22%0A256-bit+EDDSA+key,+ID+5FE6F54B7094D4D9,%0Acreated+2021-10-23.%0A
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- SETHASH 8 0F5CEFA3F56F9F6766FB408DE6AEC2E3B3F0AE334A0F9F96DF2A82DC8069C058
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> OK
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- PKSIGN
2021-10-24 14:08:35 gpg-agent[7033] starting a new PIN Entry
2021-10-24 14:08:35 gpg-agent[7033] can't connect to the PIN entry module '/opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid': End of file
2021-10-24 14:08:35 gpg-agent[7033] DBG: error calling pinentry: No pinentry <GPG Agent>
2021-10-24 14:08:35 gpg-agent[7033] failed to unprotect the secret key: No pinentry
2021-10-24 14:08:35 gpg-agent[7033] failed to read the secret key
2021-10-24 14:08:35 gpg-agent[7033] command 'PKSIGN' failed: No pinentry
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 -> ERR 67108949 No pinentry <GPG Agent>
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_8 <- [eof]
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_9 -> RESTART
2021-10-24 14:08:35 gpg-agent[7033] DBG: chan_9 <- OK

$ file /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid
/opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid: Mach-O 64-bit executable arm64

$ /opt/homebrew/opt/pinentry-touchid/bin/pinentry-touchid
OK Hi from pinentry-touchid!
^C

$ cat /tmp/pinentry-touchid.log
2021/10/24 14:09:08 main.go:105: Ready!

$ brew info pinentry-touchid
jorgelbg/tap/pinentry-touchid: stable 0.0.2
Custom GPG pinentry program for macOS that allows using Touch ID for fetching the password from
the macOS keychain.
https://github.com/jorgelbg/pinentry-touchid
/opt/homebrew/Cellar/pinentry-touchid/0.0.2 (5 files, 2.3MB) *
  Built from source on 2021-10-23 at 17:03:03
From: https://github.com/jorgelbg/homebrew-tap/blob/HEAD/pinentry-touchid.rb

$ gpgconf
gpg:OpenPGP:/usr/local/MacGPG2/bin/gpg
gpg-agent:Private Keys:/usr/local/MacGPG2/bin/gpg-agent
scdaemon:Smartcards:/usr/local/MacGPG2/libexec/scdaemon
gpgsm:S/MIME:/usr/local/MacGPG2/bin/gpgsm
dirmngr:Network:/usr/local/MacGPG2/bin/dirmngr
pinentry:Passphrase Entry:/usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac

[jaismith]

@jorgelbg any updates on this?

[fredwangwang]

I run into the same issue, even on the intel based macbook. (MBP 16 2019, Big Sur 11.6)

Found out the problem, at least in my case, is the additional --display flag passed to the pinentry-touchid from gpg. It seems due to XQuartz been installed on the system.

I put up a quick fix here: #18

[jaismith]

This appears to have resolved itself on Monterey, I have it up and running on my M1 MBP running Monterey 12.1 and the latest gnupg from brew.

[shepherdjerred]

Found out the problem, at least in my case, is the additional --display flag passed to the pinentry-touchid from gpg. It seems due to XQuartz been installed on the system.

Perfect! Your PR fixed it for me.

[davidxia]

seems like this issue can be closed?

[jorgelbg]

Closing this issue now that it is confirmed to be working.

[treeshateorcs]

i'm facing this problem atm, here's my log

2023-09-10 05:39:34 gpg-agent[15552] listening on socket '/Users/tho/.gnupg/S.gpg-agent'
2023-09-10 05:39:34 gpg-agent[15552] listening on socket '/Users/tho/.gnupg/S.gpg-agent.extra'
2023-09-10 05:39:34 gpg-agent[15552] listening on socket '/Users/tho/.gnupg/S.gpg-agent.browser'
2023-09-10 05:39:34 gpg-agent[15552] listening on socket '/Users/tho/.gnupg/S.gpg-agent.ssh'
2023-09-10 05:39:34 gpg-agent[15553] gpg-agent (GnuPG) 2.4.3 started
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK Pleased to meet you, process 15550
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- RESET
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- OPTION ttyname=/dev/ttys000
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- OPTION ttytype=xterm-256color
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- OPTION lc-ctype=en_US.UTF-8
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- OPTION lc-messages=en_US.UTF-8
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- GETINFO version
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> D 2.4.3
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- OPTION allow-pinentry-notify
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- OPTION agent-awareness=2.1.0
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- KEYINFO F68D5F8A0BC5E7FDF9A4DFA63962D7B19B408506
2023-09-10 05:39:34 gpg-agent[15553] no running /opt/homebrew/Cellar/gnupg/2.4.3/libexec/scdaemon daemon - starting it
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_9 <- OK GNU Privacy Guard's Smartcard server ready
2023-09-10 05:39:34 gpg-agent[15553] first connection to daemon /opt/homebrew/Cellar/gnupg/2.4.3/libexec/scdaemon established
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_9 -> GETINFO socket_name
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_9 <- D /Users/tho/.gnupg/S.scdaemon
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_9 <- OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: additional connections at '/Users/tho/.gnupg/S.scdaemon'
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_9 -> OPTION event-signal=31
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_9 <- OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_9 -> KEYINFO --list
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_9 <- OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> S KEYINFO F68D5F8A0BC5E7FDF9A4DFA63962D7B19B408506 D - - - P - - -
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- HAVEKEY --list=1000
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_9 -> KEYINFO --list
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_9 <- OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> [ 44 20 09 22 89 4d 1d 94 ad e5 5f 22 03 da 78 f8 ...(398 byte(s) skipped) ]
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- RESET
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- SETKEY 0BDD05A740B9C28C5D896D2490449ABC0CEE8474
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22tho+<trees@hateorcs.com>%22%0A4096-bit+RSA+key,+ID+9FD5CC61F5B50569,%0Acreated+2020-12-06+(main+key+ID+09DEC517DD4EB0EA).%0A
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> OK
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- PKDECRYPT
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> S INQUIRE_MAXLEN 4096
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 -> INQUIRE CIPHERTEXT
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- [ 44 20 28 37 3a 65 6e 63 2d 76 61 6c 28 33 3a 72 ...(538 byte(s) skipped) ]
2023-09-10 05:39:34 gpg-agent[15553] DBG: chan_8 <- END
2023-09-10 05:39:34 gpg-agent[15553] starting a new PIN Entry
2023-09-10 05:39:34 gpg-agent[15553] DBG: connection to PIN entry established
2023-09-10 05:39:34 gpg-agent[15553] You may want to update to a newer pinentry
2023-09-10 05:39:56 gpg-agent[15553] DBG: error calling pinentry: Operation cancelled <Pinentry>
2023-09-10 05:39:56 gpg-agent[15553] failed to unprotect the secret key: Operation cancelled
2023-09-10 05:39:56 gpg-agent[15553] failed to read the secret key
2023-09-10 05:39:56 gpg-agent[15553] command 'PKDECRYPT' failed: Operation cancelled <Pinentry>
2023-09-10 05:39:56 gpg-agent[15553] DBG: chan_8 -> ERR 83886179 Operation cancelled <Pinentry>
2023-09-10 05:39:56 gpg-agent[15553] DBG: chan_8 <- SCD SERIALNO
2023-09-10 05:39:56 gpg-agent[15553] DBG: chan_9 -> SERIALNO
2023-09-10 05:39:56 gpg-agent[15553] DBG: chan_9 <- ERR 100696144 Operation not supported by device <SCD>
2023-09-10 05:39:56 gpg-agent[15553] DBG: chan_8 -> ERR 100696144 Operation not supported by device <SCD>
2023-09-10 05:39:56 gpg-agent[15553] DBG: chan_8 <- [eof]
2023-09-10 05:39:56 gpg-agent[15553] DBG: chan_9 -> RESTART
2023-09-10 05:39:56 gpg-agent[15553] DBG: chan_9 <- OK

i'm running venture, fully up to date