Storing keys in Mac Keychain Access

27 Nov, 2016 08:20 PM

I was getting frequent Mac Pinentry messages asking me to enter my passphrase. I tried storing my passphrase in GPG Prefs following the instructions. I set it for 86,400 seconds, which is equal to 24 hours. It wouldn't let me set it for 48 hours. (The default is only 600 seconds, which doesn't even seem worth it.) Even though I set it for 24 hours, the pin entry message appeared less than 24 hours later. This time, in the dialog box, I checked the box to store my passphrase. So far I have not gotten any more messages. But I'm just wondering, for future reference, why the first method didn't let me set it for a longer period of time and why it didn't even work for the duration that I set it for.

  1. Support Staff 1 Posted by Steve on 01 Dec, 2016 06:18 PM

    Hey optiondog,

    did you type '86,400' for the amount of seconds your password should be cached? If so, could you retry your experiment with '86400' instead. I fear you may have set the caching time to 86 seconds.

    Please see this KB-article on how to manage passwords for your keys.

    You have now used another method and stored your password in the macOS keychain. The KB article above has the details.

    All the best,

  2. 2 Posted by optiondog on 01 Dec, 2016 11:16 PM

    Thank you for all your help.  
    I'm pretty sure I didn't enter a comma.  I initially tried 172,800 and it told me that I can't set it for that long, so that means I didn't use a comma on that attempt.  Otherwise it would have allowed it.  And when I changed it to 86,400 I don't think I suddenly decided to add a comma.  I just opened the prefs and there's no comma, so even if I had typed a comma it apparently deleted it on its own. It's stored now because I checked it in the dialog box when the pin entry message came up again.  
    BTW, I opened my Mac Keychain Access and it only shows one of my public keys stored.  I have created several keys and the one that shows as being stored is one that I don't even use.  I'm still not getting any more pin entry messages (which is fine), but it seems like I should be getting messages wanting me to store my other keys too.  Any idea why I'm not getting any?
    Still wondering how to locate my secret key too.  Are they supposed to be in the private-keys-v1.d folder?  That folder is empty.  There is a document called securing.gpg.  Is that it? Maybe you answered this in another recent message.  I'll check to see.

  3. Support Staff 3 Posted by Steve on 03 Dec, 2016 08:09 PM

    The current max. is 86999 seconds. We probably should limit the field to 5 digits and then allow 99999 as maximum.

    We have a ticket for this problem. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you'll stay in the loop and get notified as soon as we have news. Feel free to open a new discussion should you run into further problems or need assistance.

    Regarding macOS keychain storage: while you may have created more than one key, that doesn't necessarily mean those already have their passwords stored in the macOS keychain.

    Whenever the key is required to sign or decrypt you will be asked for your password (in case it is not stored in macOS keychain). So to trigger the dialog just sign some sample text in TextEdit with the respective key and pinentry should show.

    Secret keys are indeed stored in the securing.gpg file.
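
The caching-time problem discussed in the posts above (a value typed as "86,400" possibly being read as 86, and the field's 86999-second ceiling) is a classic lenient-parsing failure. The following is an added example, not GPG Suite's code, showing a lenient parse beside a strict one and the gpg-agent.conf lines a validated value maps to. The 86999 ceiling is taken from Steve's post as the field limit; `default-cache-ttl` and `max-cache-ttl` are gpg-agent's real options, and gpg-agent's built-in default of 600 seconds matches the value optiondog mentions.

```python
"""Validating a passphrase cache timeout before handing it to gpg-agent.

Added example, not GPG Suite's code. The 86999-second ceiling is the field
limit quoted in this thread; gpg-agent itself takes default-cache-ttl and
max-cache-ttl in seconds.
"""
import re

MAX_CACHE_SECONDS = 86999  # field limit quoted in the thread (assumed for this demo)
GPG_AGENT_DEFAULT = 600    # gpg-agent's built-in default-cache-ttl


def lenient_seconds(text: str) -> int:
    """What a lenient parser does: read the leading digits and stop at the
    first non-digit, so '86,400' silently becomes 86."""
    m = re.match(r"\s*([0-9]+)", text)
    return int(m.group(1)) if m else 0


def strict_seconds(text: str, maximum: int = MAX_CACHE_SECONDS) -> int:
    """Accept only an unadorned run of ASCII digits within 1..maximum.
    Thousands separators, signs, embedded whitespace and out-of-range values
    are rejected instead of being silently trimmed."""
    s = text.strip()
    if not re.fullmatch(r"[0-9]+", s):
        raise ValueError(f"cache time must be digits only, got {text!r}")
    value = int(s)
    if not 1 <= value <= maximum:
        raise ValueError(f"cache time must be 1..{maximum} seconds, got {value}")
    return value


def agent_conf_lines(seconds: int) -> str:
    """gpg-agent.conf fragment. max-cache-ttl caps default-cache-ttl, so both
    are set; otherwise the entry still expires at the agent's 7200-second
    maximum regardless of the default value."""
    return f"default-cache-ttl {seconds}\nmax-cache-ttl {seconds}\n"


def describe(text: str) -> str:
    """Show lenient versus strict handling for one user-typed value."""
    try:
        strict = str(strict_seconds(text))
    except ValueError as exc:
        strict = f"rejected ({exc})"
    return f"{text!r}: lenient={lenient_seconds(text)} strict={strict}"


if __name__ == "__main__":
    for typed in ("600", "86400", "86,400", "172800"):
        print(describe(typed))
    print(agent_conf_lines(strict_seconds("86400")), end="")
```

Run as a script it prints one line per sample value; the interesting one is "86,400", where the lenient parse yields 86 while the strict parse rejects the input outright, which is the behaviour a preferences field should have.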

  4. 4 Posted by optiondog on 04 Dec, 2016 08:45 PM

    I have several public keys but I only have one passphrase. So now that I have stored that passphrase by checking that box in that last pin entry message dialog box I got, shouldn't Mac Keychain Access show my other keys too since they're all associated with the same passphrase?
    After I checked the box to store my passphrase, I stopped receiving the messages, so that would imply that by storing it this way I can store it for more than 86999 seconds.  
    It also implies that all my public keys are being stored, otherwise I would still be getting pin entry messages.  Those messages kept appearing without me having to sign any text with my key.
    Many thanks

  5. Support Staff 5 Posted by Steve on 12 Dec, 2016 10:41 AM

    No, that's not how things work. Passwords are not associated with all keys if they are the same. Thoughts about that:

    • you should never reuse passwords on more than one occasion (unless you have a really good reason to do so), since it lowers security a lot and if you get compromised the entire security process collapses

    macOS keychain access can store your password, but does so only in regard to a specific key. So to answer your question: you will have to store any password you want stored separately, even if it is an identical password (which, again, is a policy we would not recommend).

    The pinentry dialog is not related to usage of your public key. Those dialogs were probably triggered by either sending a signed mail or looking at encrypted mails, for which access to your secret key was requested in order to decrypt them.

    All the best,

  6. 6 Posted by optiondog on 12 Dec, 2016 07:37 PM

    The pin entry dialogs were appearing without me doing any of that.  In fact, on many occasions I would simply wake up my computer from sleep mode and the dialog would be there on my screen.  
    I never realized I was supposed to use different passwords.  When you say I should never reuse the password in more than one occasion, do you actually mean I should use a different password every time I encrypt or decrypt a message even if I'm using the same public key?  Or just use a different password for each different public key I use?  Either way I suppose I'll have to learn how to create different passwords.  Perhaps you have a link to some instructions on that?

  7. Support Staff 7 Posted by Steve on 15 Dec, 2016 11:52 AM

    Was open when you put your machine to sleep? Try the same but make sure you select an empty folder or inbox before putting your computer to sleep. Then pinentry should not show up.

    What I meant by not using the same password was the (sadly) common practice of using one password for all your logins (and keys). That's not a good idea. If you get compromised for whatever reason, you've got a real problem. So it is recommended not to re-use the same password. If you set a password for a certain OpenPGP key, that password remains the same, of course. Unless you decide to change it every 6 months. Which again isn't such a bad idea, as long as you have a good way to keep track of your passwords.

    Password managers are one solution to the problem. They generate strong passwords. But again, it should be a software which you can trust. I would not use a web based password manager.

    If you prefer paper, you may want to look into creating diceware passwords
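
Diceware, which Steve recommends above, maps five dice rolls to one entry in a 7776-word list. The following is an added example, not part of this thread and not GPG Suite's code. It parses a word list in the EFF file format (five-digit roll, tab, word), looks up recorded physical rolls, offers a CSPRNG-based software equivalent, and reports the resulting entropy. The embedded six-line word list is a constructed stub so the block runs offline; a real list has all 7776 entries.

```python
"""Diceware passphrases: five dice rolls index one word in a 7776-entry list.

Added example, not GPG Suite's code. STUB_WORDLIST_TEXT is a constructed
stub in the EFF file format; load a full list from disk for real use.
"""
import math
import secrets

# Constructed stub: six entries instead of the real 6**5 = 7776.
STUB_WORDLIST_TEXT = """11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
"""


def parse_wordlist(text: str) -> dict:
    """Parse 'roll<TAB>word' lines into {roll: word}; skip blanks and '#' lines.
    A roll key must be exactly five digits in the range 1..6."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        roll, word = line.split("\t", 1)
        if len(roll) != 5 or any(c not in "123456" for c in roll):
            raise ValueError(f"bad roll key {roll!r}")
        words[roll] = word.strip()
    return words


def roll_key(dice: int = 5) -> str:
    """Software stand-in for five physical dice: CSPRNG rolls of a d6."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def words_for_rolls(rolls, wordlist: dict) -> str:
    """Paper method: look up each recorded roll. An unknown roll raises
    KeyError rather than silently substituting a word."""
    return " ".join(wordlist[r] for r in rolls)


def generate(n_words: int, wordlist: dict) -> str:
    """Software method: uniform CSPRNG choice over the list, which gives the
    same entropy per word as dice when the list is complete."""
    choices = list(wordlist.values())
    return " ".join(secrets.choice(choices) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of an n-word passphrase drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    wl = parse_wordlist(STUB_WORDLIST_TEXT)
    print("rolls 11111 11116 ->", words_for_rolls(["11111", "11116"], wl))
    print("software pick     ->", generate(4, wl))
    print("a fresh roll      ->", roll_key())
    print(f"6 words from a full list: {entropy_bits(6, 7776):.1f} bits")
```

With the stub list the software picks are only illustrative; the entropy figure (about 77.5 bits for six words from a full list) is what makes a six-word Diceware passphrase a reasonable choice for an OpenPGP key.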

  8. Steve closed this discussion on 20 Apr, 2017 03:00 PM.

  9. Support Staff 8 Posted by Steve on 24 May, 2017 03:45 PM

    Hi optiondog,

    the issue with the caching time field has been fixed. If you want to test the fix, please download our latest nightly GPG Suite. That page also has the sig and SHA1 to verify the download.

    Should the problem persist, please re-open this discussion and let us know. For more questions that are not related to this specific problem, you are welcome to create a new discussion any time.

    Best, steve

    Disclaimer: This is a development version which has not been thoroughly tested yet, so bugs or crashes are to be expected. Thanks for helping us test this fix.

  10. Steve closed this discussion on 24 May, 2017 03:45 PM.

  11. optiondog re-opened this discussion on 11 Jan, 2018 11:20 PM

  12. 9 Posted by optiondog on 11 Jan, 2018 11:20 PM

    I currently have OS X 10.11.6 on my iMac.  I have GPG Keychain 1.2.1 (1147).  Will your current version work with my operating system?
    I believe your current version is GPG Suite 2017.2 with Keychain 1.4.1.  Your update information says GPG Mail 3.ob2 (10.13 only).  Does that mean it only works with OS X 10.13?  
    But I read somewhere that when I install GPG Suite I can do a custom install and select which tools I want.  For example I can choose to only install GPG Keychain.  Is this true?  I think I might have done that when I originally installed it because currently all I have is GPG Keychain.  I don’t have GPG Mail and I have never needed it.  Another article online said that on a Mac it only installs GPG Keychain anyway.  So is this true or can I custom install and just get GPG Keychain?
    If your current version of GPG Keychain doesn’t work with Mac OS X 10.11.6, do you still have an earlier version that will work with it?
    When your update messages appear on my screen asking me if I want to update now, if I click it will it actually install it or will it just upload it to my Download folder?  I started to do it one day in the hopes that it would just download it but a progress bar appeared which made me think it might be installing it so I cancelled it.  Does it work the same way if I download it from your website?
    I tried to make a donation once using PayPal but either something went wrong or maybe something happened that confused me.  I can’t even remember exactly what happened as it was some time ago.  Anyway, if your current updates aren’t charging yet, then how can I make a donation using PayPal? 
    Thank you so much,

  13. Support Staff 10 Posted by Steve on 13 Jan, 2018 02:33 PM

    Hi Howard,

    the current release is GPG Suite 2017.3 and it supports macOS 10.9 and newer. Everything works fine on macOS 10.11.

    You can indeed customize the installation and deselect components if you want during install. To do that, download GPG Suite, mount the installer and keep looking for the "Customize" button.

    When you see an update message, that will download the new software and install it without you having to mount anything. So if you just want to download the new version and install it at a later point in time, I'd suggest downloading GPG Suite from the homepage.

    GPG Suite is currently still free. Donations can be made here:

    Have a great weekend and let me know if you have further questions.


  14. Steve closed this discussion on 26 Mar, 2018 06:50 PM.
