pinentry-mac not displaying save to keychain checkbox

MYOnZIRE

27 May, 2020 07:19 AM

Which of our tools is giving you problems? pinentry-mac (pinentry) 1.1.0 on macOS 10.15.4 (19E287)

Describe your problem. Add as much detail as possible. I had previously stored a passphrase in keychain and yesterday updated gpg to the current version. After that I received a request from macOS to allow pinentry-mac to access that passphrase in keychain, which is usual behaviour after I update gpg components. In this request, I was presented with the options Always Allow, Allow and Deny. I chose Deny.

pinentry-mac has not requested access to keychain ever since (which I could understand since it might mean making a request every time a passphrase is requested from the user unless they hit "Always Allow"). I also am not presented with a "Save to keychain" checkbox, though, which means I can never save my passphrase in keychain again.

This is not the first time I noticed this behaviour after an update, but I really do not want to wait until the next update for it to request permission again. I tried the bugfix to the known bug in Mojave, but that did not help.

com.apple.securityd […] 29.340233[…] pinentry-mac    Adding securityd connection to pool, total now 1
com.apple.securityd […] 29.343756[…]    pinentry-mac    UNIX error exception: 17
com.apple.securityd […] 29.348900[…]    pinentry-mac    UNIX error exception: 17
com.apple.securityd […] 29.351145[…]    pinentry-mac    UNIX error exception: 17
com.apple.securityd […] 29.353224[…]    pinentry-mac    UNIX error exception: 17
com.apple.securityd […] 29.355787[…]    pinentry-mac    UNIX error exception: 17
com.apple.securityd […] 29.358195[…]    pinentry-mac    UNIX error exception: 17

Describe steps leading to the problem. When asked to permit keychain access, choose Deny.

What did you expect instead Displaying the "Save to keychain" checkbox every time and asking for access to keychain again after I check it.

  1. Posted by MYOnZIRE on 27 May, 2020 07:25 AM

    I would like to add that caching my passphrase works as expected, I just cannot store it. Storing the passphrase in the macOS keychain is not disabled via defaults:

    defaults read org.gpgtools.common DisableKeychain
    
    will report
    The domain/default pair of (org.gpgtools.common, DisableKeychain) does not exist
    

    In fact, the entire domain is empty. The GPG Suite is not installed. This is an isolated problem.

    I would also like to point out that while this is not related to any signing operation, there also is no ignore-cache-for-signing in ~/.gnupg/gpg-agent.conf.

  2. Posted by Steve (Support Staff) on 28 May, 2020 05:19 PM

    Hi MYOnZIRE,

    welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.

    This sounds like a bug in macOS which we thought was fixed on macOS 10.15 Catalina. Can you please logout and log back in and see if you are then able to store the password in macOS keychain again.

    Do let us know if that helps.

    Best,
    Steve

  3. Posted by Steve (Support Staff) on 28 May, 2020 05:34 PM

    If the issue persists, can you please create a screenshot of the error message you are seeing.

    Could you open macOS Keychain Access and search for "GnuPG". Do you see any matches for that query?

    Could you please download and install our latest hotfix GPG Suite and see if that solves your problem.

    All the best,
    Steve

    Disclaimer: Hotfixes are GPG Suite builds containing our latest source code, so bugs and crashes may occur.

  4. Posted by MYOnZIRE on 29 May, 2020 01:24 PM

    Hey Steve – thanks for your reply. A few things, if you allow me to:

    1. It does sound like a regression in macOS, yes. Logging out and back in does not help. Locking and unlocking keychain does not help. Just locking the keychain does not help. Restarting the machine does not help.

    2. There is no error message. The pinentry-mac dialog does not display the checkbox and the label "Save to keychain" that it is supposed to display.

    3. There is no match in the keychain currently, which yes, I do find odd – but even if there currently is no passphrase stored in the keychain (anymore), it should still be possible to add one, so the checkbox should display to allow me to do so.

    4. I am using Patrick's build of pinentry-mac, which is built from your sources. Maybe Roman can help out here since he seems to have contributed to the necessary patches that Patrick has included in his builds as well.

    5. Installing your entire nightly build on top of my system will cause a lot of headaches for everyone. These are not the troubleshooting steps you're looking for.

    6. I don't think it's such a great idea for me to start picking apart your hotfix installer for binaries and libraries, either. Maybe we could instead start with some problem-specific debugging.

    I'm sure you know how you did pin down the issue last time. Why don't we start there?

    Thank you for your help, stay safe!

  5. Posted by Luke Le (Support Staff) on 29 May, 2020 03:54 PM

    Hi,

    thanks for the detailed info.
    Are you able to build pinentry-mac from source? If so, I could send you some patched source code to figure out why the checkbox is not showing.

    Just to understand, are you seeing the pinentry dialog come up when you try to decrypt something after a reboot or are you no longer seeing that dialog either?

    If you search for "GnuPG" in macOS Keychain Access please make sure that all objects is selected in the lower left pane.

    Clicking on deny does in fact cause pinentry-mac to not show the checkbox, the decision shouldn't be saved by macOS though and you should be asked again at the latest after a reboot.

    There's one other possibility that your gnupg doesn't pass the cache id along to pinentry, but that should not be the case.

  6. Posted by MYOnZIRE on 29 May, 2020 04:13 PM

    Hey Luke – no worries, we're kind of in this together, I guess. I'm happy to attempt a build if you think that may lead to a solution, sure!

    I am seeing the pinentry dialog coming up every time I expect it to. It works fine, the gpg-agent is caching my passphrase as well. I attached a screenshot.

    The macOS Keychain does not contain any element with "GnuPG" at the moment.

  7. Posted by Luke Le (Support Staff) on 29 May, 2020 04:22 PM

    I just had a quick test with Patrick's version, and it appears to be related to his version of pinentry-mac.

    Attached you will find the version from GPG Suite. For a test, simply put it in /usr/local/libexec/ and add to ~/.gnupg/gpg-agent.conf:

    pinentry-program /usr/local/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
    

    After that, kill all GnuPG processes:

    killall gpg-agent
    killall gpg2
    killall gpg
    killall dirmngr
    

    And run the following test:

    echo "Test" | gpg -as
    

    You should see the pinentry dialog and the save in keychain checkbox.

    Looking forward to reading your results.
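
The steps above (point gpg-agent at a pinentry binary, restart the agent, trigger a signature) as one script. This is an added example, not code from the thread or from GPGTools; the pinentry path is the one named in the post and is an assumption, as is the use of `gpgconf --kill gpg-agent` (the supported way to stop the agent since GnuPG 2.1) in place of the `killall` sequence. The config edit is idempotent so re-running it never leaves two `pinentry-program` lines, and the pinentry binary is started on its own first, so a load-time failure (such as a dyld library-validation error) is reported before gpg is involved.

```shell
#!/bin/sh
# Added example (not from the thread): switch gpg-agent to a specific
# pinentry binary, restart the agent, and run the sign test.
# Assumed path: /usr/local/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
set -eu

# set_pinentry_program CONF PINENTRY
# Replace (or append) the pinentry-program directive in CONF, keeping
# every other line. Safe to run repeatedly.
set_pinentry_program() {
    conf=$1
    pinentry=$2
    tmp="${conf}.tmp.$$"
    if [ -f "$conf" ]; then
        # grep -v exits 1 when it selects nothing; that is not an error here.
        grep -v '^[[:space:]]*pinentry-program[[:space:]]' "$conf" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'pinentry-program %s\n' "$pinentry" >> "$tmp"
    mv "$tmp" "$conf"
    chmod 600 "$conf"     # gpg-agent.conf is private configuration
}

# current_pinentry_program CONF
# Print the configured pinentry path (last directive wins, as in gpg-agent).
current_pinentry_program() {
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]]*//p' "$1" | tail -n 1
}

# restart_agent: gpgconf --kill is preferred; fall back to killall.
restart_agent() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill gpg-agent
    else
        killall gpg-agent 2>/dev/null || true
    fi
}

# pinentry_smoke_test PINENTRY
# First make sure the binary itself loads (this is where a dyld
# "Library not loaded" error shows up), then ask gpg for a signature,
# which brings up the pinentry dialog.
pinentry_smoke_test() {
    pinentry=$1
    "$pinentry" --version >/dev/null 2>&1 || {
        echo "pinentry failed to start: $pinentry" >&2
        return 1
    }
    echo "Test" | gpg --armor --sign >/dev/null
}

# Run the whole procedure only when invoked as: sh script.sh apply
if [ "${1:-}" = "apply" ]; then
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    pinentry=/usr/local/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
    set_pinentry_program "$conf" "$pinentry"
    restart_agent
    pinentry_smoke_test "$pinentry"
fi
```

If `pinentry_smoke_test` fails at the first step, look at the error printed when you run the pinentry binary directly; if it passes that step but no checkbox appears, the problem is in pinentry-mac or the keychain permission, not in the agent configuration.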

  8. Posted by MYOnZIRE on 29 May, 2020 06:27 PM

    Hey Luke – thanks for checking, I appreciate you taking the extra step here!

    I had tried already using that version before my previous post, but I'm missing the library in /usr/local/MacGPG2/lib/libassuan.0.dylib and I figured it would be a lot easier for you to provide it than for me to find it inside your installer's payload. Would you be so kind?

  9. Posted by Luke Le (Support Staff) on 29 May, 2020 06:33 PM

    Ah right. A single library might not suffice, but what you can do is to link Patrick's gnupg:

    mkdir -p /usr/local/MacGPG2
    ln -s /usr/local/gnupg-2.2/lib /usr/local/MacGPG2/lib
    

    Not sure if the path to Patrick's gnupg is correct, so verify that first.

    After that pinentry-mac should find the required libs.

  10. Posted by MYOnZIRE on 29 May, 2020 07:14 PM

    Good point. Unfortunately it's not as easy:

    ~ /usr/local/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac 
    dyld: Library not loaded: /usr/local/MacGPG2/lib/libassuan.0.dylib
      Referenced from: /usr/local/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
      Reason: no suitable image found.  Did find:
        /usr/local/MacGPG2/lib/libassuan.0.dylib: code signature in (/usr/local/MacGPG2/lib/libassuan.0.dylib) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
        /usr/local/MacGPG2/lib/libassuan.0.dylib: stat() failed with errno=1
    

    Can you think of another quick and easy way to test your executable?

  11. Posted by MYOnZIRE on 29 May, 2020 07:26 PM

    …e.g. is it easier for you to compile a version without library validation enabled or is there a way for me to install all of your software using some custom prefix maybe?

    (Before you think about it … ad-hoc signing does not suffice and removing the signature altogether will not work either.)

  12. Posted by Steve (Support Staff) on 29 May, 2020 10:34 PM

    A very simple test worth trying would be to uninstall Patrick's gnupg, then run the GPG Suite installer and install MacGPG from there and see how pinentry then behaves. It would be interesting to learn if that gives the expected behavior.

  13. Posted by MYOnZIRE on 29 May, 2020 11:45 PM

    That sounds like a simple thing to do, but you are conveniently not including the step of getting things back into the previous state, including both restoring the current configuration and performing a truly clean uninstall of MacGPG.

    I do agree that this test would help us a great deal, though, so I will go ahead and clone my installation for you. I will keep you posted.

  14. Posted by Patrick on 30 May, 2020 09:38 AM

    I must admit that my version of pinentry is a few months old, I don't regularly update it. Given this, I should probably update pinentry for the next gpgOSX version.

  15. Posted by MYOnZIRE on 30 May, 2020 01:42 PM

    I can confirm that using MacGPG it works well.

    1) On a cloned machine, I removed Patrick's gnupg and installed MacGPG (just the core functionality). Works fine.
    2) I then copied the MacGPG2 folder from the cloned machine folder to /usr/local on my actual machine and the pinentry-mac.app from the nightly build to /usr/local/libexec (and adjusted gpg-agent.conf accordingly). Works fine.

    Looks to me like it would be worth it to build the current version of pinentry-mac into gpgOSX, which is 1.1.0.2 and seems to fix a lot of things around keychain. Thank you so much for your quick help, folks – that's very much appreciated!

  16. Posted by Steve (Support Staff) on 08 Jun, 2020 09:20 PM

    Glad this is solved for you. I'm closing this discussion. Should you need further assistance or have questions you can re-open this discussion here or open a new one any time.

    Best,
    Steve

  17. Steve closed this discussion on 08 Jun, 2020 09:20 PM.
