Missing keys after migrating to GnuPG 2.2

GPG Suite 2017.1 and later include GnuPG 2.2. This KB article covers issues reported after the migration to GnuPG 2.2.

Since the update I'm asked for my secret key's passphrase, but I can't remember what it was

The good news is, your passphrase is still stored in macOS Keychain. To access it:

  1. Open macOS Keychain Access (enter Keychain Access in Spotlight)
  2. Enter "GnuPG" in the search field
  3. Double-click on the resulting entry

Unfortunately, GnuPG 2.2 changed the format in which passphrases are stored in macOS Keychain. As a consequence, you will have to re-enter your passphrase once for signing a message/file and once for decrypting a message/file. After that, you will not be asked for your passphrase again if you choose to store it in macOS Keychain.

Missing secret key(s) and / or public keys

GnuPG 2.2 has introduced a new file format for storing your GnuPG keyring. On first use after updating to GPG Suite 2017.1, your old keyring will be converted to the new format. In some cases the migration unfortunately doesn't complete.

Re-import missing secret keys by opening Terminal.app and pasting the following command:

gpg --import < ~/.gnupg/secring.gpg

If the missing secret key is stored on a smart card / USB token, please see the next section. Should the secret key still be missing after this command and it's not stored on a smart card / USB token, please create a new discussion. We created a backup before converting your keys, so they are not lost.

Re-import missing public keys by opening Terminal.app and pasting the following command:

gpg --import < ~/.gnupg/pubring.gpg

Missing a secret key (smart card / USB token edition)

Unfortunately, GnuPG 2.2 doesn't migrate your smart card key stubs when migrating from GnuPG 2.0. To re-create them, run the following command for each smart card:

gpg --card-status
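
To see which secret keys the migration actually dropped before re-importing anything, the following added example (not part of the original article or of GPG Suite) compares the fingerprints in the legacy keyring with those GnuPG lists now. It assumes the legacy file is at ~/.gnupg/secring.gpg, as in the commands above; the function names are this example's own.

```shell
# Added example, not GPG Suite code; function names are this example's own.

# Print primary-key fingerprints found in colon listing $1 but not in $2.
# Field 10 of an "fpr" record is the fingerprint; only the fpr record that
# directly follows sec/pub is the primary key (later ones are subkeys).
missing_fprs() {
  awk -F: -v current="$2" '
    FNR == 1                   { primary = 0 }
    $1 == "sec" || $1 == "pub" { primary = 1; next }
    $1 == "ssb" || $1 == "sub" { primary = 0; next }
    $1 == "fpr" && primary {
      primary = 0
      if (FILENAME == current) have[$10] = 1
      else if (!($10 in have)) { print $10; have[$10] = 1 }
    }
  ' "$2" "$1"
}

# show-only lists the keys in the legacy file without importing them.
check_migration() {
  legacy="${1:-$HOME/.gnupg/secring.gpg}"
  work=$(mktemp -d) || return 1
  gpg --batch --with-colons --import-options show-only \
      --import "$legacy" > "$work/legacy" 2>/dev/null
  gpg --batch --with-colons --list-secret-keys > "$work/current" 2>/dev/null
  missing_fprs "$work/legacy" "$work/current"
  rm -rf "$work"
}

# Constructed, abbreviated listings (not real keys): key ...AAAA migrated,
# key ...BBBB did not; ...CCCC is a subkey and must not be reported.
demo() {
  work=$(mktemp -d) || return 1
  cat > "$work/legacy" <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC:
fpr:::::::::111111111111111111111111AAAAAAAAAAAAAAAA:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1400000000::::::e:
fpr:::::::::333333333333333333333333CCCCCCCCCCCCCCCC:
sec:u:4096:1:BBBBBBBBBBBBBBBB:1400000001:::u:::scESC:
fpr:::::::::222222222222222222222222BBBBBBBBBBBBBBBB:
EOF
  sed -n '1,2p' "$work/legacy" > "$work/current"
  missing_fprs "$work/legacy" "$work/current"
  rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1 && [ -f "$HOME/.gnupg/secring.gpg" ]; then
  check_migration
else
  demo
fi
```

Each fingerprint printed is a secret key that did not make it into the new keyring; for keys held on a smart card / USB token, re-create the stub with gpg --card-status as described above.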

YubiKey no longer working

Some users have reported that their YubiKeys are no longer working after updating to GPG Suite 2017.1, which is related to the new GnuPG 2.2.
In order to be able to use your YubiKey with GnuPG 2.2 again, please follow these steps:

  1. Download and install the YubiKey NEO Manager
  2. Plug in your YubiKey
  3. Start the YubiKey NEO Manager application
  4. Click on the "Change connection mode" button
  5. Deselect the "CCID" option if it's checked.
  6. Press OK and remove the YubiKey
  7. Plug the YubiKey back in
  8. Click on the "Change connection mode" button again
  9. Check the "CCID" option
  10. Press OK and remove the YubiKey
  11. Plug the YubiKey back in
  12. Close YubiKey NEO Manager

To verify that these steps worked, run gpg --card-status in Terminal and check if your key pair shows up.
You should now be able to use your YubiKey again just like before.

If you are still seeing issues after following these steps, there's something else which could help:

  1. Edit or create a file called scdaemon.conf in ~/.gnupg
  2. Add the following line:

    shared-access

  3. Save the file and kill scdaemon:

    killall scdaemon

  4. Run gpg --card-status again

If neither of these steps works, please open a support request.