Skip to content

Latest commit

 

History

History
79 lines (52 loc) · 2.55 KB

README.md

File metadata and controls

79 lines (52 loc) · 2.55 KB

Pinentry-TouchID

Custom GPG pinentry program for macOS that allows using Touch ID for retrieving the key passphrase from the macOS keychain. (MacBook Pro with TouchID only)

Installation

Prerequisites

Install both using Homebrew:

$ brew install gnupg pinentry-mac

Pre-build Binaries

Download pre-build pinentry-touchid binaries from the GitHub Releases page.

$ VERSION=$(curl -fsSL https://api.github.com/repos/felix-kaestner/pinentry-touchid/releases/latest | jq -r .tag_name)
$ curl -fsSL -o pinentry-touchid "https://github.com/felix-kaestner/pinentry-touchid/releases/download/${VERSION}/pinentry-touchid-${VERSION}-$(uname -s)-$(uname -m)"
$ mv pinentry-touchid /usr/local/bin/pinentry-touchid

Manual

Clone the repository:

$ git clone https://github.com/felix-kaestner/pinentry-touchid.git

Build the binary using:

$ ./build.sh

Quickstart

List the keygrip of the GPG Key for which you want to store the passphrase:

$ gpg --list-keys --with-keygrip

/Users/user/.gnupg/pubring.kbx
----------------------------------------
pub   rsa4096 2022-04-01 [SC]
      < ... >
      Keygrip = 78066B99A804208F8DDB3C8F388C56C1C74EA812
uid           [ultimate] Felix Kästner <mail@felix-kaestner.com>

Create a new entry in the MacOS Keychain for storing your passphrase:

Go to Keychain Access > Select the login keychain under Default Keychains > Click on Create new Keychain item. in the upper right (via the pencil icon). Fill in the prompt with the following information:

  • Keychain Item Name: "GnuPG"
  • Account Name: GPG Keygrip
  • Password: Your Passphrase

Finally, click on Add.

Configure the gpg-agent to use pinentry-touchid as its pinentry program. Add or replace the following line to your gpg agent configuration in: ~/.gnupg/gpg-agent.conf:

$ pinentry-program /usr/local/bin/pinentry-touchid

Pinentry-TouchID is now fully configured!

When used for the first time, MacOS will prompt you to allow access to the keychain. Simply provide access by using your user password and clicking Always Allow, so you won't be asked on every use.