Prevent git from asking for the GnuPG password during signing a commit
Git never gets hold of the GnuPG passphrase. You must rely on GnuPG's capabilities of caching passphrases, which happens through gpg-agent, which is easily set up by editing ~/.gnupg/gpg-agent.conf (hidden somewhere in your AppData folder in Windows).

Set default-cache-ttl to the number of seconds the passphrase is cached after each invocation of GnuPG. maximum-cache-ttl sets the time after the passphrase was initially entered at which the cache is wiped. Make sure ignore-cache-for-signing is not set -- otherwise GnuPG will ignore the cache for signing operations.

If you want to sign commits without any user interaction, you can prefill the cache through gpg-preset-passphrase, often hidden somewhere in a location like /usr/lib/gnupg2/gpg-preset-passphrase; or by running an arbitrary decryption or signing operation. You might also configure git to use an option like --passphrase [your passphrase] to be passed to gpg, but read up on the restrictions and security implications of this approach (it involves your passphrase being stored in plaintext somewhere).

The full list of options is here.
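As an added example (not code from the answer above), here is a small POSIX shell script that puts the three pieces of that answer together: it renders a gpg-agent.conf with the cache TTLs, checks the file for the ignore-cache-for-signing trap, looks up the keygrip of the signing key, and prefills the agent cache with gpg-preset-passphrase. It assumes GnuPG 2.1 or newer (so that gpgconf --list-dirs libexecdir locates gpg-preset-passphrase and gpg --with-keygrip prints keygrips); the key id in $GPGKEY is a placeholder you supply, and the passphrase is read from stdin rather than stored in the script.

```shell
#!/bin/sh
# Added example, not from the answer above. Assumes GnuPG >= 2.1.
# Usage: GPGKEY=<your key id> ./agent-cache.sh < file-holding-passphrase
set -eu

# Print a gpg-agent.conf body.
# $1 = default-cache-ttl, $2 = maximum-cache-ttl (both in seconds).
# allow-preset-passphrase is what lets gpg-preset-passphrase fill the cache.
render_agent_conf() {
  printf '%s\n' \
    "default-cache-ttl $1" \
    "maximum-cache-ttl $2" \
    "allow-preset-passphrase"
}

# Return 0 if the conf file $1 lets signing use the cache, 1 if
# ignore-cache-for-signing is active. Only warns when no TTL is set,
# because the agent then simply uses its built-in default.
check_agent_conf() {
  if grep -Eq '^[[:space:]]*ignore-cache-for-signing' "$1"; then
    echo "$1: ignore-cache-for-signing is set, signing will prompt every time" >&2
    return 1
  fi
  if ! grep -Eq '^[[:space:]]*default-cache-ttl[[:space:]]+[0-9]+' "$1"; then
    echo "$1: no default-cache-ttl, the agent uses its default TTL" >&2
  fi
  return 0
}

# Print the keygrip of the signing-capable (sub)key for key id $1.
# gpg-preset-passphrase wants a keygrip, not a key id or fingerprint.
# In colon output, field 12 of sec/ssb lines holds capabilities (lowercase
# "s" = this key signs) and field 10 of the following grp line is the keygrip.
keygrip_for() {
  gpg --batch --with-colons --with-keygrip -K "$1" 2>/dev/null |
    awk -F: '($1 == "sec" || $1 == "ssb") { cap = $12 }
             $1 == "grp" && cap ~ /s/ { print $10; exit }'
}

# Feed the passphrase on stdin into the agent cache for keygrip $1.
preset_passphrase() {
  helper="$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase"
  "$helper" --preset "$1"
}

# Stand-alone use: only acts when GPGKEY is set and gpg is installed.
if [ -n "${GPGKEY:-}" ] && command -v gpg >/dev/null 2>&1; then
  conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
  [ -f "$conf" ] || render_agent_conf 600 7200 > "$conf"   # 10 min / 2 h
  check_agent_conf "$conf"
  gpg-connect-agent reloadagent /bye >/dev/null             # apply the conf
  grip="$(keygrip_for "$GPGKEY")"
  [ -n "$grip" ] || { echo "no signing key found for $GPGKEY" >&2; exit 1; }
  preset_passphrase "$grip"
fi
```

The preset passphrase lives only in the running agent's memory and is dropped when maximum-cache-ttl expires or the agent restarts, which is the point of preferring this over a --passphrase option in the git config: whatever file or keyring you pipe into the script is the one place the plaintext has to be protected.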
After updating to Ubuntu 18.04 all my previous solutions no longer worked, because gnome-keyring no longer implements a GPG agent, and I couldn't get gpg-agent to cache any passphrase.

Here's the solution that finally worked for me:

Create a script gpg-without-tty:

#!/bin/bash
# Fetch the passphrase from gnome-keyring and hand it to gpg on stdin (fd 0)
echo "$(secret-tool lookup gpgpassphrase "$GPGKEY")" | /usr/bin/gpg --batch \
  --no-tty --pinentry-mode loopback --passphrase-fd 0 "$@"

Set your passphrase for $GPGKEY in gnome-keyring:

secret-tool store --label='Passphrase for GPG Key' gpgpassphrase "$GPGKEY"

Tell git to use the gpg-without-tty script:

git config --global gpg.program /path/to/gpg-without-tty

You might also have to add the allow-loopback-pinentry setting to ~/.gnupg/gpg-agent.conf.

Update: While this worked locally it turns out that it somehow messed up the signatures: it signed the commits with the full 40-character fingerprint. GitHub didn't recognize these signatures as being valid. And when I looked at older commits that I had signed before updating to 18.04 (git log --show-signature) they no longer showed up as valid. I ended up removing the gpg.program setting in the git config. Turns out the problems I encountered were probably related to having that setting in the first place (which I used in the past to work around a different problem).

So, in short, running git config --global --unset gpg.program was the answer to my problems after the update.
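The update above is a reminder that "git signed it" and "the signature verifies" are two different things. As an added example (not part of the answer), the script below turns git's per-commit verification status into a one-line verdict so you can check a range of commits after changing gpg.program or the agent setup, instead of reading through git log --show-signature. It assumes you feed it the output of git log --format='%H%x09%G?%x09%GK', where %G? is git's one-letter verification status and %GK the key id the signature was made with.

```shell
#!/bin/sh
# Added example, not from the answer above.
# Usage inside a repository:  ./check-sigs.sh --run
# or:  git log -n 20 --format='%H%x09%G?%x09%GK' | summarise_signatures
set -eu

# Read "<hash> TAB <status> TAB <key>" lines on stdin, print one verdict per
# commit, and return 0 only if every commit verified as good (G).
# Status letters are git's own: G good, B bad, U good but key untrusted,
# E signature cannot be checked (e.g. missing public key), N unsigned.
summarise_signatures() {
  awk -F'\t' '
    {
      status = $2; key = ($3 == "" ? "-" : $3)
      if      (status == "G") verdict = "good"
      else if (status == "B") verdict = "BAD-signature"
      else if (status == "U") verdict = "good-signature-untrusted-key"
      else if (status == "E") verdict = "cannot-check-signature"
      else if (status == "N") verdict = "unsigned"
      else                    verdict = "other(" status ")"
      if (status != "G") notgood++
      print $1, verdict, key
    }
    END { exit (notgood > 0) }'
}

# Stand-alone use: summarise the last 20 commits of the current repository.
if [ "${1:-}" = "--run" ]; then
  git log -n 20 --format='%H%x09%G?%x09%GK' | summarise_signatures
fi
```

A non-zero exit is the signal to look closer: an E on commits that used to verify usually means the verifying side no longer finds the public key under the id git reports, which matches the symptom described above where the key column suddenly shows a different identifier than before.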
To store your GPG key passphrase so you don't have to enter it every time you sign a commit, use the following tools:
- For Mac users, the GPG Suite allows you to store your GPG key passphrase in the Mac OS Keychain.
- For Windows users, Gpg4win integrates with other Windows tools.
You can also manually configure gpg-agent to save your GPG key passphrase, but this doesn't integrate with Mac OS Keychain like ssh-agent and requires more setup.