@lujstn lujstn commented Jun 12, 2025

This commit implements critical fixes to make pinentry-touchid compatible with modern GnuPG versions (2.4+) and resolves keychain access permission issues.

Key Changes

1. GETINFO Command Support

  • Implemented GETINFO handler for commands required by GnuPG 2.4+
  • Added support for: flavor, version, pid, and ttyinfo queries
  • Resolves "You may want to update to a newer pinentry" errors

2. Keychain Permission Handling

  • Added ensureKeychainAccess() function to properly handle macOS permission dialogs
  • Fixed flow to check keychain permissions before Touch ID authentication
  • Ensures pinentry-touchid can access entries created by pinentry-mac

3. Name Parsing Fix

  • Fixed regex parsing to correctly extract user names from GPG descriptions
  • Strips GPG key comments (e.g., "GPG Key generated...") from names
  • Ensures keychain entry labels match between pinentry-mac and pinentry-touchid

4. Duplicate Entry Handling

  • Changed duplicate keychain entry errors from fatal to non-fatal
  • Allows the authentication flow to continue when entries already exist
  • Improves robustness when switching between pinentry programs

Technical Details

The main issue was that GnuPG 2.4+ requires pinentry programs to respond to GETINFO queries during initialization. Without these handlers, gpg-agent would abort the connection immediately after the handshake.

Additionally, when keychain entries are created by pinentry-mac, macOS requires explicit permission for pinentry-touchid to access them. The new flow ensures these permissions are granted before attempting Touch ID authentication.

Testing

  • Added comprehensive unit tests for GETINFO commands
  • Verified compatibility with GnuPG 2.4.8 on macOS
  • Tested keychain permission flow with existing entries
  • All existing tests continue to pass

Fixes #9, #17, #42
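To make the GETINFO point in the Technical Details concrete, here is an added Go example (not code from this PR or from pinentry-touchid) of how a pinentry answers the four sub-commands over Assuan: each known query gets a percent-escaped `D` data line followed by `OK`, anything else gets an `ERR` line. The version string, flavor name and ERR codes are illustrative placeholders, and `HandleCommand` is a hypothetical dispatcher standing in for the program's real command loop.

```go
package main

import (
	"strconv"
	"strings"
)

// escapeData percent-escapes the bytes Assuan forbids in a "D " line.
func escapeData(s string) string {
	return strings.NewReplacer("%", "%25", "\r", "%0D", "\n", "%0A").Replace(s)
}

// orDash: pinentry reports unset ttyinfo fields as "-".
func orDash(v string) string {
	if v == "" {
		return "-"
	}
	return v
}

// GetInfo answers one "GETINFO <what>" query: a "D <data>" line plus "OK"
// for the sub-commands GnuPG 2.4+ sends, or an ERR line otherwise. The
// version, flavor and ERR code are illustrative placeholders.
func GetInfo(what string, pid int, tty, ttyType, display string) string {
	var data string
	switch strings.TrimSpace(what) {
	case "version":
		data = "0.0.0-example"
	case "pid":
		data = strconv.Itoa(pid)
	case "flavor":
		data = "touchid"
	case "ttyinfo": // "<tty> <type> <display>"
		data = orDash(tty) + " " + orDash(ttyType) + " " + orDash(display)
	default:
		return "ERR 280 Unknown GETINFO sub-command\n"
	}
	return "D " + escapeData(data) + "\nOK\n"
}

// HandleCommand dispatches one Assuan command line. Without the GETINFO
// case the agent's first query after the greeting is rejected and, as the
// PR notes, gpg-agent drops the connection. Other pinentry commands
// (SETDESC, GETPIN, ...) are out of scope here and answered with an ERR.
func HandleCommand(line string, pid int, tty, ttyType, display string) string {
	cmd, arg, _ := strings.Cut(strings.TrimRight(line, "\r\n"), " ")
	if strings.ToUpper(cmd) != "GETINFO" {
		return "ERR 275 Unknown IPC command\n"
	}
	return GetInfo(arg, pid, tty, ttyType, display)
}
```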

lujstn added 2 commits June 12, 2025 03:32
- Changed module path from jorgelbg to lujstn
- Updated .goreleaser.yml to point to lujstn/homebrew-tap
- Added Homebrew installation instructions to README
- Updated imports to use new module path
Successfully merging this pull request may close these issues.

gpg throws "You may want to update to a newer pinentry" error during signing git commit (fresh install)

1 participant