Why does GPG ask for passphrase when ~/.gnupg/gpg-agent.conf exists?

Solution 1:

gpg-agent does not have any "persistent" password storage of its own. It always forgets passwords after a reboot and has to call pinentry for the first time.

However, all the standard graphical pinentries have their own integration with libsecret persistent password storage – which means they'll store the passphrase in GNOME Keyring. Whenever gpg-agent runs the full-screen "pinentry-gnome3" after reboot, the pinentry app just directly returns the passphrase from GNOME Keyring without needing to actually prompt for anything.

Meanwhile, the text-mode pinentry apps (pinentry-curses, pinentry-tty) do not have libsecret integration, as they're meant to be used in environments where something like GNOME Keyring wouldn't survive.

To have this again, you will need to switch to either pinentry-gtk-2 or pinentry-qt.


Side note: I suspect that GnuPG's choice to invoke the full-screen prompter provided by GNOME Shell was very deliberate, as even before GNOME 3, the simple gtk-2 pinentry already had an option to globally grab all input events regardless of focus; this was meant to prevent users accidentally typing their password into the wrong window. (I think this was just relatively recently changed to be off by default.)
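
To see which case a given setup falls into, the following sketch (an added example, not part of the original answer) reads `pinentry-program` from a gpg-agent.conf, resolves symlinks such as a distribution's generic `pinentry` link, and classifies the result the way the answer describes. The function names are hypothetical, and taking the last `pinentry-program` line when several are present is an assumption.

```shell
#!/bin/sh
# Added example: classification follows the answer's description of which
# pinentry programs integrate with libsecret / GNOME Keyring.

# Print the argument of the last uncommented "pinentry-program" line.
# (Using the last occurrence is an assumption of this sketch.)
configured_pinentry() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]][[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Follow symlinks so the real program is classified, not a generic link name.
resolve_pinentry() {
    if [ -e "$1" ]; then readlink -f "$1"; else printf '%s\n' "$1"; fi
}

# Map a pinentry path to the behaviour the answer describes:
#   text-mode       -> no libsecret, prompts after every reboot
#   keyring-capable -> may return the passphrase stored in GNOME Keyring
classify_pinentry() {
    case "${1##*/}" in
        pinentry-curses|pinentry-tty) echo "text-mode" ;;
        pinentry-gnome3|pinentry-gtk-2|pinentry-qt) echo "keyring-capable" ;;
        "") echo "unset" ;;
        *) echo "unknown" ;;
    esac
}

# Full check for one config file; "unset" means gpg-agent picks its default.
check_agent_conf() {
    prog=$(configured_pinentry "$1")
    [ -n "$prog" ] || { echo "unset"; return 0; }
    classify_pinentry "$(resolve_pinentry "$prog")"
}

# Check the current user's config (GNUPGHOME overrides ~/.gnupg).
check_agent_conf "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
```

After changing `pinentry-program`, `gpg-connect-agent reloadagent /bye` makes the running agent pick up the new setting.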