I had some trouble after upgrading GPGTools to version 2020.2 on macOS Big Sur, where it would ignore my Yubikey smart card and I couldn’t unlock my stuff.
Every time I tried to use gpg (Yubikey inserted), I would get this error:
gpg: decryption failed: No secret key
This sent me into a wild rage, and after spending far too much time trying to debug with no results, I switched tactics; remove GPGTools and install gpg myself. While it’s still early days, and I am by no means a gpg expert (who is?), everything seems to be working fine.
Here’s how I did it.
Uninstall GPGTools
I downloaded the uninstaller from the GPGTools website; that’s right, it is not included in the standard GPGTools installation. Another reason to ditch it.
https://gpgtools.tenderapp.com/kb/faq/uninstall-gpg-suite
Install GPG
I used homebrew to install the required packages.
brew install gpg pinentry-mac # pinentry-mac is needed for smart cards.
I also added the two packages to my Brewfile.
diff --git a/Brewfile b/Brewfile
index 683e138..9b0d988 100644
--- a/Brewfile
+++ b/Brewfile
@@ -13,6 +13,7 @@ brew "fzy"
brew "git"
brew "git-delta"
brew "git-standup"
+brew "gpg"
brew "hugo"
brew "imagemagick"
brew "isync"
@@ -27,6 +28,7 @@ brew "pandoc"
brew "par"
brew "pass"
brew "pianobar"
+brew "pinentry-mac"
brew "rename"
brew "ripgrep"
brew "rust"
Configure GPG
The gpg installation added a .gnupg/
configuration directory to my
home folder. After some research, I added a few lines to gpg.conf
and
gpg-agent.conf
.
# ~/.gnupg/gpg.conf
ask-cert-level
use-agent
auto-key-retrieve
no-emit-version
default-key D81A4957BAF06BCA6E060EE5461C015E032EF9CB # use your key
# ~/.gnupg/gpg-agent.conf
pinentry-program /usr/local/bin/pinentry-mac
default-cache-ttl 600
max-cache-ttl 7200
debug-level basic
log-file $HOME/.gnupg/gpg-agent.log # helpful for debugging
I was making progress, but when I tried to use gpg I would get this error:
gpg: OpenPGP card not available: No SmartCard daemon
This one took some time to figure out. I checked
my homebrew installation, and scdaemon existed at
/usr/local/Cellar/gnupg/2.2.25/libexec/scdaemon
.
I eventually figured out I needed a scdaemon configuration file, and I needed to pass in the name of my smart card there.
macOS comes with a command line tool for testing smart cards (PC/SC), which I used to get the machine name of my smart card.
I inserted my Yubikey and ran pcsctest
, which gave me this output:
MUSCLE PC/SC Lite Test Program
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader : Command successful.
Testing SCardListReaders : Command successful.
Reader 01: Yubico YubiKey OTP+FIDO+CCID
Enter the reader number :
The “Reader” line is what we’re interested in. I copied the name of my
smart card, killed pcsctest
with a Ctrl-c, and pasted to a
file called scdaemon.conf
.
# ~/.gnupg/scdaemon.conf
reader-port "Yubico YubiKey OTP+FIDO+CCID"
Finishing up
I had to restart gpg agent before my change would take effect.
killall gpg-agent
gpg-agent --daemon --homedir $HOME/.gnupg
And that’s it, things are working for me again, and I got to replace a large dependency (GPGTools) with a slightly smaller one (GPG).
Other resources
Some links I found helpful in my journey to figuring this out.