72

Would it be possible for the GPG password to be saved, so that I am not prompted for the passphrase every time I make a git commit?

gauge

2 Answers

84

You can set a timeout period for gpg-agent in `~/.gnupg/gpg-agent.conf` with this line:

```
default-cache-ttl 3600
```

That would tell gpg-agent to store the passphrase for one hour. You wouldn't want it to be indefinite, but not constantly typing it is of benefit too.

Ahmed Ashour
Ben
  • 5
    More info » https://www.gnupg.org/documentation/manuals/gnupg-devel/Agent-Options.html – gdibble Oct 21 '16 at 01:11
  • I do not have a ~/.gnupg/gpg-agent.conf file, just a ~/.gnupg/gpg.conf. What should I do? – Clément Fiorio Oct 25 '16 at 13:23
  • 2
    Make a text file with that line in it, though if you're still using GPG 1.4 it won't use gpg-agent. Most people use 2.0 or 2.1 these days except on systems that need 1.4 for some reason (usually headless systems like routers). – Ben Nov 23 '16 at 12:43
  • Do you need to restart the `gpg-agent` for this to take effect (particularly, when you had to create the conf file)? – gMale Mar 31 '19 at 14:22
  • 4
    You shouldn't need to, but you can if you want to and it certainly won't hurt. The best way to do that is run `gpgconf --kill gpg-agent` and the agent will restart (for that user) with the next gpg process or command invoked, regardless of whether or not it requires the passphrase or pinentry. – Ben Mar 31 '19 at 14:48
  • 4
    This either doesn't work anymore in gpg@2.2.20 or it doesn't accept large values like `1209600` (2 weeks). – Paul Razvan Berg Jun 01 '20 at 11:42
  • [I posted a question about this](https://stackoverflow.com/questions/64788805/cache-gpg-passphrase-for-git-signing-on-mac), in case the issue is specific to v2 of GnuPG or my environment (macOS). – Paul Razvan Berg Nov 11 '20 at 14:58
  • I would suggest that two weeks would be a bit long anyway; what happens if your laptop gets stolen? I have set mine to cache for 12 hours max. – James Geddes Apr 27 '21 at 12:30
  • 3
    @PaulRazvanBerg 1 week (604800) seems to work on gpg@2.2.29, if that's helpful for anyone. – Brad Turek Aug 24 '21 at 21:21
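
An added example, not part of any answer or comment above: a shell check that reads a `gpg-agent.conf` and reports the cache lifetime that results from `default-cache-ttl` combined with gpg-agent's separate `max-cache-ttl` option. The function names, the 12-hour policy limit and the sample file are constructed for illustration; the defaults used (600 and 7200 seconds) are the documented GnuPG 2.x values.

```bash
#!/usr/bin/env bash
# Added example (not from the answers): audit the cache lifetime settings in a
# gpg-agent.conf. Assumed GnuPG 2.x defaults: default-cache-ttl 600 seconds,
# max-cache-ttl 7200 seconds.

# agent_opt FILE KEY DEFAULT: print the numeric value of KEY, or DEFAULT if
# the file or the option is absent. Simplification: the last occurrence wins.
agent_opt() {
    [ -r "$1" ] || { printf '%s\n' "$3"; return 0; }
    awk -v key="$2" -v def="$3" '
        $1 == key && $2 ~ /^[0-9]+$/ { val = $2 }
        END { print (val == "" ? def : val) }' "$1"
}

# idle_window FILE: seconds after the last use before the passphrase is asked
# for again. default-cache-ttl restarts on every use; max-cache-ttl caps it.
idle_window() {
    idle=$(agent_opt "$1" default-cache-ttl 600)
    max=$(agent_opt "$1" max-cache-ttl 7200)
    if [ "$idle" -gt "$max" ]; then echo "$max"; else echo "$idle"; fi
}

# audit_agent_conf FILE POLICY: print findings; return 1 if any was found.
# POLICY is the longest cache lifetime (seconds) you are willing to accept.
audit_agent_conf() {
    idle=$(agent_opt "$1" default-cache-ttl 600)
    max=$(agent_opt "$1" max-cache-ttl 7200)
    rc=0
    if [ "$idle" -gt "$max" ]; then
        echo "default-cache-ttl $idle exceeds max-cache-ttl $max: entries expire after $max s"
        rc=1
    fi
    if [ "$max" -gt "$2" ]; then
        echo "max-cache-ttl $max exceeds policy limit $2"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the two-week value from the comments, no max-cache-ttl.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'default-cache-ttl 1209600' > "$sample"
echo "idle window: $(idle_window "$sample") s"
audit_agent_conf "$sample" 43200 || echo "review the settings above"
rm -f "$sample"
```

Point the functions at `~/.gnupg/gpg-agent.conf` to check a real configuration; a missing file is treated as all defaults.
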
16

If you are on Mac, I would suggest that you use pinentry-mac. Then you can save the password to the macOS keychain.

Install with `brew install pinentry-mac`, and then add this line `pinentry-program /opt/homebrew/bin/pinentry-mac` to `~/.gnupg/gpg-agent.conf` (remove/comment out any other `pinentry-program` line in that file).

Pelmered