30

1. Summary

I can't disable entering the passphrase each time I make a commit.


2. Environment

  • Windows 10 Enterprise LTSB 64-bit EN,
  • git 2.16.2.windows.1,
  • gpg-agent (GnuPG) 2.2.4,
  • gpg4win 3.0.3.

3. Steps to reproduce

I install and set up Gpg4win → I move to a folder with a .git subfolder →

  • git add .,
  • git commit -m "Any description".

4. Expected behavior

Successful signed commit without entering the passphrase.


5. Actual behavior

I get a window where I need to enter my passphrase:

Enter password

pinentry-qt

Please enter the passphrase to unlock the OpenPGP secret key:

I need to enter my passphrase each time I make a commit;

    exception: a short time between commits.


6. Not helped

I found the C:\Users\SashaChernykh\.gnupg\gpg-agent.conf file in my USERPROFILE folder. I tried adding the no-tty, batch or no-use-agent lines to this file:

no-tty
batch
no-use-agent

I still get the actual behavior, not the expected one.


7. Do not offer

  1. please, do not offer, that I must enter passphrase every time;
  2. or that I can make unsigned commits;
  3. I can set big values for the default-cache-ttl and max-cache-ttl parameters in the C:\Users\SashaChernykh\.gnupg\gpg-agent.conf file, but that does not disable passphrase entry.
Community
Саша Черных

3 Answers

44

default-cache-ttl max-cache-ttl

This is the correct way to do this. The default timeout there is 10 minutes, so if there are more than 10 minutes between your commits you would have to extend the time.

C:\Users\SashaChernykh\.gnupg\gpg-agent.conf

This is not the correct path. This would be the path on a GNU/Linux system.

The Home directory for GnuPG on Windows is %APPDATA%\gnupg

e.g.

c:\Users\SashaChernykh\Appdata\Roaming\gnupg\gpg-agent.conf

After changing it you also have to restart the gpg-agent process.

You can do this by using gpgconf on the command line.

gpgconf --reload gpg-agent

The simplest way to change the value with Gpg4win and check that it was really set is by using Kleopatra:

Settings -> Configure Kleopatra -> GnuPG System -> Private Keys

There you can view the settings of and change:

expire cached PINs after N seconds
set maximum PIN cache lifetime to N seconds 

To some high value.


If you don't ever want to have to enter a passphrase, you can simply remove it from your key.

On the command line:

gpg --passwd <yourkeyid or email>

You can leave it empty and will be asked two times to confirm that you want to leave it empty. Afterwards the passphrase of your key is removed and you do not have to enter the passphrase ever again.

You can also select change passphrase from Kleopatra's Details Window (double click on the key).

Andre Heinecke
  • Andre Heinecke, thanks for the answer. // **1.** If I restart my computer, will I need to enter my passphrase again when I make a commit? // **2.** I can set N seconds. But after N seconds pass, I need to enter the passphrase again. Is there any way that I never need to enter the passphrase, not only until N seconds have passed? Thanks. – Саша Черных Mar 26 '18 at 08:09
  • 1
    On the command line "gpg --passwd " will allow you to change the passphrase. You can leave it empty and will be asked two times to confirm that you want to leave it empty. Afterwards the passphrase of your key is removed and you do not have to enter the passphrase ever again. This sounds like the security model you want and if you trust your local system / filesystem enough that you always want to have your key unlocked this is fine. You can also select change passphrase from Kleopatra's Details Window (double click on the key). – Andre Heinecke Mar 26 '18 at 12:46
  • Ideally it would store the passphrase in the Windows credentials manager which is unlocked when you sign into your Windows account - that is the correct way to deal with this issue, and the way that GNOME and Macs deal with it. Let's hope Microsoft release an official GPG keyring agent soon like they did for SSH – Asfand Qazi Nov 16 '22 at 11:17
  • When I went looking for my `gpg-agent.conf` it didn't exist, so in some other searches I came across this, which is the same thing as this comment, but shows an easy GUI way to do it (Kleopatra), which generates the `gpg-agent.conf` for you as well: https://stackoverflow.com/a/66821816/553663 – J. Scott Elblein Jul 24 '23 at 06:25
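
The cache settings from the answer above, applied from PowerShell so the key keeps its passphrase while prompts become rare. This is an added example, not code from the answer's author or the GnuPG project; it assumes gpgconf.exe from Gpg4win is on PATH, and the 8-hour value is a constructed sample.

```powershell
# Added example; assumes gpgconf.exe from Gpg4win is on PATH.
$ErrorActionPreference = 'Stop'
$ttlSeconds = 28800   # constructed sample value (8 hours); choose your own

# Ask GnuPG for its home directory instead of guessing it. With a name
# argument gpgconf prints only that directory (assumed to be supported by
# the installed version); on Windows this is normally %APPDATA%\gnupg.
$gnupgHome = (& gpgconf --list-dirs homedir | Select-Object -First 1).Trim()
if (-not (Test-Path $gnupgHome)) {
    New-Item -ItemType Directory -Path $gnupgHome | Out-Null
}
$confPath = Join-Path $gnupgHome 'gpg-agent.conf'

# Keep every existing line except the two options being set, so other
# settings survive and repeated runs do not accumulate duplicates.
# The (\s|$) guard leaves default-cache-ttl-ssh / max-cache-ttl-ssh alone.
$keep = @()
if (Test-Path $confPath) {
    $keep = @(Get-Content $confPath |
              Where-Object { $_ -notmatch '^\s*(default|max)-cache-ttl(\s|$)' })
}
$lines = [string[]]($keep + "default-cache-ttl $ttlSeconds" + "max-cache-ttl $ttlSeconds")

# Write UTF-8 without a BOM so the first option line is not corrupted.
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllLines($confPath, $lines, $utf8NoBom)

# Make the running agent re-read its configuration.
& gpgconf --reload gpg-agent

# Verify what gpgconf now reports. --list-options prints colon-separated
# records; the tenth field holds the value currently set in the config file.
$active = @{}
& gpgconf --list-options gpg-agent | ForEach-Object {
    $f = $_.Split(':')
    if ($f[0] -in 'default-cache-ttl', 'max-cache-ttl') { $active[$f[0]] = $f[9] }
}
foreach ($name in 'default-cache-ttl', 'max-cache-ttl') {
    $state = if ($active[$name] -eq "$ttlSeconds") { 'ok' } else { 'NOT applied' }
    '{0,-18} = {1}  ({2})' -f $name, $active[$name], $state
}
```

The agent's cache lives in memory, so the first signing operation after a reboot or agent restart still prompts once.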
1

Nothing to do with Git in particular, you need a gpg-agent running. Git for Windows shell has it packaged. There are some instructions here how to run the agent automatically: https://medium.com/@timmywil/sign-your-commits-on-github-with-gpg-566f07762a43

The tricky bit of running the gpg-agent - after it starts, it needs to set environment variables so that gpg could find its PID and socket.

kan
  • kan, thanks, I read the article. `Assuming you are using Git for Windows (formerly called Git Bash)` — I'm sorry, I don't use Git for Windows, [**I use Far mode in ConEmu**](https://stackoverflow.com/a/10904494/5951529). Thanks. – Саша Черных Mar 05 '18 at 10:26
  • @СашаЧерных Just figure out how to set environment variables in your case. Values for the variables are printed out (or written to a file if you specify `--write-env-file`) by the agent when it starts. – kan Mar 07 '18 at 08:52
  • @kan, does your solution work in your environment? `The tricky bit of running the gpg-agent - after it starts, it needs to set environment variables so that gpg could find its PID and socket.` — how can I find out which variable and value I need to set? Can you show an example? Thanks. – Саша Черных Mar 13 '18 at 16:17
0

I think you need to remove batch option and no-use-agent from .gnupg\gpg-agent.conf. Add use-agent to .gnupg\gpg.conf.

ChrisF
phd
  • phd, nothing changed. My `%USERPROFILE%/.gnupg/gpg.conf` file — `no-tty`; my `%USERPROFILE%/.gnupg/gpg.conf` file — `use-agent`. I restart Windows → I make the first commit → I enter my passphrase → `Enter`. I make the next commits → I need to enter the passphrase again. Thanks. – Саша Черных Mar 06 '18 at 16:42