10

I'm calling out to gpg2 in a CLI script for symmetrical encryption of a local file. It appears to have gpg-agent prompt for a passphrase via some CLI, text-based UI. As long as I'm around to enter the passphrase, everything works fine. If I'm not, however, it eventually fails out with this message:

gpg-agent[15338]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: error creating passphrase: Operation cancelled
gpg: symmetric encryption of `XXXX.tar' failed: Operation cancelled

Is there any way to turn off this timeout entirely?

I would want the passphrase prompt to remain on the screen indefinitely until I enter something.

rcampbell
  • 583
  • 2
  • 7
  • 13

4 Answers

2

The solution has been found here: https://dev.gnupg.org/T3240

The delay is caused by the pinentry querying the GNOME keyring. Add no-allow-external-cache to your gpg-agent.conf, or remove gnome-keyring, and kill the currently running gpg-agent: gpgconf --kill gpg-agent

a7f4
  • 21
  • 4
1

In gpg-agent.conf (see gpg-agent(1)), try the following options:

pinentry-timeout 0
pinentry-program /usr/bin/pinentry-curses --timeout 0

(You might find pinentry-tty somewhat nicer to use though.)

u1686_grawity
  • 426,297
  • 64
  • 894
  • 966
1

Q: "How to prevent gpg-agent from timing out during passphrase collection?"

A: A specific case is usage of gpg in an ssh session. The configuration below enables gpg-agent also within an ssh session. In particular, no-grab allows cut&paste, no-allow-external-cache disables any keyrings, and pinentry-curses asks for the password in the terminal instead of the default pinentry asking in the remote (in the case of ssh) desktop window. The time to live ttl (5,6) is set to 24 hours. This way, it's not necessary to re-enter the password when, for example, a cron, which invokes a script with gpg-agent, is run daily.

shell> cat ~/.gnupg/gpg-agent.conf
no-grab
no-allow-external-cache
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 86400
max-cache-ttl 86400

Vladimir Botka
  • 1,155
  • 8
  • 9
  • I know it's weird, but thank you for giving some clues for me to fix another bug with `pinentry` where `gpg-agent` keeps yelling `command 'PKSIGN' failed: Operation cancelled`. Thanks a lot. For those who have a similar issue, try to add that `pinentry-curses` to your config file. – Long Jun 11 '22 at 16:46
0

What worked for me (gpg 2.1.11) was just to set the pinentry-timeout option to a big value (like 24 hours), by adding the following to my ~/.gnupg/gpg-agent.conf file:

# time until pinentry closes in seconds
pinentry-timeout 86400

Justin Ludwig
  • 434
  • 3
  • 7
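
To see what a given gpg-agent.conf means for the prompt timeout and the passphrase caching discussed in the answers above, a small audit script helps. This is an added example, not part of any answer; the function names are hypothetical, and it assumes the last occurrence of an option wins and uses the defaults documented in gpg-agent(1) (pinentry-timeout 0, default-cache-ttl 600, max-cache-ttl 7200).

```shell
#!/bin/sh
# Added example, not from the answers above. Assumptions: the last occurrence
# of an option wins; defaults are the ones documented in gpg-agent(1).

# conf_value FILE OPTION DEFAULT: print OPTION's value, or DEFAULT if unset.
conf_value() {
    awk -v opt="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
        $1 == opt { val = $2; seen = 1 }
        END { print (seen ? val : def) }
    ' "$1"
}

# conf_flag FILE OPTION: print yes/no for an option that takes no argument.
conf_flag() {
    awk -v opt="$2" '$1 == opt { found = 1 } END { print (found ? "yes" : "no") }' "$1"
}

# audit_agent_conf FILE: print one name=value line per finding.
audit_agent_conf() (
    f=$1
    [ -r "$f" ] || { echo "error=unreadable"; exit 1; }
    timeout=$(conf_value "$f" pinentry-timeout 0)
    ttl=$(conf_value "$f" default-cache-ttl 600)
    max=$(conf_value "$f" max-cache-ttl 7200)
    # 0: the agent does not ask pinentry to time out, but the pinentry
    # program may still apply a timeout of its own.
    if [ "$timeout" -eq 0 ]; then echo "agent_timeout=none"
    else echo "agent_timeout=${timeout}s"; fi
    echo "external_cache_disabled=$(conf_flag "$f" no-allow-external-cache)"
    echo "cache_ttl=${ttl}s max=${max}s"
    # While cached, the passphrase is used without any prompt, so flag
    # lifetimes above the documented defaults for review.
    if [ "$ttl" -gt 600 ] || [ "$max" -gt 7200 ]; then
        echo "review=cache lifetime exceeds defaults"
    fi
)

# Demo on a constructed sample that mirrors the config posted above.
sample=$(mktemp)
printf '%s\n' no-grab no-allow-external-cache \
    'default-cache-ttl 86400' 'max-cache-ttl 86400' > "$sample"
audit_agent_conf "$sample"
rm -f "$sample"
```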