Custom GPG pinentry program for macOS that allows using Touch ID for fetching the password from the macOS keychain.
Macbook Pro devices without Touch ID are currently not supported. These devices > lack a Touch ID sensor and while the alternative offered by Apple is to use (if available) an Apple Watch, this feature it is not yet implemented.
See it in action
How does it work
This program interacts with the
gpg-agent for providing a password, using the following rules:
If the password entry for the given key cannot be found in the Keychain we fallback to the
pinentry-macprogram to get the password. We recommend preventing
pinentry-macfrom storing the password: uncheck the Save in keychain checkbox in the dialog.
If a password entry is found the user will be shown the Touch ID dialog and upon successful authentication the password stored from the keychain will be returned to the gpg-agent.
If a password entry is found but is not "owned" by the
pinentry-touchidprogram after the successful authentication with Touch ID, a normal password will be shown. This is an extra step enforced by the macOS keychain. In this dialog click Always allow after entering the password. This will allow
pinentry-touchidto access the password entry without the need to type the additional password, but still, the access to the password will be guarded by Touch ID.
As part of our release process we keep an updated Homebrew Formula. To install pinentry-touchid using homebrew execute the following commands:
❯ brew tap jorgelbg/tap ❯ brew install pinentry-touchid
Homebrew will print the next steps, which will look similar to:
==> Caveats ✅ Add the following line to your ~/.gnupg/gpg-agent.conf file: pinentry-program /usr/local/opt/pinentry-touchid/bin/pinentry-touchid 🔄 Then reload your gpg-agent: gpg-connect-agent reloadagent /bye 🔑 Run the following command to disable "Save in Keychain" in pinentry-mac: defaults write org.gpgtools.common DisableKeychain -bool yes ⛔️ If you are upgrading from a previous version, you will be asked to give access again to the keychain entry. Click "Always Allow" after the Touch ID verification to prevent this dialog from showing. ==> Summary 🍺 /usr/local/Cellar/pinentry-touchid/0.0.2: 4 files, 2.2MB, built in 10 seconds
pinentry-touchidbinary from our Releases page
pinentry-touchidas its pinentry program. Add or replace the following line to your gpg agent configuration in:
You can replace
/usr/local/bin/pinentry-touchid with the path where the binary was stored.
We recommend disabling the option to store the password in the macOS Keychain for the default pinentry-mac program with the following option:
$ defaults write org.gpgtools.common DisableKeychain -bool yes
This will allow
pinentry-touchid to create and automatically take ownership of the entry in the Keychain. If an entry already exists in the Keychain you need to always allow
pinentry-touchid to access the existing entry.
This project does not store the password/pin in the Secure Enclave of your device, instead uses the normal Keychain entry from pinentry-mac if available, or creates a new one.
pinentry-touchid in the following combinations of devices and macOS versions:
- MacBook Pro (15-inch, 2018), macOS Catalina - 10.15.7
- MacBook Pro (15-inch, 2018), macOS Big Sur - 11.4, 11.5.0, 11.5.1
- MacBook Pro (16-inch, Late 2019), macOS Big Sur - 11.4, 11.5.1
- The project icon is taken from Touch ID icon by Icons8.