macOS support for GPG #132

Closed
arcticicestudio opened this issue Sep 14, 2018 · 0 comments
Epic: GH-131

Change default sockets file paths

There is a problem where the gpg-agent is not able to create the socket files within the ~/.gnupg folder that is symlinked to the gocryptfs container to securely (encrypted) store the GPG keys:

gpg: can’t connect to the agent: IPC connect call failed

This might be caused by either the macOS filesystem (APFS) that doesn't support the creation of sockets (it works fine on other Arch Linux hosts like igloo) or by restrictions due to read/write permissions that are not passed through.

One solution/workaround is to change the default absolute file paths of the socket files:

  1. Create an S.gpg-agent and an S.gpg-agent.ssh file manually in the $GNUPGHOME folder (defaults to ~/.gnupg).
  2. Add the extra-socket and browser-socket options in the gpg-agent.conf file with the desired paths.

NOTE: The created S.gpg-agent and S.gpg-agent.ssh files allow using the values of environment variables via string interpolation, e.g. ${HOME}.

S.gpg-agent:

%Assuan%
socket=${HOME}/path/to/S.gpg-agent

S.gpg-agent.ssh:

%Assuan%
socket=${HOME}/path/to/S.gpg-agent.ssh

gpg-agent.conf:

# ...
# Disable the usage of the default/standard sockets.
no-use-standard-socket

# Set the custom paths of the socket files.
extra-socket /path/to/S.gpg-agent.extra
browser-socket /path/to/S.gpg-agent.browser
# ...

NOTE: It is important to make sure that the target folder exists and the permissions are set to 700!

chmod 700 ~/path/to/target/folder

See the references for more details.

Set pinentry tool

Set the pinentry-program option in the gpg-agent.conf file to use pinentry-mac. Note that this requires the Homebrew formula pinentry-mac to be installed!

pinentry-program /usr/local/bin/pinentry-mac

References

@arcticicestudio arcticicestudio added this to the macOS Support milestone Sep 14, 2018
@arcticicestudio arcticicestudio self-assigned this Sep 14, 2018
@arcticicestudio arcticicestudio removed their assignment Sep 15, 2018
@arcticicestudio arcticicestudio modified the milestones: macOS Support, 0.1.0 Apr 3, 2020
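
The redirect setup described in the issue above, as an added shell example that is not part of the original issue or the project's code: it writes the two `%Assuan%` redirect files and then checks that the folder each one points at exists, is not a symlink and has mode 700. The function names and all paths passed to them are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original issue. Function names are hypothetical
# and every path passed in is a placeholder chosen by the caller.

# write_redirects GNUPGHOME SOCKET_DIR
# Creates SOCKET_DIR with mode 700 and writes both redirect files.
write_redirects() {
  gnupghome=$1; sockdir=$2
  mkdir -p "$gnupghome" "$sockdir" || return 1
  chmod 700 "$sockdir" || return 1
  for name in S.gpg-agent S.gpg-agent.ssh; do
    printf '%%Assuan%%\nsocket=%s/%s\n' "$sockdir" "$name" \
      > "$gnupghome/$name" || return 1
  done
}

# redirect_target FILE
# Prints the socket path named by a redirect file, expanding ${HOME}.
# Fails if the first line is not the %Assuan% marker or no socket= line follows.
redirect_target() {
  [ "$(sed -n '1p' "$1")" = '%Assuan%' ] || return 1
  target=$(sed -n '2s/^socket=//p' "$1")
  [ -n "$target" ] || return 1
  printf '%s\n' "$target" | sed "s|\${HOME}|${HOME}|g"
}

# check_redirect FILE
# Succeeds only if the target folder is a real directory with mode 700.
check_redirect() {
  target=$(redirect_target "$1") || { echo "bad redirect file: $1" >&2; return 1; }
  dir=$(dirname "$target")
  if [ ! -d "$dir" ] || [ -L "$dir" ]; then
    echo "missing or symlinked folder: $dir" >&2; return 1
  fi
  # ls -ld is used instead of stat because stat's flags differ on macOS and Linux.
  perms=$(ls -ld "$dir" | cut -c1-10)
  [ "$perms" = 'drwx------' ] || { echo "$dir is $perms, want drwx------" >&2; return 1; }
}
```

Running `check_redirect` on both redirect files before restarting gpg-agent shows a missing folder or a wrong mode directly, rather than through the generic IPC connect error.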