15

I'm calling out to gpg2 in a CLI script for symmetrical encryption of a local file. It appears to have gpg-agent prompt for a passphrase via some CLI, text-based UI. As long as I'm around to enter the passphrase everything works fine. If I'm not, however, it eventually fails out with this message:

gpg-agent[15338]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: error creating passphrase: Operation cancelled
gpg: symmetric encryption of `XXXX.tar' failed: Operation cancelled

Is there any way to turn off this timeout entirely?

I would want the passphrase prompt to remain on the screen indefinitely until I enter something.

rcampbell
  • 633

4 Answers

4

In gpg-agent.conf (see gpg-agent(1)), try the following options:

pinentry-timeout 0
pinentry-program /usr/bin/pinentry-curses --timeout 0

(You might find pinentry-tty somewhat nicer to use though.)

grawity
  • 501,077
4

The solution has been found here: https://dev.gnupg.org/T3240

The delay is caused by the pinentry querying the GNOME keyring. Add no-allow-external-cache to your gpg-agent.conf, or remove gnome-keyring, and kill the currently running gpg-agent: gpgconf --kill gpg-agent

a7f4
  • 41
2

Q: "How to prevent gpg-agent from timing out during passphrase collection?"

A: A specific case is the use of gpg in an ssh session. The configuration below enables gpg-agent also within an ssh session. In particular:

  • no-grab allows cut&paste
  • no-allow-external-cache disables any keyrings
  • pinentry-curses asks for the password in the terminal instead of the default pinentry asking in the remote (in the case of ssh) desktop window.
  • The time to live ttl (5,6) is set to 24 hours. This way, it’s not necessary to re-enter the password when, for example, a cron, which invokes a script with gpg-agent, is run daily.

shell> cat ~/.gnupg/gpg-agent.conf
no-grab
no-allow-external-cache
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 86400
max-cache-ttl 86400

1

What worked for me (gpg 2.1.11) was just to set the pinentry-timeout option to a big value (like 24 hours), by adding the following to my ~/.gnupg/gpg-agent.conf file:

# time until pinentry closes in seconds
pinentry-timeout 86400
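
An added example, not part of any answer above: a shell audit of a gpg-agent.conf that reports the options the answers change (pinentry-timeout, the two cache TTLs, no-allow-external-cache, pinentry-program) and flags cache lifetimes that keep a passphrase in the agent longer than a chosen limit. The function names, the 7200-second default limit and the sample file are assumptions constructed for this example.

```shell
# Print the value of option $2 in file $1; exit 1 if the option is absent.
# Comment and blank lines are skipped; if an option repeats, the last
# one is reported (an assumption made for this example).
conf_get() {
    awk -v opt="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == opt { $1 = ""; sub(/^ +/, ""); val = $0; found = 1 }
        END { if (!found) exit 1; print val }' "$1"
}

# audit_agent_conf FILE [TTL_LIMIT]
# TTL_LIMIT is a reviewer-chosen ceiling in seconds (hypothetical policy value).
audit_agent_conf() {
    conf=$1 limit=${2:-7200}
    for opt in pinentry-timeout default-cache-ttl max-cache-ttl; do
        if val=$(conf_get "$conf" "$opt"); then
            case $val in
                ''|*[!0-9]*) echo "WARN $opt: '$val' is not a number of seconds"; continue ;;
            esac
            echo "$opt=$val"
            case $opt in
                *cache-ttl) if [ "$val" -gt "$limit" ]; then
                        echo "WARN $opt: passphrase may stay cached for ${val}s (limit ${limit}s)"
                    fi ;;
            esac
        else
            echo "$opt=unset"
        fi
    done
    if conf_get "$conf" no-allow-external-cache >/dev/null; then
        echo "external-cache=disabled"
    else
        echo "external-cache=allowed"
    fi
    if prog=$(conf_get "$conf" pinentry-program); then
        echo "pinentry-program=$prog"
    else
        echo "pinentry-program=default"
    fi
}

# Constructed sample combining the settings shown in the answers above.
sample=$(mktemp)
printf '%s\n' 'no-grab ' 'no-allow-external-cache ' \
    'pinentry-program /usr/bin/pinentry-curses' '# time until pinentry closes' \
    'pinentry-timeout 86400' 'default-cache-ttl 86400' 'max-cache-ttl 86400' > "$sample"
audit_agent_conf "$sample"
rm -f "$sample"
```

Point it at ~/.gnupg/gpg-agent.conf after editing, and reload the agent with gpgconf --kill gpg-agent so the new values take effect.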