
Git: Support prompting for GPG password #43809

Open
deeprobin opened this issue Feb 16, 2018 · 49 comments
Labels: feature-request (Request for new features or functionality), git (GIT issues), help wanted (Issues identified as good community contribution opportunities)

Comments

@deeprobin

  • VSCode Version: 1.19.3
  • OS Version: Windows 10

Hey, Git doesn't work in Visual Studio Code when I have GPG signing activated.

Steps to reproduce: https://help.github.com/articles/signing-commits-with-gpg/

Does this issue occur when all extensions are disabled?: Yes

@vscodebot vscodebot bot added the git GIT issues label Feb 16, 2018
@stevenhay

It doesn't work if you use Git's default gpg feature; however, if you install Gpg4win and tell Git to use that instead, then it works.

git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"

@deeprobin
Author

deeprobin commented Feb 16, 2018

@stevenhay Yes, but it would be nice if Visual Studio Code supported it by itself (without any other applications).

@stevenhay

Oh yeah I agree, definitely. Just thought I'd give a workaround for now though, I could have been more clear.

@joaomoreno joaomoreno reopened this Feb 19, 2018
@joaomoreno joaomoreno changed the title Git GPG Signing do not work Support git GPG signing Feb 19, 2018
@joaomoreno joaomoreno added this to the Backlog milestone Feb 19, 2018
@joaomoreno joaomoreno added the feature-request Request for new features or functionality label Feb 19, 2018
@joaomoreno joaomoreno removed their assignment Feb 19, 2018
@NatoBoram

NatoBoram commented Apr 17, 2018

Solutions proposed here did not solve my problem.

Error:

gpg: cannot open tty `/dev/tty': No such device or address
error: gpg failed to sign the data
fatal: failed to write commit object

Configuration:

git config --global commit.gpgsign
true

cat ~/.gnupg/gpg-agent.conf
default-cache-ttl 46000
pinentry-program /usr/bin/pinentry-gtk-2
allow-preset-passphrase

If someone could shed some light on gpg-agent.conf, I'd like to know what settings are actually useful to sign my commits.

VSCode-Insiders:

{
	"git.enableCommitSigning": true,
}

OS:

neofetch --backend off
OS: Ubuntu 16.04.4 LTS x86_64 
Kernel: 4.13.0-39-generic 
Uptime: 17 hours, 15 mins 
Packages: 2984 
Shell: bash 4.3.48 
Resolution: 1024x768, 1920x1080 
DE: GNOME 3.18.5 
WM: GNOME Shell 
WM Theme: Adwaita 
Theme: Adwaita [GTK2/3] 
Icons: Elementary-xfce-dark [GTK2/3] 
CPU: Intel i5 660 (4) @ 2.895GHz 
GPU: NVIDIA GeForce 8400 GS Rev. 2 
Memory: 2452MiB / 7840MiB 

So... How do we GPG-sign our commits with VSCode?

@pedzed

pedzed commented Aug 27, 2018

@NahomAgidew For Ubuntu 18.04, it should be

pinentry-program /usr/bin/pinentry-gnome3

As can be seen with

ls -l /usr/bin/ | grep pinentry

But that does not seem to be enough.

P.S. This issue is a dupe of #5065.

@pedzed

pedzed commented Aug 27, 2018

Thanks to @DrSensor, run this:

git config --global gpg.program $(which gpg)

@DrSensor

DrSensor commented Aug 27, 2018

Glad it helps ☺️

It seems this needs to be added to the VSCode documentation. Also, popping up a notification when the error gpg: cannot open tty '/dev/tty': No such device or address occurs would be a great update for the next release 🙂

@joaomoreno joaomoreno changed the title Support git GPG signing Git: Support GPG signing Sep 18, 2018
@mzabaluev

mzabaluev commented Oct 31, 2018

It would be nice if Visual Studio Code itself provided interactive passphrase prompts via the gpg-agent protocol. It's not an issue for a non-sandboxed installation, but it would help in Flatpak and Snap.

@holms

holms commented Oct 31, 2018 via email

@mzabaluev

> I've handled this already. You need to set git to call GPG auth from UI. And then it will work for you.

It does not when the gpg-agent socket is not forwarded into the app container.

@holms

holms commented Nov 9, 2018

Try this config:

holms@debian ~/.aws> cat   ~/.gnupg/gpg-agent.conf 
default-cache-ttl 46000
pinentry-program /usr/bin/pinentry-gtk-2
allow-preset-passphrase

That's when I got a GUI auth window when committing to Git from VS Code. By default you get CLI auth, and then VS Code does nothing; once I switched to pinentry-gtk-2 it started to work.

Don't forget to install pinentry :)

@plibither8

Hi @joaomoreno, any updates regarding this issue? I can't find a conclusive solution anywhere on GitHub or the internet :/

@holms

holms commented Apr 5, 2019

@plibither8 you need GNOME for this to work, or set up pinentry as in my comment above.

@plibither8

@holms, tried that, I'm still getting the following error:
[image]

@plibither8

plibither8 commented Apr 12, 2019

Update: Solved this issue on my machine by configuring git to use gnupg2 instead of the regular gpg. Password is stored in the computer's password manager and I'm able to use VSCode's GUI to commit now.

Reference: https://askubuntu.com/a/805550

@joaomoreno joaomoreno added the help wanted Issues identified as good community contribution opportunities label Oct 9, 2019
@joaomoreno joaomoreno self-assigned this Oct 9, 2019
@rugglcon

This doesn't work on MacOS Catalina, the UI doesn't prompt for passphrase.

@bendwyer

> This doesn't work on MacOS Catalina, the UI doesn't prompt for passphrase.

@rugglcon, the following fixed it for me:

brew install pinentry-mac
echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
killall gpg-agent

Now upon your first commit with VS Code, you should be prompted. Granted it's not a native VS Code prompt, but it makes everything work.

Source: https://stackoverflow.com/a/40066889

@rugglcon

@bendwyer what I ended up doing (should have come back and updated my comment) was installing the GPG Keychain application for Mac, and it caches your password until your next reboot. So I commit once outside of VS Code to enter my passphrase, then the rest of my commits I can do from Code.

@sergeyshevch

@noce2 Check that you have installed the expect package on your WSL system.
@wdhongtw Thanks for the great extension. You solved my problem

@brunovieira97

There's a huge gap on functionality that, from my perspective, could be fixed by Code supporting passphrase entry on consoles (and redirecting it to/from a modal in its own UI) for GPG.

Windows GPG has a default pinentry GUI that works just fine with VS Code today, but using that on SSH sessions is impossible on Windows, hanging because summoning a window through SSH is impossible.

I could just switch to pinentry-mode loopback, but doing so makes VS Code hang when trying to commit a file with signing set to true. If Code could just generate a modal input, all of those problems with Code Remote Development would be fixed and local development would work as well.

@viceice

viceice commented Feb 3, 2021

My workaround is to add a shell wrapper for the gpg executable to the front of PATH on WSL2:

#!/bin/sh
exec /mnt/c/Users/kriese/scoop/apps/gpg/current/bin/gpg.exe "$@"

@nv6

nv6 commented Mar 1, 2021

> Hi @sangeeth96 , I have the same idea, and I just wrote an extension to send passphrase to the gpg-agent.
>
> If you don't mind 3rd party solution, you can give it a try. :D

Works perfectly, thanks 👌🏽

@argtus

argtus commented Apr 28, 2021

> This doesn't work on MacOS Catalina, the UI doesn't prompt for passphrase.
>
> @rugglcon, the following fixed it for me:
>
> brew install pinentry-mac
> echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
> killall gpg-agent
>
> Now upon your first commit with VS Code, you should be prompted. Granted it's not a native VS Code prompt, but it makes everything work.
>
> Source: https://stackoverflow.com/a/40066889

Thanks, this solution worked. To streamline it a bit and to avoid some copy paste errors you can also do:

echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf

@SuperSecureHuman

SuperSecureHuman commented Feb 4, 2022

I have the same problem on VS Code Linux (v1.64)

[image]

Currently I commit via integrated terminal, and push it via the gui.

Any solutions/workarounds yet?

Thanks!

@telometto

> I have the same problem on VS Code Linux (v1.64)
>
> [image]
>
> Currently I commit via integrated terminal, and push it via the gui.
>
> Any solutions/workarounds yet?
>
> Thanks!

In three days this issue will be four years old; let's celebrate and see if we can get it to at least 10 years!

@deeprobin
Author

> I have the same problem on VS Code Linux (v1.64)
> [image]
> Currently I commit via integrated terminal, and push it via the gui.
> Any solutions/workarounds yet?
> Thanks!
>
> In three days this issue will be four years old; let's celebrate and see if we can get it to at least 10 years!

🎉 🎉 🎉

@deeprobin
Author

deeprobin commented Feb 13, 2022

Unfortunately, we only find workarounds. And I think you can see that enough people find this issue quite important.

Pushing this issue into the backlog is not good imo. GPG Signing is an essential feature of Git. Even if I am a CLI user, I think this would be especially important for repositories that require GPG signed commits.

Even if it might be cool to let this issue get 10 years old, I hope not.

Maybe someone might look into this and create a pull request that solves this problem (Shouldn't be witchcraft imo - other editors and IDEs get this right).

@joaomoreno I guess this is not realistic with the February 2022 Milestone, but would it be possible to push this issue into the March 2022 Milestone?

@telometto

@deeprobin True. My comment was meant as tongue-in-cheek. As you mentioned, it is pretty essential as a feature to get this working, and sort of ridiculous that it hasn't been implemented yet. I don't know how busy the project is, but I'm guessing that it is very busy, especially in regards to it being the most used editor.
That being said, I don't think Microsoft lacks either the money or the manpower to get this working. I think many people would like to use this as a Flatpak if it were fully functioning; I know I would, at least.

@deeprobin
Author

@telometto
Exactly. And there are certainly people who are interested who haven't commented under this issue or given it a thumbs up.

At the company I work for, for example, I've noticed that many people don't have a GitHub account because they don't do much programming in their private lives.

@SuperSecureHuman

Now I think
How hard is it to implement, when another 3rd-party extension does it perfectly 🤷

https://marketplace.visualstudio.com/items?itemName=wdhongtw.gpg-indicator

Like, is it possible to do something like

if git config says sign commit
invoke whatever that extension does

@deeprobin
Author

deeprobin commented Feb 14, 2022

> Now I think How hard is it to implement, when another 3rd-party extension does it perfectly 🤷
>
> https://marketplace.visualstudio.com/items?itemName=wdhongtw.gpg-indicator
>
> Like, is it possible to do something like
>
> if git config says sign commit invoke whatever that extension does

Yes, I think here is the magic:
https://github.com/wdhongtw/vscode-gpg-indicator/blob/a400f5179420cf16980e7cdb6bb44e44172fcae1/src/indicator/gpg.ts#L76-L93

@wdhongtw Since you created the extension, maybe you feel like creating a pull request?

Maybe using the GPGME Library via FFI interop would be more performant (and generally better) instead of invoking the binary directly 1.
But I think (currently) this is not so bad, since quite a lot of built-in extensions call binaries.

Footnotes

  1. Issue regarding the direct call of binaries

@wdhongtw

wdhongtw commented Feb 22, 2022

@deeprobin, would you like to review the PR for my extension wdhongtw/vscode-gpg-indicator#27?
I think this PR is the first step before the extension can be robust enough to be merged into VS Code someday.

Although being the author of the extension, I think there are some other possibilities for this issue:

Solution 1: Handle the GPG agent forwarding for some environments

I created the extension since I found no way to forward the GPG agent from Windows to a Remote Linux environment (AFAIK).
So I put the GPG key directly on the remote machine, and created an extension to provide the passphrase through the VS Code UI.

But if the agent forwarding worked in the first place, there would be no need for VS Code to handle the passphrase stuff by itself.

Solution 2: Inject another pinentry program for VS Code.

For other use cases where the signing key does exist on the remote machine, the only problem is that there is no way (except pinentry-curses, which requires GPG_TTY to work properly) for the GPG agent to query the passphrase from the user.

If VS Code could inject a special pinentry program for the GPG agent, then when the signing process is triggered, the GPG agent could ask VS Code to prompt the user for the passphrase. This would provide a better UX for the commit signing process (compared to my extension, which requires the user to unlock the key before the commit action).
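One way Solution 2 could look, as an added example (not code from the thread, the gpg-indicator extension or VS Code): a minimal pinentry script that speaks the Assuan dialogue gpg-agent expects and hands the actual prompt to an askpass-style helper, the way VS Code's askpass.sh does for git passwords. The helper variable `PINENTRY_ASKPASS` and its default `ssh-askpass` are assumptions; the helper is expected to receive the prompt as its first argument, print the passphrase on stdout, and exit non-zero when the user cancels.

```shell
#!/bin/sh
# pinentry-askpass: minimal pinentry that delegates the prompt to an askpass-style helper.
# Added example, not code from the thread. Assumption: $PINENTRY_ASKPASS (hypothetical
# variable, default ssh-askpass) names a program that gets the prompt as $1, prints the
# passphrase on stdout and exits non-zero on cancel.

# Undo the Assuan percent-escapes gpg-agent commonly emits in SETDESC/SETPROMPT text.
assuan_decode() {
    printf '%s' "$1" | sed -e 's/%0A/ /g' -e 's/%0D//g' -e 's/%25/%/g'
}

# Escape a passphrase for a D line; '%' is the only byte that needs it on a single line.
assuan_encode() {
    printf '%s' "$1" | sed 's/%/%25/g'
}

DESC=""
PROMPT="Passphrase:"

# Handle one request line and print the reply lines; returns 1 once the agent says BYE.
pinentry_handle() {
    cmd="${1%% *}"
    arg="${1#"$cmd"}"; arg="${arg# }"
    case "$cmd" in
        SETDESC)   DESC="$(assuan_decode "$arg")"; echo OK ;;
        SETPROMPT) PROMPT="$(assuan_decode "$arg")"; echo OK ;;
        GETINFO)
            case "$arg" in
                pid)     echo "D $$"; echo OK ;;
                flavor)  echo "D askpass-shim"; echo OK ;;
                version) echo "D 0.1"; echo OK ;;
                *)       echo OK ;;
            esac ;;
        GETPIN)
            # The secret goes from the helper's stdout straight back to gpg-agent, nowhere else.
            if pin="$("${PINENTRY_ASKPASS:-ssh-askpass}" "$DESC $PROMPT")"; then
                echo "D $(assuan_encode "$pin")"; echo OK
            else
                echo "ERR 83886179 Operation cancelled <Pinentry>"   # GPG_ERR_CANCELED
            fi ;;
        # No yes/no UI here, so refuse confirmations instead of silently accepting them.
        CONFIRM)   echo "ERR 83886179 Operation cancelled <Pinentry>" ;;
        BYE)       echo "OK closing connection"; return 1 ;;
        *)         echo OK ;;   # OPTION, SETKEYINFO, SETOK, MESSAGE, ... accepted and ignored
    esac
}

# Protocol loop: greeting first, then one reply per request line from gpg-agent.
main() {
    echo "OK Pleased to meet you"
    while IFS= read -r line; do
        pinentry_handle "$line" || break
    done
}

# Run the loop only when installed under the pinentry-askpass name; sourcing it is a no-op.
case "${0##*/}" in pinentry-askpass) main ;; esac
```

Point pinentry-program in ~/.gnupg/gpg-agent.conf at this script and run gpgconf --kill gpg-agent; gpg-agent still owns the passphrase cache, the script only relays a single answer per GETPIN.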

@deeprobin
Author

> Now I think How hard is it to implement, when another 3rd-party extension does it perfectly 🤷
> https://marketplace.visualstudio.com/items?itemName=wdhongtw.gpg-indicator
> Like, is it possible to do something like
> if git config says sign commit invoke whatever that extension does
>
> Yes, I think here is the magic: https://github.com/wdhongtw/vscode-gpg-indicator/blob/a400f5179420cf16980e7cdb6bb44e44172fcae1/src/indicator/gpg.ts#L76-L93
>
> @wdhongtw Since you created the extension, maybe you feel like creating a pull request?
>
> Maybe using the GPGME Library via FFI interop would be more performant (and generally better) instead of invoking the binary directly 1. But I think (currently) this is not so bad, since quite a lot of built-in extensions call binaries.
>
> Footnotes
>
> 1. [Issue regarding the direct call of binaries](https://github.com/microsoft/vscode/issues/142976)

Pinging some maintainers: @lszomoru @eamodio

@deeprobin
Author

> @deeprobin, would you like to review the PR for my extension wdhongtw/vscode-gpg-indicator#27? I think this PR is the first step before the extension can be robust enough to be merged into VS Code someday.

@wdhongtw

I've added a few comments to your PR. But I must say that I am not an experienced extension developer. I deal more with the underground of Node: V8, ...

@SuperSecureHuman

It magically works now. IDK what has changed. Now when I try to commit, I get a popup (it's a KDE pop-up thing) that asks for my password. Note that I am on the i3 window manager, and I am not sure which change I made to the system in the past month did this.

@JasonGantner

The GPG Indicator Extension sure is nice, but having to unlock the key rather than being prompted for the password at each commit kinda defeats the purpose of having it encrypted in the first place.

VSCode already injects an "askpass.sh" program for git password prompting (it's a wrapper for a node.js script). I guess it could be used as a starting point for a pinentry-vscode that would work out-of-the-box for both local and remote gpg signing.

A nice improvement would be a GPG wrapper to get signing to be handled through vscode (be it local or remote) rather than gpg being called directly by git. This would avoid reconfiguring git everywhere or copying sensitive keys to a bunch of locations.

@SuperSecureHuman

> It magically works now. IDK what has changed. Now when I try to commit, I get a popup (it's a KDE pop-up thing) that asks for my password. Note that I am on the i3 window manager, and I am not sure which change I made to the system in the past month did this.

Update:

[image]

Hope this image explains something :)

@SuperSecureHuman

Another update:

I think I found it

[image]

Installing gtk2 on my Arch system allowed it to have the GUI frontend to enter my password.

Hope this helps someone

@SuperSecureHuman

Complete steps which I think might solve this issue:

  1. Install one of these packages (https://archlinux.org/packages/core/x86_64/pinentry/)

[image]

  2. Add this to your bash/zsh/shell rc file:

export GPG_TTY=$(tty)

I had to do this to get it working. If I comment it out, it fails.

  3. Type pin and use tab completion to see the options you have. In my case it's

[image]

  4. I chose to use pinentry-gnome3 from my options. Now type which pinentry-gnome3 to find the binary path.

  5. Create/Edit ~/.gnupg/gpg-agent.conf and add this:

pinentry-program /usr/bin/pinentry-gnome3

The /usr/bin path thingy is the one from your previous step.

[image]

@ShamoX

ShamoX commented Apr 3, 2023

> This doesn't work on MacOS Catalina, the UI doesn't prompt for passphrase.
>
> @rugglcon, the following fixed it for me:
>
> brew install pinentry-mac
> echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
> killall gpg-agent
>
> Now upon your first commit with VS Code, you should be prompted. Granted it's not a native VS Code prompt, but it makes everything work.
>
> Source: https://stackoverflow.com/a/40066889

Almost perfect for me.

I have a recent mac, and so pinentry-mac's path was incorrect and there is a better way to restart gpg-agent:

brew install pinentry-mac
brew link --overwrite gnupg # just in case
echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf
gpgconf --kill gpg-agent

Source: https://superuser.com/questions/1628782/gpg-signing-failed-no-pinentry

@nboynick

I recently came across this issue myself, and while the pinentry-mac solution works for me, I was wondering if it is safe to rely on pinentry-mac considering that the GitHub repository has been archived and the last commit was nine years ago. I do not know how to evaluate such a security risk myself, so I was hoping someone else might be able to chime in.

@ShamoX

ShamoX commented Feb 16, 2024

> I recently came across this issue myself, and while the pinentry-mac solution works for me, I was wondering if it is safe to rely on pinentry-mac considering that the GitHub repository has been archived and the last commit was nine years ago. I do not know how to evaluate such a security risk myself, so I was hoping someone else might be able to chime in.

Hello,

The pinentry-mac project has been deprecated because the macOS interface has been integrated into the main pinentry project.

As you can see in the pinentry-mac formula (line 7), the GitHub used is the one of GPGTools/pinentry.

I guess we can use it safely.

@arijoon

arijoon commented Mar 27, 2024

For anyone using WSL Ubuntu, the following worked for me:

Install pinentry-gtk2: sudo apt-get install pinentry-gtk2
Set it as the pinentry program in ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/bin/pinentry-gtk-2

This will result in a graphical pinentry prompt from both VS Code and the terminal. The downside here is that unfortunately the terminal also follows the same pattern. If anyone knows whether it's possible to override the pinentry-program option with an env var, let me know please, as that would allow us to create a wrapper to switch depending on whether a tty is attached or not. I don't really like this solution (graphical prompt from the terminal) but it's the most stable solution at the moment for me (on WSL).
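A way to get the per-context switch asked about above, as an added example (not from the thread): gpg forwards the caller's PINENTRY_USER_DATA environment variable through gpg-agent into the environment of whatever pinentry-program it spawns, so a small wrapper can pick pinentry-curses when a terminal session has exported that variable and the GTK pinentry otherwise. The wrapper name, the USE_TTY=1 convention and the two pinentry paths are assumptions.

```shell
#!/bin/sh
# pinentry-switch: choose a terminal or a GUI pinentry per invocation.
# Added example, not code from the thread. gpg hands the caller's PINENTRY_USER_DATA
# through gpg-agent to the pinentry it spawns, so the value tells us who is signing:
# a terminal that exported it gets pinentry-curses, VS Code (which sets nothing) gets GTK.
# The USE_TTY=1 convention, the wrapper name and the paths below are assumptions.

TTY_PINENTRY="${TTY_PINENTRY:-/usr/bin/pinentry-curses}"
GUI_PINENTRY="${GUI_PINENTRY:-/usr/bin/pinentry-gtk-2}"

# Map the forwarded user data to a pinentry path (side-effect free so it can be tested).
choose_pinentry() {
    case "$1" in
        *USE_TTY=1*) printf '%s\n' "$TTY_PINENTRY" ;;
        *)           printf '%s\n' "$GUI_PINENTRY" ;;
    esac
}

# One-time setup:
#   ~/.gnupg/gpg-agent.conf:   pinentry-program /usr/local/bin/pinentry-switch
#   ~/.bashrc (terminal side): export GPG_TTY=$(tty); export PINENTRY_USER_DATA=USE_TTY=1
#   then:                      gpgconf --kill gpg-agent   (the agent reads its config at start)
# pinentry-curses needs the tty name, which gpg only sends to the agent when GPG_TTY is set.
# When installed under the wrapper name, hand the whole Assuan dialogue to the chosen program.
case "${0##*/}" in
    pinentry-switch) exec "$(choose_pinentry "${PINENTRY_USER_DATA:-}")" "$@" ;;
esac
```

Start VS Code from the desktop launcher rather than from a terminal that exported USE_TTY=1, otherwise it inherits the variable and gets the curses pinentry it cannot drive.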
