Help with GPG agent forwarding

Ben Warren ben at skyportsystems.com
Fri May 22 19:18:40 CEST 2015


Hi,

I’m trying to set things up so that I can sign files on a remote Linux machine using keys on my Mac.  It looks like the new agent forwarding should fit the bill, and it feels like I’m really close, but missing something critical.

Setup details:

local machine:
* OSX Yosemite
* OpenSSH 6.8p1, installed using Homebrew
* gpg and gpg-agent v2.1.4

remote machine:
* Ubuntu 14.04
* OpenSSH 6.7p1, installed from source
* gpg and gpg-agent v2.1.3, installed from source

Locally, I start gpg-agent like this:

eval $(gpg-agent --daemon --extra-socket=S.gpg-extra-agent)

To connect, I use this command line:

 ssh <remote host> -R <remote home>/.gnupg/S.gpg-agent:~/.gnupg/S.gpg-extra-agent

It seems that the UNIX socket tunnel is set up: I see the “S.gpg-agent” socket file appear on the remote machine and neither the SSH client nor server complains.

But… I don’t see the key info going through.

Local side:

$ gpg -k
~/.gnupg/pubring.gpg
-----------------------------
pub   dsa2048/00D026C4 2010-08-19 [expires: 2015-08-18]
uid       [ultimate] GPGTools Team <team at gpgtools.org>
uid       [ultimate] GPGMail Project Team (Official OpenPGP Key) <gpgmail-devel at lists.gpgmail.org>
uid       [ultimate] GPGTools Project Team (Official OpenPGP Key) <gpgtools-org at lists.gpgtools.org>
uid       [ultimate] [jpeg image of size 5871]
sub   elg2048/DBCBE671 2010-08-19 [expires: 2015-08-18]
< snip my keys >

Remote side:

$ gpg2 -k
$ gpg2 --output myfile.sig --sign myfile.txt
gpg: no default secret key: No secret key
gpg: signing failed: No secret key

I’m a little confused as to where gpg-agent needs to be running, and what config options both for the agent and client need to be set.  Please give me ideas as to what may be missing and how I can debug this further.

thanks,
Ben





