Yubikey + GNUPG 2.1.14 + GPG Agent Forwarding + Mutt 1.6.0 (gpgme 1.6.0): Not asking for PIN for smartcard on first use of an encryption key

Thomas Glanzmann thomas at glanzmann.de
Thu Jul 21 16:20:17 CEST 2016

Hello Peter,

> GnuPG doesn't expect that you forward the normal gpg-agent socket. For
> forwarding to a remote machine, there is the gpg-agent.conf option

> extra-socket [socket file]

I see, I read a lot of tutorials on the web, nobody seems to really
understand what they're doing. In one of these tutorials someone
mentions that the extra socket is obsolete, so I did not use it. But
with your answer, I'll definitely use it from now on.

> I'm a bit surprised you still get a graphical pinentry on your original
> display when you unset DISPLAY on the remote side. I would expect it to
> try a textual pinentry on the TTY indicated by the remote side, which
> probably should fail as well since it is the name of a TTY on the remote
> side.

From what I learned so far, the behaviour depends on the entry
'pinentry-mode': if you set it to 'default' it asks the remote agent. If
you put it to loopback it asks by itself. If I don't have it set at all,
it did not work, but this might be also related to my display issue.
However thanks to your feedback my setup is now much saner than it used to

> I'm probably missing a detail somewhere. The keep-{display,tty} sounds
> like it indeed should work correctly, but it is quite restrictive.

It does, and I will keep it but change my usage to use the extra socket.
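
Added example, not part of the original message or of GnuPG: a check that reads ssh_config text and reports whether each RemoteForward line exposes the normal gpg-agent socket or the extra socket recommended above. The socket file names S.gpg-agent and S.gpg-agent.extra are GnuPG's default names; the host names, paths and the FULL/RESTRICTED labels are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit ssh_config RemoteForward lines for gpg-agent sockets.
# ssh_config syntax is "RemoteForward <remote socket> <local socket>"; the
# local side decides which gpg-agent socket the remote machine can talk to.
# Limitation: only the whitespace-separated, unquoted form is parsed.

classify_gpg_forwards() {
    awk '
        BEGIN { host = "*" }
        tolower($1) == "host" { host = $2; next }
        tolower($1) == "remoteforward" && NF >= 3 {
            n = split($3, parts, "/")
            base = parts[n]
            if (base == "S.gpg-agent")            verdict = "FULL"
            else if (base == "S.gpg-agent.extra") verdict = "RESTRICTED"
            else next   # not a gpg-agent socket, ignore
            printf "%s %s %s\n", verdict, host, $3
        }
    '
}

# Constructed sample input (hypothetical hosts and paths).
sample_config() {
cat <<'EOF'
# constructed sample
Host build
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /home/alice/.gnupg/S.gpg-agent
Host mail
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /home/alice/.gnupg/S.gpg-agent.extra
Host web
    RemoteForward 8080 localhost:80
EOF
}

# FULL lines forward the normal agent socket and should be switched to the
# socket configured with extra-socket in gpg-agent.conf.
sample_config | classify_gpg_forwards
```

To audit a real configuration, run `classify_gpg_forwards < ~/.ssh/config` and review every line reported as FULL.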

