Why doesn't gpg-agent forwarding work?

Kevin Gallagher kevin at z.cash
Sun Oct 16 19:58:59 CEST 2016


Hi all,

I've tried to get this working to no avail. I've consulted past postings
to this list as well as various online references. Some people seem to
have got this to work, but most seem to have trouble. I would appreciate
any guidance or help anyone can offer.

I want my gpg-agent to be shared with another host, specifically a
Vagrant/VirtualBox virtual machine, via Unix socket forwarding, which is
a feature that arrived with OpenSSH 6.7. I can get my gpg-agent's socket
forwarded, and I can talk to it with gpg-connect-agent, and even obtain
a list of keygrips for the keys residing on the local machine. However,
the forwarded gpg-agent socket does not seem to interface with the GPG
CLI utility, i.e. running `gpg2 --use-agent --list-keys` shows nothing.

This is important because I'm in the process of developing a
deterministic build environment for a project, and many of us prefer to
use smartcards or YubiKeys, so copying our secret keys into the VM is
not an option. The ability to forward the local gpg-agent into the VM
for signing operations would be very convenient.

GPG version on host: 2.1.15 (Debian stretch)
GPG version on VM: 2.0.26 (Debian jessie)

This illustrates what I'm doing:

    GPG_SOCK=$(echo "$GPG_AGENT_INFO" | cut -d: -f1)
    vagrant ssh vm -- -t -A \
        -R /home/vagrant/.gnupg/S.gpg-agent:$GPG_SOCK \
        -o StreamLocalBindUnlink=yes \
        -o ExitOnForwardFailure=yes

Setting some environment variables in the VM does not help:

    GPG_AGENT_INFO=/home/vagrant/.gnupg/S.gpg-agent:0:1
    GPG_SOCK=/home/vagrant/.gnupg/S.gpg-agent
    GPG_TTY=/dev/pts/1

I've tried alternate/matching versions of GnuPG, pored over the manpages
and options, and tried other stuff, with no luck. Does anyone have any
idea why it is that gpg-connect-agent can speak to the forwarded socket
but not gpg? Has someone here got this working before?

thanks in advance,
Kevin
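A check a practitioner would want before chasing gpg's own behaviour is whether the forwarded socket is actually a live gpg-agent and which keys it knows about, using the same Assuan protocol that gpg-connect-agent speaks. The script below is an added example, not code from the original post or from GnuPG: it parses Assuan replies (`OK`, `ERR`, `D`, `S` lines) into a structure, extracts `KEYINFO` records, and can connect to a socket path and run `GETINFO version` and `KEYINFO --list` against it. The sample transcripts embedded in it (keygrips, card serial number, version string) are constructed for the test and do not come from the post. Two facts worth keeping in mind when reading the result: since GnuPG 2.1 gpg ignores `GPG_AGENT_INFO` and looks for the socket at its standard location, and `gpg --list-keys` only reads the local public keyring, so it says nothing about what the agent holds.

```python
"""Minimal Assuan client and reply parser for probing a (forwarded) gpg-agent socket."""
import os
import re
import socket
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AssuanReply:
    ok: bool
    error: Optional[str] = None                       # "code message" from an ERR line
    data: str = ""                                    # concatenated, unescaped D lines
    status: List[List[str]] = field(default_factory=list)   # [keyword, *args] per S line
    comments: List[str] = field(default_factory=list)


@dataclass
class KeyInfo:
    keygrip: str
    key_type: str   # 'D' key file in private-keys-v1.d, 'T' on a smartcard/token, '-' unknown
    serialno: str   # card serial number, or '-'
    idstr: str      # card key slot such as OPENPGP.1, or '-'


def unescape(s: str) -> str:
    """Undo Assuan percent-escaping (%0A -> newline, %25 -> '%', ...)."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_reply(raw: str) -> AssuanReply:
    """Parse the lines the agent sends in answer to one command, up to OK or ERR."""
    reply = AssuanReply(ok=False)
    for line in raw.splitlines():
        if not line:
            continue
        if line == "OK" or line.startswith("OK "):
            reply.ok = True
            break
        if line.startswith("ERR "):
            reply.error = line[4:]
            break
        if line.startswith("D "):
            reply.data += unescape(line[2:])
        elif line.startswith("S "):
            reply.status.append(line[2:].split())
        elif line.startswith("# "):
            reply.comments.append(line[2:])
        elif line.startswith("INQUIRE "):
            # This checker never answers inquiries; treat one as a failure.
            reply.error = "unexpected " + line
            break
    return reply


def keyinfos(reply: AssuanReply) -> List[KeyInfo]:
    """Extract KEYINFO status records (keygrip, type, serialno, idstr) from a reply."""
    return [KeyInfo(*rec[1:5]) for rec in reply.status
            if rec[0] == "KEYINFO" and len(rec) >= 5]


def query_agent(sock_path: str,
                commands: Tuple[str, ...] = ("GETINFO version", "KEYINFO --list")
                ) -> Dict[str, AssuanReply]:
    """Connect to a gpg-agent Unix socket, run each command, return {command: reply}."""
    results: Dict[str, AssuanReply] = {}
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(sock_path)
        f = s.makefile("rw", encoding="utf-8", newline="\n")
        greeting = f.readline()                      # agent opens with "OK Pleased to meet you"
        if not greeting.startswith("OK"):
            raise RuntimeError("unexpected greeting: " + greeting.strip())
        for cmd in commands:
            f.write(cmd + "\n")
            f.flush()
            lines = []
            while True:
                line = f.readline()
                if not line:
                    raise RuntimeError("agent closed the connection")
                lines.append(line)
                if line.startswith("OK") or line.startswith("ERR "):
                    break
            results[cmd] = parse_reply("".join(lines))
        f.write("BYE\n")
        f.flush()
    return results


# Constructed sample transcripts (not captured from any real agent); keygrips and
# card serial number are made up for the test.
SAMPLE_VERSION_REPLY = "D 2.1.15\nOK\n"
SAMPLE_KEYINFO_REPLY = (
    "S KEYINFO 8F5CE1D9D2A1EC9A1F8E4D17C8F1A6C2E2B0A9D3 T D2760000240102010006041234560000 OPENPGP.1 - - - - -\n"
    "S KEYINFO 1A2B3C4D5E6F70819293A4B5C6D7E8F901234567 D - - 1 P - - -\n"
    "OK\n"
)
SAMPLE_ERR_REPLY = "ERR 67108891 Unknown IPC command <GPG Agent>\n"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.gnupg/S.gpg-agent")
    try:
        res = query_agent(path)
    except OSError as exc:
        sys.exit(f"cannot talk to {path}: {exc}")
    ver = res["GETINFO version"]
    print("agent version:", ver.data if ver.ok else ver.error)
    for k in keyinfos(res["KEYINFO --list"]):
        print(k.keygrip, k.key_type, k.serialno, k.idstr)
```

Run it inside the VM with the forwarded socket path as the argument; a `T` entry with a card serial number shows that the agent on the other end sees the smartcard key, independently of whatever gpg in the VM reports.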

