Why doesn't gpg-agent forwarding work?

Stephan Beck stebe at mailbox.org
Wed Oct 19 00:21:00 CEST 2016


Hi Kevin,

Kevin Gallagher:
> Hi all,
> 
> I've tried to get this working to no avail. I've consulted past postings
> to this list as well as various online references. Some people seem to
> have got this to work, but most seem to have trouble. I would appreciate
> any guidance or help anyone can offer.
> 
> I want my gpg-agent to be shared with another host, specifically a
> Vagrant/VirtualBox virtual machine, via Unix socket forwarding, which is
> a feature that arrived with OpenSSH 6.7. I can get my gpg-agent's socket
> forwarded, and I can talk to it with gpg-connect-agent, and even obtain
> a list of keygrips for the keys residing on the local machine. However,
> the forwarded gpg-agent socket does not seem to interface with the GPG
> CLI utility, i.e. running `gpg2 --use-agent --list-keys` shows nothing.

Have you considered adding the debug flag to the command (--debug-level
expert)?
> 
> This is important because I'm in the process of developing a
> deterministic build environment for a project, and many of us prefer to
> use smartcards or YubiKeys, so copying our secret keys into the VM is
> not an option. The ability to forward the local gpg-agent into the VM
> for signing operations would be very convenient.
> 
> GPG version on host: 2.1.15 (Debian stretch)
> GPG version on VM: 2.0.26 (Debian jessie)

> Setting some environment variables in the VM does not help:
> 
>     GPG_AGENT_INFO=/home/vagrant/.gnupg/S.gpg-agent:0:1
>     GPG_SOCK=/home/vagrant/.gnupg/S.gpg-agent
>     GPG_TTY=/dev/pts/1

And if you'd try to add this to the VM's .bashrc file via ssh/scp
(assuming that the Vagrant VM is headless and has bash):

if [ -f "${HOME}/.gpg-agent-info" ]; then
    # the env file (as written by gpg-agent --write-env-file) sets these
    . "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
    export SSH_AGENT_PID
fi

Wouldn't that start the "target shell" (forcibly) with the agent being
fired up and all ready for sshing?

Cheers

Stephan
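As an added illustration of the setup Kevin describes (this is not code from either poster, nor from GnuPG or OpenSSH), the helpers below build the `ssh -R remote_socket:local_socket` spec that OpenSSH 6.7+ Unix-socket forwarding takes, derive the legacy `GPG_AGENT_INFO` value that gpg 2.0 in the VM reads, and check the forwarded socket inside the VM before it is trusted. The socket paths are placeholders, `gpgconf --list-dirs agent-socket` is assumed to be available on the 2.1 host, and the permission check assumes GNU `stat`. The permission check matters because whoever can connect to the forwarded socket inside the VM can sign with the host's keys or smartcard.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for forwarding a host gpg-agent
# socket into a VM over ssh -R and sanity-checking it on the VM side.
# All paths are placeholders; adjust to the host and VM layout.

# Build the "remote_socket:local_socket" spec that ssh -R expects for
# Unix-socket forwarding (OpenSSH >= 6.7).
build_remote_forward() {
    remote_sock=$1
    local_sock=$2
    printf '%s:%s\n' "$remote_sock" "$local_sock"
}

# Locate the agent socket on the host. GnuPG 2.1 reports it via
# `gpgconf --list-dirs agent-socket` (assumed present); otherwise fall
# back to the legacy ~/.gnupg/S.gpg-agent location.
host_agent_socket() {
    if sock=$(gpgconf --list-dirs agent-socket 2>/dev/null) && [ -n "$sock" ]; then
        printf '%s\n' "$sock"
    else
        printf '%s\n' "${HOME}/.gnupg/S.gpg-agent"
    fi
}

# Legacy GPG_AGENT_INFO value read by gpg 2.0: "socket:pid:protocol-version".
# The pid is meaningless for a forwarded socket, so 0 is used (as in the post).
gpg_agent_info_for() {
    printf '%s:0:1\n' "$1"
}

# Checks to run inside the VM before exporting GPG_AGENT_INFO:
#  - the path exists and is a Unix socket (not a stale regular file),
#  - it is owned by the current user,
#  - it is not group- or world-accessible: anyone who can connect to it can
#    sign with the host's keys or smartcard.
# Uses GNU stat (-c); adjust for BSD stat if needed.
check_forwarded_socket() {
    sock=$1
    [ -S "$sock" ] || { echo "not a socket: $sock" >&2; return 1; }
    owner=$(stat -c '%u' "$sock" 2>/dev/null) || { echo "cannot stat $sock" >&2; return 1; }
    [ "$owner" = "$(id -u)" ] || { echo "not owned by uid $(id -u): $sock" >&2; return 1; }
    mode=$(stat -c '%a' "$sock" 2>/dev/null) || { echo "cannot stat $sock" >&2; return 1; }
    case "$mode" in
        ?00) return 0 ;;   # e.g. 600 or 700: owner only
        *) echo "permissions too open ($mode): $sock" >&2; return 1 ;;
    esac
}

# Host side (placeholder hostname and paths). The VM's sshd should have
# "StreamLocalBindUnlink yes" so a stale socket file from an earlier session
# is replaced instead of making the forward fail:
#   ssh -R "$(build_remote_forward /home/vagrant/.gnupg/S.gpg-agent "$(host_agent_socket)")" vagrant@vm
#
# VM side, before running gpg2 --use-agent:
#   sock=/home/vagrant/.gnupg/S.gpg-agent
#   check_forwarded_socket "$sock" && export GPG_AGENT_INFO=$(gpg_agent_info_for "$sock")
#   gpg-connect-agent 'GETINFO version' /bye
```

`gpg-connect-agent 'GETINFO version' /bye` answers with the host agent's version, which is a quick way to confirm the VM is really talking to the forwarded 2.1 agent rather than a locally started one.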