GnuPG + pinentry-mac

Build and install GnuPG 2.5.20 and pinentry-mac 1.3.1.1 from source.

Background

macOS 26.5 (25F71)

TL;DR

Configuration

.gnupg/gpg-agent.conf
pinentry-program /usr/local/bin/pinentry-mac
default-cache-ttl 300
max-cache-ttl 7200
# disable-scdaemon
# log-file ~/.gnupg/gpg-agent.log
# debug-level guru
# debug-all

First use

% gpg --full-generate-key

Common commands

% gpg --list-secret-keys --keyid-format=long
% gpg --armor --export <KEY>

Debugging

% gpg-connect-agent reloadagent /bye
% gpg-connect-agent /bye 
% gpgconf --kill gpg-agent

% echo "something" | gpg --clearsign

Using with Git

% gpg --list-secret-keys --keyid-format=long
% git config --global user.signingkey <KEY>
% git config --global commit.gpgsign true

% git log --show-signature

PIN entry configuration

// [Save in Keychain] unchecked by default
% defaults write org.gpgtools.pinentry-mac UseKeychain NO

// Hide [Save in Keychain]
% defaults write org.gpgtools.pinentry-mac DisableKeychain YES

GnuPG 2.5.20

Name                      Version  Date        Size    Tarball   Signature
GnuPG (stable)            2.5.20   2026-05-13  8132k   download  download
GnuPG (stable with libs)  2.5.20   2026-05-13  14881k  download  download

% cd /usr/local/src/
% curl --remote-name https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-w32-2.5.20_20260513.tar.xz
% tar xJvf gnupg-w32-2.5.20_20260513.tar.xz
% cd gnupg-w32-2.5.20
% cat README

...
  GnuPG ~2.6~ depends on the following GnuPG related packages:

    npth         (https://gnupg.org/ftp/gcrypt/npth/)
    libgpg-error (https://gnupg.org/ftp/gcrypt/libgpg-error/)
    libgcrypt    (https://gnupg.org/ftp/gcrypt/libgcrypt/)
    libksba      (https://gnupg.org/ftp/gcrypt/libksba/)
    libassuan    (https://gnupg.org/ftp/gcrypt/libassuan/)
...

Name          Version  Date        Size   Tarball   Signature
Libgpg-error  1.61     2026-05-07  1098k  download  download
Libgcrypt     1.12.2   2026-04-15  4337k  download  download
Libksba       1.8.0    2026-05-13  704k   download  download
Libassuan     3.0.2    2025-02-18  579k   download  download
nPth          1.8      2024-11-12  310k   download  download

The libraries bundled with gnupg-w32-2.5.20 are npth 1.8, libgpg-error 1.61, libgcrypt 1.12.2, libksba 1.8.0 and libassuan 3.0.2.

% cat README

...
As with all packages, you just have to do

    mkdir build
    cd build
    ../configure
    make
    make check
    make install
...

Verification

% curl -s https://gnupg.org/signature_key.asc | gpg --import
gpg: directory '/Users/xxx/.gnupg' created
gpg: keybox '/Users/xxx/.gnupg/pubring.kbx' created
gpg: key 528897B826403ADA: 4 signatures not checked due to missing keys
gpg: /Users/xxx/.gnupg/trustdb.gpg: trustdb created
gpg: key 528897B826403ADA: public key "Werner Koch (dist signing 2020)" imported
gpg: key E98E9B2D19C6C8BD: 2 signatures not checked due to missing keys
gpg: key E98E9B2D19C6C8BD: public key "Niibe Yutaka (GnuPG Release Key)" imported
gpg: key ECB664CBE1332EEF: 1 signature not checked due to a missing key
gpg: key ECB664CBE1332EEF: public key "Alexander Kulbartsch (GnuPG Release Key)" imported
gpg: key 549E695E905BA208: 1 signature not checked due to a missing key
gpg: key 549E695E905BA208: public key "GnuPG.com (Release Signing Key 2021)" imported
gpg: key 3ADF34EBDBB200A4: public key "GnuPG.com (Release Signing Key 2026)" imported
gpg: Total number processed: 5
gpg:               imported: 5
gpg: no ultimately trusted keys found

% gpg --verify ./gnupg-w32-2.5.20_20260513.tar.xz.sig ./gnupg-w32-2.5.20_20260513.tar.xz
gpg: Signature made Wed May 13 20:49:24 2026 CST
gpg:                using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Good signature from "Werner Koch (dist signing 2020)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
      6DAA6E64A76D2840571B4902528897B826403ADA
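
The output above reports "Good signature" but also warns that the key is uncertified, since the key was imported from the same site that serves the tarball. As an added example (not part of the original post), the script below accepts a release only when gpg's --status-fd output carries a VALIDSIG line for a pinned fingerprint. check_status, verify_release and the sample status lines are constructed for illustration; the pinned value is the fingerprint printed above and should be confirmed through a separate channel before it is relied on.

```shell
#!/bin/sh
# Added example (not from the original post): gate on gpg's machine-readable status.

# Fingerprint printed by `gpg --verify` on this page; confirm it out-of-band before pinning.
PINNED_FPR="6DAA6E64A76D2840571B4902528897B826403ADA"

# check_status PINNED_FPR  (hypothetical helper)
# Reads `gpg --status-fd 1` output on stdin. Succeeds only if a VALIDSIG line names
# the pinned fingerprint (as signing key, or as primary key in the last field) and
# no BADSIG / EXPSIG / EXPKEYSIG / REVKEYSIG line is present.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }    # ignore anything that is not a status line
        $2 == "BADSIG" || $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release SIG FILE  (hypothetical helper): runs gpg and applies the check.
# Status lines go to stdout; the human-readable log on stderr is discarded.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed sample of status output for a good signature.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 528897B826403ADA Werner Koch (dist signing 2020)
[GNUPG:] VALIDSIG 6DAA6E64A76D2840571B4902528897B826403ADA 2026-05-13 1778676564 0 4 0 22 10 00 6DAA6E64A76D2840571B4902528897B826403ADA'

# Constructed sample: same key ID, but the data does not match the signature.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 528897B826403ADA Werner Koch (dist signing 2020)'

# Usage: sh verify.sh <file.sig> <file>
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: valid signature from $PINNED_FPR"
    else
        echo "REJECT: no valid signature from the pinned key" >&2
        exit 1
    fi
fi
```

Matching on the full 40-hex fingerprint in VALIDSIG, rather than on the "Good signature" text or a 16-hex key ID, keeps the decision independent of whatever other keys sit in the keyring.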

First use

% gpg --full-generate-key
gpg (GnuPG) 2.5.20; Copyright (C) 2026 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
  (16) ECC and Kyber
Your selection? 
Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (4) NIST P-384
   (6) Brainpool P-256
Your selection? 
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Is this correct? (y/N) 

GnuPG needs to construct a user ID to identify your key.

Real name:
Email address:
Comment:
You selected this USER-ID:

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry

A pinentry is required. After installing one, remember to restart gpg-agent.

[Optional] gpg/pinentry 1.3.2

Name      Version  Date        Size  Tarball   Signature
Pinentry  1.3.2    2025-07-28  598k  download  download

Requires autoconf [>=2.69] and automake [>=1.14].

configure:

	Pinentry v1.3.2 has been configured as follows:

	Revision:  d766080  (55142)
	Platform:  aarch64-apple-darwin25.5.0

	Curses Pinentry ..: yes
	TTY Pinentry .....: maybe
	Emacs Pinentry ...: no
	EFL Pinentry .....: no
	GTK+-2 Pinentry ..: no
	GNOME 3 Pinentry .: no
	Qt6 Pinentry .....: no
	Qt5 Pinentry .....: no
	Qt4 Pinentry .....: no
	TQt Pinentry .....: no
	W32 Pinentry .....: no
	FLTK Pinentry ....: no

	Fallback to Curses: yes
	Emacs integration : yes

	libsecret ........: no

	Default Pinentry .: pinentry-curses

Building GNU Autoconf (version 2.73)

checking for GNU M4 that supports accurate traces... configure: error: no acceptable m4 could be found in $PATH.
GNU M4 1.4.8 or later is required; 1.4.16 or newer is recommended.
GNU M4 1.4.15 uses a buggy replacement strstr on some systems.
Glibc 2.9 - 2.12 and GNU M4 1.4.11 - 1.4.15 have another strstr bug.

autoconf-2.73 % M4=/usr/local/bin/m4 ./configure
autoconf-2.73 % make
autoconf-2.73 % sudo make install

Building GNU M4 (version 1.4.21)

% /usr/bin/m4 --version
GNU M4 1.4.6
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Written by Rene' Seindal.
% /usr/local/bin/m4 --version
m4 (GNU M4) 1.4.21
Copyright (C) 2026 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by René Seindal.

Building GNU Automake (version 1.18.1, 25 June 2025)

[Recommended] pinentry-mac 1.3.1.1 (GPGTools/pinentry)

Name          Version  Date        Size
Pinentry-mac  1.3.1.1  2025-01-29  750k

pinentry-1.3.1.1 % ./autogen.sh 
autogen.sh: Running aclocal -I m4 ...
autogen.sh: Running autoheader...
autogen.sh: Running automake --gnu ...
autogen.sh: Running autoconf ...
configure.ac:350: warning: AC_LIB_PREPARE_PREFIX is m4_require'd but not m4_defun'd
m4/iconv.m4:10: AM_ICONV_LINKFLAGS_BODY is expanded from...
m4/iconv.m4:21: AM_ICONV_LINK is expanded from...
m4/iconv.m4:246: AM_ICONV is expanded from...
configure.ac:350: the top level
configure.ac:350: warning: AC_LIB_RPATH is m4_require'd but not m4_defun'd
m4/iconv.m4:10: AM_ICONV_LINKFLAGS_BODY is expanded from...
m4/iconv.m4:21: AM_ICONV_LINK is expanded from...
m4/iconv.m4:246: AM_ICONV is expanded from...
configure.ac:350: the top level
configure:10371: error: undefined or overquoted macro: AC_LIB_PREPARE_PREFIX
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
configure:10372: error: undefined or overquoted macro: AC_LIB_RPATH
configure:10377: error: undefined or overquoted macro: AC_LIB_LINKFLAGS_BODY
configure:10385: error: undefined or overquoted macro: AC_LIB_APPENDTOVAR
autogen.sh: You may now run:
  ./configure --enable-maintainer-mode && make

% ./configure --enable-maintainer-mode
./configure: line 10377: syntax error near unexpected token `iconv'
./configure: line 10377: `      AC_LIB_LINKFLAGS_BODY(iconv)'

The AC_LIB_LINKFLAGS_BODY macro is provided by gettext.

Install gettext-1.0.

gettext-1.0 % make
Undefined symbols for architecture arm64:
  "_iconv_ostream_create", referenced from:
      <initial-undefines>
ld: symbol(s) not found for architecture arm64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[5]: *** [libtextstyle.la] Error 1
make[4]: *** [all] Error 2
make[3]: *** [all-recursive] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

The iconv that ships with the system is /usr/bin/iconv and /usr/lib/libiconv.2.dylib.

Install libiconv-1.19.

Build and install

pinentry-1.3.1.1 % export ACLOCAL_PATH=/usr/local/share/gettext/m4
pinentry-1.3.1.1 % ./autogen.sh

pinentry-1.3.1.1 % ./configure --enable-maintainer-mode --disable-doc --disable-pinentry-curses --disable-silent-rules
configure:

	Pinentry v1.3.1.1 has been configured as follows:

	Revision:  0000000  (0)
	Platform:  aarch64-apple-darwin25.5.0

	Curses Pinentry ..: no
	TTY Pinentry .....: maybe
	Emacs Pinentry ...: no
	EFL Pinentry .....: no
	GTK+-2 Pinentry ..: no
	GNOME 3 Pinentry .: no
	Qt6 Pinentry .....: no
	Qt5 Pinentry .....: no
	Qt4 Pinentry .....: no
	TQt Pinentry .....: no
	W32 Pinentry .....: no
	FLTK Pinentry ....: no
	Mac OS X Pinentry : yes

	Fallback to Curses: yes
	Emacs integration : yes

	libsecret ........: no

	Default Pinentry .: pinentry-macosx
    
pinentry-1.3.1.1 % make
pinentry-1.3.1.1 % sudo mkdir -p /usr/local/application
pinentry-1.3.1.1 % sudo cp -r macosx/pinentry-mac.app /usr/local/application

% sudo tee /usr/local/bin/pinentry-mac > /dev/null << 'EOF'
#!/bin/bash
exec /usr/local/application/pinentry-mac.app/Contents/MacOS/pinentry-mac "$@"
EOF
% sudo chmod +x /usr/local/bin/pinentry-mac

Verification

% echo GETPIN | pinentry-mac
posted @ 2026-05-31 11:10  UPeRVv