Tag Archives: gpg-agent

Pinentry not working over SSH with x11forwarding (Thunderbird with Enigmail)

If you use Enigmail in Thunderbird over a SSH connection, sometimes you cannot input the passphrase for your private GPG key. pinentry-qt / pinentry-gnome3 / pinentry-gtk2 are not showing any dialog boxes.

Here is a workaround: You can cache the passphrase with gpg-agent, even if Thunderbird is already running. Enigmail will then use the cached passphrase from gpg-agent, because it runs gpg2 commands in a subshell in order to encrypt or sign messages.

Connect to the server using x11forwarding:

$ ssh -Y server

Note your DISPLAY environment variable:

$ echo $DISPLAY
localhost:10.0

Unset / delete the DISPLAY environment variable:

unset DISPLAY

Export GPG_TTY environment variable for gpg:

export GPG_TTY=$(tty)

Make sure that gpg-agent is running:

$ ps aux | grep gpg-agent
user 2058 0.0 0.0 168068 2228 ? Ss Nov10 0:07 gpg-agent --homedir /home/user/.gnupg --use-standard-socket --daemon

Insert the passphrase for your GPG key in gpg-agent by signing a dummy message. Make sure that you enter your passphrase in the pinentry tui not the gpg command prompt.

$ echo test | gpg2 --use-agent -s

The passphrase you are about to enter should be cached by gpg-agent. The cache lifetime is controlled by settings in ~/.gnupg/gpg-agent.conf . Now set the DISPLAY environment variable again to run Thunderbird. Use the value from previous command.

export DISPLAY=localhost:10.0

Start Thunderbird. You should now be able to sign and encrypt email messages with Enigmail without having to enter your gpg passphrase again because it is already cached by gpg-agent.

thunderbird &

 

Share