cannot save existing YubiKey age identity
I was just trying to set up a fresh gopass install / store with existing AGE keys.
I have an existing YubiKey age identity that I know works:
(actual content altered)
❯ age-plugin-yubikey -i
# Serial: 77777777, Slot: 1
# Name: age identity deadbeef
# Created: Thu, 12 Jan 2077 11:12:34 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Always (A physical touch is required for every decryption)
# Recipient: age1yubikey1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AGE-PLUGIN-YUBIKEY-1XXXXXXXXXXXXXXXXXXXXX
~ ❯ gopass age identities add AGE-PLUGIN-YUBIKEY-1XXXXXXXXXXXXXXXXXXXXX age1yubikey1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Error: failed to save age identity
gopass 1.15.16 go1.24.2 darwin arm64
It also looks like the entire age backend setup is borked.
Here's what happens when trying to set up gopass with the interactive setup:
# ensure we start from a clean slate
rm -rf .local/share/gopass/
rm -rf .cache/gopass/
rm -rf .config/gopass
~ ❯ gopass setup --crypto age
(gopass ASCII-art banner)
🌟 Welcome to gopass!
🌟 Initializing a new password store ...
🔐 No useable cryptographic keys. Generating new key pair
🧪 Creating cryptographic key pair (age) ...
⚠ Do you want to enter a passphrase? (otherwise we generate one for you) [y/N/q]:
Passphrase: this is not real
⚠ You need to remember this very well!
Did you save your passphrase? [Y/n/q]:
✅ Key pair for age generated
⚠ 🔐 We need to unlock your newly created private key now! Please enter the passphrase you just generated.
2025/04/23 15:43:59 failed to check private keys: failed to create new private key: failed to list private keys: failed to decrypt /Users/mz/.config/gopass/age/identities: pinentry error: pinentry error: pinentry: unexpected response: "S ERROR curses.isatty 83918950 "
Can you confirm this is also not working with gopass 1.15.16?
The curses.isatty might be an unrelated pinentry problem. Which pinentry are you using?
Does running echo GETPIN | pinentry also trigger the problem?
Can you confirm this is also not working with gopass 1.15.16?
./gopass-1.15.16-darwin-arm64/gopass age identities add AGE-PLUGIN-YUBIKEY-1XXXXXXXXXXXXXXXXXXXXX age1yubikey1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Error: failed to save age identity
Which pinentry are you using?
The one that homebrew installed when I did a brew install gopass:
❯ pinentry --version
pinentry-curses (pinentry) 1.3.1
Copyright (C) 2016 g10 Code GmbH
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Does running echo GETPIN | pinentry also trigger the problem?
Yes.
❯ echo GETPIN | pinentry
OK Pleased to meet you, process 29060
S ERROR curses.isatty 83918950
ERR 83918950 Inappropriate ioctl for device <Pinentry>
Sorry, 1.15.16 is the latest, I meant to confirm it didn't work with the previous one, 1.15.15.
Seems I cannot reproduce on my side running 1.15.16:
$ gopass setup --crypto age
(gopass ASCII-art banner)
🌟 Welcome to gopass!
🌟 Initializing a new password store ...
🔐 No useable cryptographic keys. Generating new key pair
🧪 Creating cryptographic key pair (age) ...
⚠ Do you want to enter a passphrase? (otherwise we generate one for you) [y/N/q]: y
Enter passphrase for your new keypair: this is not real
Retype passphrase for your new keypair: this is not real
✅ Key pair for age generated
⚠ 🔐 We need to unlock your newly created private key now! Please enter the passphrase you just generated.
✅ Key pair age18rxqe0g200eljcl7wf7alf956eawlxgt7vwsq7adf5ww0cmdau8ql8lydd validated
🔐 Cryptographic keys generated
🌟 Configuring your password store ...
Please enter an email address for password store git config []:
❓ Do you want to add a git remote? [y/N/q]: n
✅ Configuration written
Which further increases my belief this might be a pinentry-related issue. Maybe take a look at #1879 since it seems similar.
Running update-alternatives --display pinentry, what are your options?
Consider using update-alternatives --config pinentry to select pinentry-gnome3 instead, maybe.
Running update-alternatives --display pinentry, what are your options? Consider using update-alternatives --config pinentry to select pinentry-gnome3 instead, maybe.
Ah, I'm on darwin / macOS.
update-alternatives is not available.
Sorry, 1.15.16 is the latest, I meant to confirm it didn't work with the previous one, 1.15.15.
Interesting, 1.15.15 seems to work:
❯ gopass version
gopass 1.15.15-git+HEAD go1.24.2 darwin arm64
❯ gopass age identities add AGE-PLUGIN-YUBIKEY-.... age1yubikey1q....
Enter your PIN:
Retype your PIN:
⚠ New age identities are not automatically added to your recipient list, consider adding it using 'gopass recipients add age1yubikey1q....'
⚠ If you do not add this recipient to the recipient list, make sure to re-encrypt using 'gopass fsck --decrypt' to properly support this identity
I can confirm adding a Yubikey recipient works when pinentry works on 1.15.16:
$ gopass age identities add AGE-PLUGIN-YUBIKEY-1GKZKJQYZL98RLMC67F9PJ age1yubikey1qt2r3tfk7wvlykudm7ew28dqqm3h8ln9zfsxsq4lcd2w8rh4n4hhz46ur24
⚠ New age identities are not automatically added to your recipient list, consider adding it using 'gopass recipients add age1yubikey1qt2r3tfk7wvlykudm7ew28dqqm3h8ln9zfsxsq4lcd2w8rh4n4hhz46ur24'
⚠ If you do not add this recipient to the recipient list, make sure to re-encrypt using 'gopass fsck --decrypt' to properly support this identity
Be careful to run gopass setup --crypto age prior to adding the Yubikey identity, btw.
I think this is a macOS pinentry issue. Not sure how to solve it.
1.15.16 pulled in the latest version of age to mitigate a CVE. IIRC we were previously pinned to a specific branch that's still vulnerable.
Another change I can see related to PIN entry between v1.15.15 and v1.15.16 might be https://github.com/gopasspw/gopass/pull/3031
@twpayne how tested is your package against pinentry-curses?
@twpayne how tested is your package against pinentry-curses?
go-pinentry should be neutral with respect to the pinentry program used - it speaks the Assuan protocol which is text exchanged over stdin/stdout.
If you believe that go-pinentry is the problem, then you can build gopass with an older version of go-pinentry and report back.
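The `echo GETPIN | pinentry` check above and the note that go-pinentry only speaks Assuan over stdin/stdout suggest a small diagnostic. The script below is an added example, not part of gopass or go-pinentry: it parses an Assuan reply, recognises the `S ERROR curses.isatty` status from the thread, and can optionally run a real pinentry with `OPTION ttyname=...` (the standard pinentry option gpg-agent uses to hand a curses pinentry its terminal). The sample transcript is constructed from the reply shown in this thread.

```python
"""Probe a pinentry binary over the Assuan protocol and classify its reply."""
import os
import subprocess
from urllib.parse import unquote

# Constructed transcript, modelled on the failing reply shown in the thread.
SAMPLE_FAILURE = (
    "OK Pleased to meet you, process 29060\n"
    "S ERROR curses.isatty 83918950\n"
    "ERR 83918950 Inappropriate ioctl for device <Pinentry>\n"
)


def parse_assuan(text):
    """Split an Assuan reply into status lines, data lines and the final error."""
    result = {"err_code": None, "err_msg": None, "status": [], "data": []}
    for line in text.splitlines():
        if line.startswith("S "):        # status line, e.g. "S ERROR curses.isatty 83918950"
            result["status"].append(line[2:])
        elif line.startswith("D "):      # data line: the entered PIN, %XX-escaped
            result["data"].append(unquote(line[2:]))
        elif line.startswith("ERR "):    # "ERR <code> <message>"
            code, _, msg = line[4:].partition(" ")
            result["err_code"] = int(code)
            result["err_msg"] = msg
    return result


def classify(parsed):
    """Map a parsed reply to a short diagnosis a user can act on."""
    if parsed["err_code"] is None:
        return "pinentry answered normally"
    if any(s.startswith("ERROR curses.isatty") for s in parsed["status"]):
        return "pinentry-curses could not attach to a terminal (no usable TTY)"
    return "pinentry failed: %s" % (parsed["err_msg"] or "unknown error")


def probe(binary="pinentry", ttyname=None, timeout=30):
    """Run a minimal Assuan dialogue against `binary` and return its raw stdout."""
    dialogue = (["OPTION ttyname=%s" % ttyname] if ttyname else [])
    dialogue += ["SETDESC probe", "GETPIN", "BYE"]
    proc = subprocess.run([binary], input="\n".join(dialogue) + "\n",
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    # Hand pinentry the controlling terminal when we have one, as gpg-agent does.
    tty = os.ttyname(0) if os.isatty(0) else None
    print(classify(parse_assuan(probe(ttyname=tty))))
```

Running it once without and once with a ttyname separates "pinentry is broken" from "pinentry was started without a terminal it can use".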