Can't get gnupg to work: no pinentry

Hi there,

I can’t get Gnupg to work no matter what I try. I’ve read the different topics and github issues and tried the different work-around but I’m still getting the same error when trying to generate keys : no pinentry.

In my pkgs in configuration.nix I added pinentry and pinentry-gnome, and gnupg. I tried all the different flavors of pinentry like pinentry_gnome and same thing with gnupg.

I tried them alone or together, every combination.
I also added or disabled the user agent with

#programs.gnupg.agent = {
#enable = true;
#pinentryFlavor = "gnome3";
#enableSSHSupport = true;

In the same manner, I tried this configuration alone or in combination of the pkgs.

I reloaded gnupgconf, stopped and restarted the agent, nothing works.
I have no gpg-agent.conf file somehow
Using a GUI will give the same (absence of )result

running the agent in debug mode will give this result

gpg-agent[14939]: starting a new PIN Entry
gpg-agent[14939]: can't connect to the PIN entry module '/nix/store/f9kky9505yj9sbvg2i643ikw3nw9p092-gnupg-2.2.27/bin/pinentry': IPC connect call failed
gpg-agent[14939]: DBG: error calling pinentry: No pinentry <GPG Agent>
gpg-agent[14939]: command 'GENKEY' failed: No pinentry
gpg-agent[14939]: DBG: chan_9 -> ERR 67108949 No pinentry <GPG Agent>

I’m stuck, if anyone has an idea :slight_smile:

I also struggled to get this working on my nixOS setup!

I had to enable the pcscd service.

The snippets from my configuration.nix are:

services.pcscd.enable = true;
programs.gnupg.agent = {
   enable = true;
   pinentryFlavor = "curses";
   enableSSHSupport = true;

I also have the pinentry-curses added to systemPackages.

1 Like

I use pinentryFlavor = "gtk2"; because I’ve found that all the other flavors have at least one context where they just don’t work. But gtk2 has never failed me, even when I’m only logged in remotely over SSH


I had some trouble with gnome pinentry that I fixed by setting:

services.dbus.packages = [ pkgs.gcr ];

Perhaps could be useful for you too


Thank you for you replies @ElvishJerricco and @efx , that didn’t do it unfortunately.

I have had Nixos running for 2 weeks and this is the first dead end I’m running into. In my field it’s a big one, I cannot communicate with some of my sources without pgp.
I get that there could be some path issue but this system is too new for me to understand at the moment.

I will try that right now @Misterio
EDIT : nop, didn’t do the trick…

Have you been making sure to restart gpg-agent (pkill gpg-agent) between each configuration change?

Yes I did, I used kill and reload the config, also trying independently, even tried reboot on the most “usual” combination I was trying

Let’s dig deeper.

I just remembered I had to modify my gpg-agent.conf configuration in ~/.gnupg.
Here is the contents of that file:

 $  cat ~/.gnupg/gpg-agent.conf

    debug ipc
    # disable-scdaemon
    pinentry-program /run/current-system/sw/bin/pinentry

gpgconf came in handy for debugging configuration changes.
I ran gpgconf --reload gpg-agent throughout after making changes.

I also highly recommend reading some of the GnuPG developer’s troubleshooting advice in tickets like this one.

I also remember I used @rnhmjoj’s splendid troubleshooting advice found in this closed NixOS issue.
Specifically using systemctl to see the logs from gpg-agent and restart it.

  • see the logs
systemctl --user status gpg-agent
  • restart it (this is probably better than my gpgconf --reload advice above)
systemctl --user restart gpg-agent

Thx everybody!

It works. I switched back to Guix while I needed gpg because I knew it worked over there and I knew how to install it quickly (I needed to be sure I would not take too long to get to work.)

When I reinstalled Nixos gnupg just worked with my config, so I assume it was a user error, I may have only reloaded gpg-agent and not restart it (as I was aware that I may have to do it, thx @efx for the reminder as it took me some time to find this information)
EDIT: I used the same configuration.nix file

While we are at it, what is the difference between a rebuild, a reboot and a reinstallation? Shouldn’t that be the same things? And between reloading a service and rebooting. Shouldn’t a reload be sufficient? Why not?

When I rebuild Nixos, it tells me which services are reloaded and which are not. If I carefully check those indication and eventually manually reload the one that weren’t, should I reboot? If so, how do I know a reboot may be needed?

Thank you very much for your patience and efforts :slight_smile: )

1 Like

Thanks for this tip. I just tried half an hour to get gnome3 or other settings (including the gcr workaround provided below) to work. gtk2 is the only one that works in a terminal, and in a Wayland session…

Similarly to what was mentioned above, I’m using this config for quite a long time without any problems.

  # GnuPG
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  services.pcscd.enable = true;