GPG pinentry not working - adduid command fails silently

Problem

I’m trying to add a new UID to my GPG key using `gpg --edit-key`, but the `adduid` command fails silently without prompting for a passphrase.
GPG returns to the prompt immediately after showing “Secret key is needed.”

Environment

  • **NixOS**: 25.05
  • **Window Manager**: Niri (Wayland compositor, no X11)
  • **Shell**: Ion Shell
  • **Terminal**: Running in a terminal emulator under Niri (not a raw TTY)
  • **GPG Version**: 2.4.9

Current NixOS Configuration

```nix
{ pkgs, lib, config, ... }: {
  options = {
    gnupg.enable = lib.mkEnableOption "enable gnupg";
  };

  config = lib.mkIf config.gnupg.enable {
    environment.systemPackages = with pkgs; [ gnupg pinentry-curses ];
    programs.gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
      pinentryPackage = pkgs.pinentry-curses;
    };
  };
}
```

~/.config/ion/initrc:

```
export GPG_TTY = $(tty)
let _ = $(gpg-connect-agent updatestartuptty /bye)
```

Agent knows about the TTY:

```
$ gpg-connect-agent updatestartuptty /bye
OK
```

```
systemctl --user status gpg-agent.service
● gpg-agent.service - GnuPG cryptographic agent and passphrase cache
Active: active (running)
```

The Problem

When I run:

```
$ gpg --edit-key <KEY_ID>
gpg> adduid
Secret key is needed.
gpg>
```

No pinentry dialog appears. GPG just returns to the prompt without asking for the passphrase.

By adding that you’re probably running two agents. Wouldn’t be surprised if that’s the issue.

`programs.gnupg.agent` sets up a systemd service, no need to manually start an agent. The `GPG_TTY` variable is also already set for you, assuming your shell correctly inherits its environment.

It doesn’t matter if I set these two lines inside my shell, the result is always the same.
I tried bash instead of ion, also the same result.
The issue should not be the two settings inside the shell config.

You definitely shouldn’t be “setting” them anyway (those aren’t settings, technically, but anyway), you don’t want to launch a second gpg agent.

If you check `gpg -K`, is the key you want to edit listed?

I removed the settings inside my shell totally.
`gpg -K` lists my gpg-key and all the subkeys.

Does the gpg agent complain about anything? Monitor its service with `journalctl -f --user --unit gpg-agent` and then try to edit your key.

When I start watching the gpg-agent with journalctl and try to edit the key, the following messages appear:

```
journalctl -f --user --unit gpg-agent
Apr 11 08:36:45 nixos-workstation systemd[1894]: Started GnuPG cryptographic agent and passphrase cache.
Apr 11 08:36:45 nixos-workstation gpg-agent[3677]: gpg-agent (GnuPG) 2.4.9 starting in supervised mode.
Apr 11 08:36:45 nixos-workstation gpg-agent[3677]: using fd 3 for std socket (/run/user/1001/gnupg/S.gpg-agent)
Apr 11 08:36:45 nixos-workstation gpg-agent[3677]: using fd 4 for ssh socket (/run/user/1001/gnupg/S.gpg-agent.ssh)
Apr 11 08:36:45 nixos-workstation gpg-agent[3677]: listening on: std=3 extra=-1 browser=-1 ssh=4
```