Like already described here i got still problems by using subkeys with gpg-agent in keychain up to 2.8.2..

Just got it to work by this stupid workaround:

diff --git a/usr/bin/keychain b/usr/bin/keychain-modified
index 5f0bf9d..3b8b1f8 100755
--- a/usr/bin/keychain
+++ b/usr/bin/keychain-modified
@@ -981,7 +981,11 @@ gpg_listmissing() {
        for glm_k in "$@"; do
                # Check if this key is known to the agent.      Don't know another way...
                if echo | env -i GPG_TTY="$GPG_TTY" PATH="$PATH" GPG_AGENT_INFO="$GPG_AGENT_INFO" \
-                               gpg --no-options --use-agent --no-tty --sign --local-user "$glm_k" -o- >/dev/null 2>&1; then
+                               gpg --no-options --use-agent --no-tty --sign --local-user "$glm_k" -o- >/dev/null 2>&1 && \
+                               echo > /tmp/test && gpg --use-agent --quiet --batch --encrypt -r "$glm_k" /tmp/test && \
+                               gpg --use-agent --quiet --batch --decrypt /tmp/test.gpg; then
+                       rm -f /tmp/test && rm -f /tmp/test.gpg
+
                        # already know about this key
                        mesg "Known gpg key: ${CYANN}${glm_k}${OFF}"
                        continue

If not, then this is a feature request.

I just updated openssh on my cygwin and ssh-keygen has a new form of output:

$ ssh-keygen -l -f ~/.ssh/id_rsa
4096 SHA256:n2CLvs7hleghcyPIf/oyNVQKCuOxMXctIzKlLga3vL4 user@machine (RSA)

This makes keychain output this when I open a new terminal:

 * Warning: Can't determine fingerprint from the following line, falling back to filename

When i try to use the fish shell, i enter the needed snippet in my fish config, but i get these errors:
`Unsupported use of '='. In fish, please use 'set SSH_AUTH_SOCK /tmp/ssh-xnA5AcVFHhKY/agent.1204'.

• (line 1): SSH_AUTH_SOCK=/tmp/ssh-xnA5AcVFHhKY/agent.1204; export SSH_AUTH_SOCK;
  ^
  from sourcing file -
  called on line 67 of file ~/.config/fish/config.fish

from sourcing file ~/.config/fish/config.fish
called during startup

Unsupported use of '='. In fish, please use 'set SSH_AGENT_PID 1206'.

• (line 2): SSH_AGENT_PID=1206; export SSH_AGENT_PID;
  ^
  from sourcing file -
  called on line 67 of file ~/.config/fish/config.fish

from sourcing file ~/.config/fish/config.fish
called during startup

`

And even if i just use this command, instead of the recommended
# keychain alternative ?? if status --is-interactive; keychain ~/.ssh/id_rsa end

i get the problem, that i can't really can't use my ssh keys.

A way to get just the KEY=value settings (without the export that --eval makes) for agents would be nice for systemd to be able to get the settings to pass on to other services.

Maybe a --systemd flag to have keychain call "systemctl --user set-environment ..." itself would be useful?

Do not forget to add ForwardAgent yes in /etc/ssh/ssh_config

please push out tags corresponding to cut points of releases

currently zero releases are present as no git tags have been pushed (created):
https://github.com/funtoo/keychain/releases

it would be interesting to see what changes have been made since last release, but as no tags are present, can't really see

In http://www.funtoo.org/Keychain, the first fish example is truncated. I suppose it should be:

if status --is-interactive
  keychain --eval --quiet -Q id_rsa | source
end

Hello,

after moving from Linux to Free/PC-BSD I have problem invoking gpg-agent via keychain, iow. when I try:

gour@atmarama ~> keychain --eval -Q 52B5C810 | source

 * keychain 2.8.0 ~ http://www.funtoo.org
 * Starting ssh-agent...
 * Warning: can't find 52B5C810; skipping

although the above key is present and pinentry-gtk-2 dialog is invoked when I e.g. launch Emacs where it 's required by mu4e client

I also noticed that the problem might be with the following:

gour@atmarama ~> keychain --agents gpg,ssh

 * keychain 2.8.0 ~ http://www.funtoo.org
ps: illegal argument: gour
usage: ps [-aCcdefHhjlmrSTuvwXxZ] [-O fmt | -o fmt] [-G gid[,gid...]]
          [-J jid[,jid...]] [-M core] [-N system]
          [-p pid[,pid...]] [-t tty[,tty...]] [-U user[,user...]]
       ps [-L]
 * Starting gpg-agent...
 * Starting ssh-agent...

Let me say that I use fish-shell and trying to invoke keychain with:

# Keychain
if status --is-interactive
   keychain --eval --quiet -Q id_rsa | source
   keychain --eval --quiet -Q 52B5C810 | source
end

Any hint what might be the problem?

In my environment, we generally use a suffix for ALL PKI related files, including the private key (e.g. .pub, .pem, .ppk, etc). This confuses keychain which spits out a warning and then fails.

My first take at fixing this on my system was to add additional logic to strip off the last file suffix if the first approach failed. This seemed okay for my purposes, and perhaps others too. But perhaps it would be more robust to match on either a signature OR a filename, so that regardless of the name (or even existance) of the public key, one could still proceed reasonably. Comments?

Hello.

I use gpg-agent with --enable-ssh-support with keys on the yubikey (can be any smartcard compatible hardware).

keychain called like this

eval keychain --eval --agents ssh gpg --inherit any

does not inherit pid and sock of the gpg-agent (that's faking ssh-agent) and I can use only one of them at once, but not both.

Ideally keychain would inherit other already running agents and if there's no valid key in .ssh then it should ask them 'hey, maybe you can help with authentication to something I don't have key for'.

Reproducing it does not require any hardware, just an 'authenticating' gpg key exported to SSH format and a few lines in bash/zsh. Happy to provide them if you don't have already.

In a Debian Jessie, I've installed keychain=2.8.1-0.1 (from stretch repo), as I wanted the listing keys feature. If I didn't imported any key, I get:

$ keychain -l
/usr/bin/keychain: 1537: [: end: unexpected operator
end

Cloning this repo (tag 2.8.1) and executing the keychain.sh directly, says the same but line 1375.
If having more than one, prints the ¿fingerprint? and says something similar.

See https://www.gnupg.org/faq/whats-new-in-2.1.html#autostart for details.
I'm running gpg v2.1 and keychain is able to start the gpg agent.

However pidf files for gpg are empty in ~/.keychain. This lead to this warning Warning: GPG_AGENT_INFO in environment is invalid; ignoring it everytime keychain checks for the agent.
Also --write-env-file has no effect in this gpg version.

Regards

Hi,

I'm using Keychain like this in my .bashrc

eval `keychain --inherit any --eval id_rsa A84A216F`

I use GPGTools' GPG Suite Beta 5 on OS X Yosemite.

Keychain's start command for gpg-agent is

start_out=`gpg-agent --daemon $start_gpg_timeout 2>/dev/null`

However, /usr/local/MacGPG2/bin/gpg-agent returns exit code 2 if launched with --daemon and the agent was already running ("a gpg-agent is already running - not starting a new one"). (It returns exit code 0 if launched as just gpg-agent, but I don't think this is the solution).

I believe Keychain expects this return code to be 0, and so errors before attempting to load my GPG key.

I expected Keychain to detect that gpg-agent was already and continue loading, not for it to error.

I think I have a fix, which is to accept exit code 2 in addition to 0, but am unsure how that affects other platforms. I'll submit a PR shortly.

In ssh config files host options I.E. IdentityFile may be case insensitive. The following will cause keychain to not find the github.com key when run with keychain -c github.com

Host github.com
    User git
    IDENTITYFILE ~/.ssh/keys/github.com

Looks like ssh-add -l (as of openssh-clients-6.7p1-2.fc22.x86_64 at least) has a new (unrecognized) output format:

2048 SHA256:XXXXX .../AAA (RSA)
2048 SHA256:XXXXX .../BBB (RSA)
2048 SHA256:XXXXX .../CCC (RSA)
4096 SHA256:XXXXX .../DDD (RSA)
4096 SHA256:XXXXX .../EEE (RSA)

I would like to start the gpg-agent with --allow-preset-passphrase but this does not seem to be possible without patching keychain.

I get the following when running on debian stable and bash 4.4.11:

localhost:~ uname -a
Linux localhost 3.14.0 #1 SMP PREEMPT Wed Apr 5 13:09:13 PDT 2017 x86_64 GNU/Linux
localhost:~ keychain

 * keychain 2.8.2 ~ http://www.funtoo.org
/usr/bin/keychain: 2: eval: Syntax error: Unterminated quoted string

This is a fairly recent error, probably in the last week? Haven't changed anything in my config, I usually call the following in my .profile (also gives the same error):

eval "$(keychain --eval --noask --agents ssh --quiet)"

Tested on Ubuntu Xenial.

When reading .ssh/config, keychain uses the "[[" bash builtin. However, the shebang is running the script as "/bin/sh". Calling it through "bash keychain ..." works for me, but I just wondered if "[[" should work and something else is wrong?

I'm running OSX 10.9.5

% keychain --agents ssh --inherit any --confhost

 * keychain 2.8.0 ~ http://www.funtoo.org
 * Inheriting ssh-agent (36488)
/opt/local/bin/keychain: line 1155: declare: -A: invalid option
declare: usage: declare [-afFirtx] [-p] [name[=value] ...]
/opt/local/bin/keychain: line 1165: *.somewhere.com: syntax error: operand expected (error token is "*.somewhere.com")

darwin only has bash 3 and declare does not seem to support -A. Even when I install bash4 with port I still get:

/opt/local/bin/keychain: line 1165: keypaths["$h"]: bad array subscript

It would be nice to have an option not to enter manually pass-phrase on start but request it on first usage instead.

In the OSX example usage section the command:

eval `keychain --eval --agents ssh --inherit all id_dsa`

Should be:

eval `keychain --eval --agents ssh --inherit any id_dsa`

Instead, .keychain is appended. Since I see the comment says "be backwards compatible", maybe a way to set "absolute directory" is in order?

D-Bus is another service which would be convenient to control with keychain.

I don't know if it's a bug, or an improvement idea :

When I use SCP to another server, which has not already load the key, the prompt is blocked, key isn't asked ...
But using SSH, key is correctly asked.

Of course, for SCP, the workaround is '--noask' option.
But I need to be prompted when I launch SSH (and not SCP.. )

Maybe it could be a way to do that ? Detect when prompting if SCP or SSH has been entered ?

SSH config files can have regular expressions that will apply options to any matching hostname. For example consider the following:

Host myhost-*
  IdentityFile ~/.ssh/keys/myhostkey

Host myhost-external
  Hostname external_url
  Port 2222
Host myhost-internal
  Hostname internal_url
  Port 22

keychain will fail to find the private key for myhostkey because myhost-* won't match the keyname, however this is a perfectly legal ssh config.

see https://bugs.funtoo.org/browse/FL-2231

When I use --agents ssh,gpg instead of --agents gpg,ssh the output I get is not csh compatible.

WIth gpg agent, the --timeout only influences the --default-cache-ttl option.
If somebody wants to set this longer than 2 hours, I guess that this will have no effect unless also the --max-cache-ttl option is used (or unless the user changes the default for max-cache-ttl in his local .gnupg options). Thus, I suggest to set --max-cache-ttl either automatically to a huge value or at least introduce some extra option to keychain so that the user can do this without overriding his local .gnupg configuration.

I am trying to cache the password for an SSH key, but I am still prompted for passphrase after initially entering it upon loading my first shell. I am using an EdDSA key. Ubuntu 16.04 & Keychain 2.8.1

In my ~/.zshrc I have:
keychain --eval --quiet --nogui id_ed25519 > /dev/null

Running keychain -l gives me:

/usr/bin/keychain: 1537: [: SHA256:+SSHKEYPRIVATEINFORMATION: unexpected operator
SHA256:+SAMEOUTPUTOFSSHKEYPRIVATEINFORMATION
/usr/bin/keychain: 1537: [: end: unexpected operator
end

Thanks for your help Daniel!

On OS X using homebrew, keychain is pretty unusable if you want to use openssh or gnupg/gnupg2 from homebrew since keychain overrides path and hombrew installs everything into /usr/local/bin.

I'd suggest not setting/overriding it at all.

I'm starting up keychain as port of my shell login-script. And I normally have a KDE "konsole" window containing several shell sub-windows (tabs).

Now when logging in, each shell processes the login-script (.bash_profil) and each shell starts keychain. So I end up with six or even more keychain dialog-boxes in parallel.

I would appreciate if keychain would implement some locking to avoid this. Thanks!

Under OpenSUSE 42.1, gpg 2.1.15 and keychain 2.8.3 (current master), after eval "$(keychain --agents gpg ---eval 99999999)" (some key) and entering the correct passphrase in the pinentry-program, the entered passphrase does not persist in cache.

Instead, the pinentry-program asks again for the passphrase the next time needed. (For example, eval "$(keychain --agents gpg ---eval 99999999)" will also ask for the passphrase again.)

when installing the mac osx package the installer doesn't make the script /usr/bin/keychain executable. current have to chmod 755 /usr/bin/keychain after install.

Adding a git tag to the repo will create a versioned tarball; we've had a packaging request at Homebrew and we prefer to use versioned tarballs instead of git commits when possible:

Homebrew/legacy-homebrew#23901

Thanks.

It seems that the agent is started but didn't add any keys

horsleyli@horsleyli-asus:~$ cat ~/.bash_profile 
#!/bin/sh
/usr/bin/keychain $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh

horsleyli@horsleyli-asus:~$ ll ~/.ssh
total 28
drwx------  2 horsleyli horsleyli  4096 12月 11 00:29 ./
drwxr-xr-x 61 horsleyli horsleyli  4096  2月 24 01:35 ../
-rw-------  1 horsleyli horsleyli  1743  1月 22  2014 id_rsa
-rw-------  1 horsleyli horsleyli   483  7月 27  2013 id_rsa.pub
-rw-r--r--  1 horsleyli horsleyli 11052  2月 15 13:23 known_hosts
horsleyli@horsleyli-asus:~$ ssh-add -l
The agent has no identities.
horsleyli@horsleyli-asus:~$

Loading ssh-agent and gpg-agent simultaneously (for probably a lot of users) is a waste of resources in a time when now gpg-agent can provide all features of ssh-agent with --enable-ssh-support.

In a sense, this is a dupe of issue #58, but it requests for more: IMHO, it should not only be possible to make use of a running gpg-agent with --enable-ssh-support but also to have a possibility to use this option when starting gpg-agent from within keychain.

It might be impossible to autodetect whether gpg-agent ssh-support (that's why perhaps issue #58 is unfixable), but I suggest a new --agents item, e.g. "gpg+ssh" or "gpg-ssh" to assume/guarantee that the running gpg agent is started with --enable-ssh-support.

current shebang is marked as #/bin/sh

however the code (2.8.0) is not compatible with /bin/sh being mksh-50d-5.x86_64:

/usr/bin/keychain[59]: shopt: not found

ps: 2.7.1 was fine.

i would love if keychain supported inheriting gnome keyring variables.

my use scenario: i launch desktop session and it launches gnome keyring. now i ssh in to that machine, i would like to reuse that gnome-keyring session. for that it's needed to export GNOME_KEYRING_CONTROL variable, and perhaps GNOME_KEYRING_PID if intending to stop it

GNOME_KEYRING_CONTROL=/run/user/500/keyring-NK834z
GNOME_KEYRING_PID=1928

USER       PID  PGRP                  STARTED TT          VSZ   RSS STAT CMD
glen      1928  1868 Tue Jun 10 11:33:52 2014 ?        370056  5328 SLl  gnome-keyring-daemon --start

to start a new ageng you can invoke:

gnome-keyring-daemon --start

and maybe even specify components --components=pkcs11,secrets,ssh,gpg:

$ gnome-keyring-daemon --help
gnome-keyring-daemon: insufficient process capabilities, unsecure memory might get used
Usage:
  gnome-keyring-daemon [OPTION...] - The Gnome Keyring Daemon

Help Options:
  -h, --help                                  Show help options

Application Options:
  -s, --start                                 Start a dameon or initialize an already running daemon.
  -r, --replace                               Replace the daemon for this desktop login environment.
  -f, --foreground                            Run in the foreground
  -d, --daemonize                             Run as a daemon
  -l, --login                                 Run by PAM for a user login. Read login password from stdin
  -c, --components=pkcs11,secrets,ssh,gpg     The optional components to run
  -C, --control-directory                     The directory for sockets and control data
  -V, --version                               Show the version number and exit.

I've just updating from keychain 2.7.1 to take advantage of a bug fix. But the command line interface seems to have changed. In 2.7.1

  keychain DEADBEEF

seems to work fine for adding a GPG key. While in 2.8.2 I have to do

 keychain --agents gpg DEADBEEF

Otherwise, I get the slightly obscure "can't find DEADBEEF; skipping" warning.

Fantastic tool BTW, been using it for years.

The entire GPG_AGENT_INFO mechanism was apparently removed, and so starting gpg-agent no longer outputs anything that can be used to get the pid. I'm not sure what the fix here should be.

It only applies to ssh-agent. Is there a way to make it also apply to the gpg keys that are loaded into memory?

I am happily using keychain for my SSH keys in Cygwin on Windows. Now Cygwin is shipped with old GPG with no gpg-agent.
I have successfully setup my installation of gpg4win which ships Gnupg v2+ on Windows and I am able to use gpg-agent from within Cygwin.
Now gpg-agent is not on PATH and is started with gpg-connect-agent.exe.
Do keychain use gpg-connect-agent.exe?

I am trying to load a key like this

keychain ~/.ssh/build.pem

* Warning: Cannot find public key for ~/.ssh/build.pem

using ssh-add works fine.
ssh-add ~/.ssh/build.pem
Identity added: ~.ssh/build.pem (~/.ssh/build.pem)`

After updating my MacBook to 'El Capitan' keychain stopped working.

keychain -l should behave in the same way that ssh-add -l does.

I have (according to http://www.funtoo.org/Keychain)

eval `keychain --eval --agents ssh,gpg id_rsa 370D5DFF`
eval `source ~/.keychain/$HOSTNAME-sh`
eval `source ~/.keychain/$HOSTNAME-sh-gpg`

in my ~/.bash_profile.

source ~/.bash_profile gives the following error:

* keychain 2.8.1 ~ http://www.funtoo.org
 * Found existing ssh-agent: 2278
 * Starting gpg-agent...
 * Known ssh key: /home/wilk/.ssh/id_rsa
 * Adding 1 gpg key(s): 370D5DFF
 * Error: Problem adding (is pinentry installed?); giving up

However, there is no error when this ~/.bash_profile is sourced by logging through ssh into the machine. Any idea what could be wrong ?

It seems that I am only able to story the passphrase throught "su - username", but not through "sudo -u username bash ...".

Therefore, it seems that there is no way for me to story the passphrase for www-data, so that a cgi script called by apache can keylessly access a remote server through ssh.

Is my understanding correct?

sudo -u www-data -H bash -c 'keychain $HOME/.ssh/id_rsa; bash $HOME/.keychain/$HOSTNAME-sh'

enter passphrase...

sudo -u www-data ssh host1

it will ask for the passphrase for id_rsa.

I know bugs should be reported on Jira but I don't have any account there and I did not find a way to create one, so here is my bug report.

Since I update from keychain 2.7.1 to 2.8.1, whenever I open up a new shell, keychain keeps asking me to enter my passphrase for one of my two keys.

Here is the config I have in my zshrc:

keychain ~/.ssh/id_rsa ~/.ssh/id_rsa.perso
. ~/.keychain/$(hostname)-sh
. ~/.keychain/$(hostname)-sh-gpg

So keychain asks me the passphrase for id_rsa.perso. Always... It does not "know" id_rsa.perso.:

* keychain 2.8.2 ~ http://www.funtoo.org
* Found existing ssh-agent: 1837
* Known ssh key: /home/XXX/.ssh/id_rsa
* Adding 1 ssh key(s): /home/XXX/.ssh/id_rsa.perso
Enter passphrase for /home/XXX/.ssh/id_rsa.perso:

But if I enter my passphrase once and then hit Ctrl+C on subsequent messages telling me to enter my passphrase, everything works fine.

With 2.7.1, this did not happen. I entered my passphrase once and subsequent calls found the key was loaded.

I'm running on Gentoo, kernel 4.1.15-r1.

It seems the output of gpg -k changed in gpg v2: it displays the whole 40-something digits of the key. Since keychain uses this output, the 8 digits used in the examples of http://www.funtoo.org/Keychain don't work anymore. For my setup (gpg 2.11.15 on Ubuntu 16.10) , the following patch fixes this problem:

*** /usr/bin/keychain   2016-10-27 00:35:13.992931873 +0200
--- /usr/bin/keychain~  2015-09-14 10:02:06.000000000 +0200
***************
*** 1076,1082 ****
        # Check for gpg
        if wantagent gpg; then
            if [ -z "$pm_gpgsecrets" ]; then
!               pm_gpgsecrets="`gpg --list-secret-keys 2>/dev/null | cut -d/ -f2 | cut -d' ' -f7 | xargs`"
                [ -z "$pm_gpgsecrets" ] && pm_gpgsecrets='/'    # arbitrary
            fi
            case " $pm_gpgsecrets " in *" $pm_k "*)
--- 1076,1082 ----
        # Check for gpg
        if wantagent gpg; then
            if [ -z "$pm_gpgsecrets" ]; then
!               pm_gpgsecrets="`gpg --list-secret-keys 2>/dev/null | cut -d/ -f2 | cut -d' ' -f1 | xargs`"
                [ -z "$pm_gpgsecrets" ] && pm_gpgsecrets='/'    # arbitrary
            fi
            case " $pm_gpgsecrets " in *" $pm_k "*)
](url)