I recently bought a YubiKey to accelerate my personal gpg adoption rate, which was quite modest, to say the least. This turned out to be a good decision - using this dongle is fun and setting it up was not too painful. I can only recommend the tutorial by Jeff Clement.
But one thing has been starting to bother me: each email I’d sign would pop up two windows asking me to ‘unlock my card’. While this was annoying, I don’t send that many private emails anyway, and I sign even less, so I made a mental note to fix the configuration and walked on. But when I started signing git commits, I began to wonder. The same issue here: each time I do git commit -S, a wild pop-up appears.
Well, I thought, maybe the gpg-agent is misconfigured or the cache is entirely disabled. Searching the internet for variations of ‘gpg smartcard mac pinentry popup cache’ was really unhelpful; results were rare and pretty unrelated to the problem at hand. Also, I was still convinced that this was somehow related to my Mac setup, which did not make interpreting the results any easier.
Finally, it dawned on me: RTFM! The official SmartCard-HOWTO is not that rich, but it turns out to hold all the information I needed to get started. Desperately browsing through the howto, I stumbled over the little bugger in section 3.1.1, where the items in the output of gpg --card-status are explained. One entry, Signature PIN, is documented as:
When set to “forced”, gpg requests the entry of a PIN for each signature operation. When set to “non forced”, gpg may cache the PIN as long as the card has not been removed from the reader.
After all, this is a goddamn feature of the pgp card spec! Feeling kind of stupid, I immediately ran gpg --card-edit and entered the magic sequence which finally enabled signature PIN caching:

gpg/card> admin
gpg/card> forcesig
gpg/card> quit
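Since forcesig toggles the flag rather than setting it, running the sequence twice silently re-enables the per-signature PIN prompt. The script below is an added example (not from the original post or from GnuPG itself): it reads the "Signature PIN" line from gpg --card-status output and only emits the card-edit commands when the flag is currently "forced". It assumes the plain-text format gpg --card-status prints today and that the admin step still requests the Admin PIN through pinentry.

```shell
#!/bin/sh
# Added example: check the card's "Signature PIN" state before toggling it.
# `forcesig` in gpg --card-edit flips the flag, so a blind toggle can re-enable
# the per-signature PIN prompt instead of disabling it.

# Return 0 if the card-status text says the signature PIN is forced, 1 if it
# says "not forced", 2 if the line is missing (no card inserted, etc.).
sig_pin_forced() {
  line=$(printf '%s\n' "$1" | grep '^Signature PIN' || true)
  [ -n "$line" ] || return 2
  case "$line" in
    *"not forced"*) return 1 ;;
    *forced*)       return 0 ;;
    *)              return 2 ;;
  esac
}

# Print the card-edit command sequence that disables the forced signature PIN,
# or nothing if the flag is already off or the state is unknown.
disable_forcesig_script() {
  if sig_pin_forced "$1"; then
    printf 'admin\nforcesig\nquit\n'
  fi
}

# Constructed sample outputs (abridged) in the layout gpg --card-status uses.
SAMPLE_FORCED='Reader ...........: Yubico YubiKey
Signature PIN ....: forced
Signature counter : 12'

SAMPLE_NOT_FORCED='Reader ...........: Yubico YubiKey
Signature PIN ....: not forced
Signature counter : 12'

# Dry run against the constructed samples: the first prints the sequence,
# the second prints nothing.
disable_forcesig_script "$SAMPLE_FORCED"
disable_forcesig_script "$SAMPLE_NOT_FORCED"

# Real use against an inserted card (assumption: --command-fd feeds the
# gpg/card> prompt; the Admin PIN is still asked for via pinentry):
# disable_forcesig_script "$(gpg --card-status)" | gpg --command-fd 0 --card-edit
```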