YubiKey GPG Signature Pin

I recently bought a YubiKey to accelerate my personal gpg adoption rate, which was quite modest, to say the least. This turned out to be a good decision - using this dongle is fun and setting it up was not too painful. I can only recommend the tutorial by Jeff Clement.

But one thing has been starting to bother me: each email I’d sign would pop up two windows asking me to ‘unlock my card’. While this was annoying, I don’t send that many private emails anyway, and I sign even fewer, so I made a mental note to fix the configuration and walked on. But when I started signing git commits, I began to wonder. The same issue appeared there: each time I do git commit -S, a wild pop-up appears.

Well, I thought, maybe the gpg-agent is misconfigured or the cache is entirely disabled. Searching the internet for variations of ‘gpg smartcard mac pinentry popup cache’ was really unhelpful: results were rare and pretty unrelated to the problem at hand. Also, I was still convinced that this was somehow related to my Mac setup, which did not make interpreting the results any easier.

Finally, it dawned on me: RTFM! The official SmartCard-HOWTO is not that rich, but turns out to hold all the information I needed to get started. Desperately browsing through the howto, I stumbled over the little bugger in section 3.1.1, where the items in the output of gpg --card-status are explained. One entry - Signature PIN - is documented as

When set to “forced”, gpg requests the entry of a PIN for each signature operation. When set to “non forced”, gpg may cache the PIN as long as the card has not been removed from the reader.

After all, this is a goddamn feature of the pgp card spec! Feeling kind of stupid, I immediately ran gpg --card-edit and entered the magic sequence which finally enabled signature PIN caching.

gpg/card> admin
gpg/card> forcesig
gpg/card> quit
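As an added example (not part of the original post), here is a small POSIX shell check that reads the Signature PIN line from gpg --card-status before touching the card, because forcesig toggles the flag: running it a second time switches PIN-per-signature back on. The parser is exercised on constructed sample lines; the live helper assumes a gpg 2.x that prints "Signature PIN ....: forced" or "not forced" and accepts scripted input via --command-fd.

```shell
#!/bin/sh
# Added example, not from the original post. forcesig TOGGLES the
# "Signature PIN" flag, so check the current mode before running it.

# Parse 'gpg --card-status' text on stdin and print "forced" or
# "not forced". Returns 1 if no Signature PIN line is present
# (no card inserted, unsupported gpg version, ...).
sig_pin_mode() {
  mode=$(sed -n 's/^Signature PIN *\.*: *\(.*\)$/\1/p' | head -n 1)
  [ -n "$mode" ] || return 1
  printf '%s\n' "$mode"
}

# Constructed sample lines in the gpg 2.x --card-status format,
# so the parser can be exercised without a card.
SAMPLE_FORCED='Signature PIN ....: forced'
SAMPLE_CACHED='Signature PIN ....: not forced'

# Live use: only toggle when the card currently forces a PIN per
# signature. The 'admin' / 'forcesig' / 'quit' sequence is the one
# from the post; gpg will still ask for the Admin PIN via pinentry.
ensure_sig_pin_cached() {
  mode=$(gpg --card-status 2>/dev/null | sig_pin_mode) || {
    echo "no OpenPGP card with a Signature PIN entry found" >&2
    return 1
  }
  if [ "$mode" = "forced" ]; then
    printf 'admin\nforcesig\nquit\n' | gpg --command-fd 0 --card-edit
  else
    echo "Signature PIN is already '$mode'; nothing to do."
  fi
}
```

With the flag set to "not forced", anything that can talk to your gpg-agent can sign without a PIN prompt for as long as the card stays in the reader, so pull the key when you step away from the machine.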