Environment
- macOS: Tahoe (Darwin 25.3.0)
- Agent.app version: /Applications/Agent.app (built Nov 14, 2023)
- Bundled GnuPG: 2.3.8
- Architecture: Apple Silicon (arm64)
Problem
After upgrading to macOS Tahoe, Agent.app silently terminates after some idle time (likely during sleep/wake cycles). When this happens, GPG commit signing fails with:
[GNUPG:] PINENTRY_LAUNCHED 25954 mac 1.3.1.1 - xterm-256color - - 502/20 0
gpg: signing failed: Operation cancelled
fatal: failed to write commit object
pinentry-mac shows a dialog: "Please insert the card with serial number: 3131 AFCEC5DB", indicating the smartcard daemon has lost connection to the Agent.
Workaround: Manually restarting Agent.app restores GPG signing — until the next termination.
Root Cause Analysis
The GPG signing chain is:
git commit → Keeta GPG (/Users/<user>/.keeta_agent/gnupg/bin/gpg)
→ gpg-agent → scdaemon (gnupg-pkcs11-scd)
→ libssh-agent-pkcs11-provider.dylib → SSH agent → Agent.app
When Agent.app terminates, the SSH agent becomes unavailable (ssh-add -l returns "Connection refused"), which causes scdaemon to fail to find the smartcard, resulting in the "Operation cancelled" error from pinentry.
No crash reports are generated in ~/Library/Logs/DiagnosticReports/, which suggests macOS is terminating the process (e.g., via jetsam memory pressure or App Nap) rather than the app crashing.
Additional Findings
1. gpgconf has hardcoded build paths
$ ~/.keeta_agent/gnupg/bin/gpgconf --list-components
gpg:OpenPGP:/Users/rkeene/devel/gpg-sign-se/build/pkgs/installed/gnupg-2.3.8/bin/gpg
This causes gpgconf --kill gpg-agent to fail:
gpgconf: error running '/Users/rkeene/devel/gpg-sign-se/build/pkgs/installed/gnupg-2.3.8/bin/gpg-connect-agent': probably not installed
Users cannot gracefully restart the gpg-agent without killing the process manually.
2. scdaemon version mismatch warning on startup
gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.3.8)
gpg: Note: Outdated servers may lack important security fixes.
3. Card not found on startup
gpg: OpenPGP card not available: Not found
This appears during checkCardStatus on app startup (observed when running the binary directly from terminal).
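A diagnostic sketch for the chain described above, added here as an example and not taken from Agent.app or the report. It checks the two failure points the report names: the SSH agent being unreachable and `gpgconf` components pointing at binaries that do not exist. The function names are hypothetical, and the default `gpgconf` location is assumed from the path shown in the report.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical.

# Read `gpgconf --list-components` output (name:description:path) on stdin
# and print "name<TAB>path" for every component whose path is not an
# executable file, e.g. a build-tree path baked in at compile time.
stale_gpgconf_paths() {
    while IFS=: read -r name desc path; do
        [ -n "$path" ] || continue
        [ -x "$path" ] || printf '%s\t%s\n' "$name" "$path"
    done
}

# Map the exit status of `ssh-add -l` to the state of the SSH agent link.
# OpenSSH documents: 0 = success, 1 = command failed (for -l: no
# identities), 2 = the agent could not be contacted.
agent_state() {
    case "$1" in
        0) echo "agent reachable, identities listed" ;;
        1) echo "agent reachable, no identities" ;;
        2) echo "agent unreachable" ;;
        *) echo "unknown (ssh-add exit $1)" ;;
    esac
}

# Walk the chain from the far end (the SSH agent) back towards gpg.
# Returns 0 only if the agent answers and no component path is stale.
diagnose() {
    gpgconf_bin=${1:-"$HOME/.keeta_agent/gnupg/bin/gpgconf"}
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    echo "ssh agent: $(agent_state "$rc")"
    stale=$("$gpgconf_bin" --list-components 2>/dev/null | stale_gpgconf_paths)
    if [ -n "$stale" ]; then
        echo "gpgconf components pointing at missing binaries:"
        echo "$stale"
    fi
    [ "$rc" -ne 2 ] && [ -z "$stale" ]
}

# Run only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    diagnose "${2:-}"
fi
```

Invoked with `--run` from a pre-commit hook or a wake-from-sleep trigger, a non-zero exit indicates the signing chain is broken before `git commit` reaches pinentry.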