I am not sure if this is a bug or a feature, or if the problem lies with keychain or gpg-agent, so please advise. I have both gnupg-1.4.7-r1 and -1.9.21 installed, keychain-2.6.6 and pinentry-0.7.2-r3.

Let me explain the issue with an example. Suppose you create a gpg key as prescribed in the gentoo handbook: http://www.gentoo.org/doc/en/gnupg-user.xml. Say the key looks like this:

pub   1024D/AAAAAAAA 2007-08-11
uid                  John Doe <doe@null.org>
sub   2048g/BBBBBBBB 2007-08-11

where AAAAAAAA is the main key id and BBBBBBBB is the ELG encryption subkey. You add AAAAAAAA to keychain normally. Assuming no gpg-agent is running, you log in and keychain kicks off pinentry for key AAAAAAAA. You enter the passphrase. Now do this:

cd /tmp
echo hello > file
gpg --encrypt file

(Press return for the John Doe recipient.) Now, when I decrypt the file:

gpg --decrypt file.asc

gpg-agent kicks off pinentry for the passphrase to the BBBBBBBB subkey so it can decrypt the file encoded with the John Doe public key. That second request for the BBBBBBBB subkey passphrase is the problem. Why doesn't gpg-agent use the main key's passphrase for the subkey? I tried adding both AAAAAAAA and BBBBBBBB to keychain, but you only get prompted for one passphrase -- it seems to know the two keys belong together. Since there is no separate passphrase for the BBBBBBBB encryption subkey, I should not be prompted to enter that passphrase a second time. (I have my cache values set way high, so there's no caching expiration issue.) Is this a bug or a feature?

Reproducible: Always
My gpg.conf (of course) has use-agent in it.
Tried with gnupg-2.0.6, got the same result. I think you forgot to mention you are also signing the message... In future, please try to separate keychain and gnupg... Steps to reproduce:

$ gpg-agent --daemon bash
$ gpg --encrypt --sign --default-key CC629C68 --encrypt-to test9@test9 > x1
$ gpg --decrypt < x1

You get prompted twice for the passphrase, once for the signature (primary key) and once for the decryption (subkey), although they seem to have a common passphrase. I suggest you discuss this on the upstream mailing list, as it seems to be by design... "GnuPG Users" <gnupg-users@gnupg.org> I am sorry I cannot help you with this one.
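The following script is an added example, not part of the bug report or of the GnuPG or keychain projects. It reproduces the behaviour discussed above non-interactively and shows the reason for it: gpg-agent keeps the primary (signing) key and the encryption subkey as two separate secret keys, each identified by its own keygrip, and its passphrase cache is keyed by keygrip, so unlocking one does not unlock the other even when both carry the same passphrase. It assumes a modern GnuPG (2.1 or later, for --with-keygrip, --pinentry-mode loopback and gpg-connect-agent), which the 2007 versions in the report predate; the key, user id and passphrase are made up for the test.

```shell
#!/bin/sh
# Added example (not from the bug report): show that the primary key and
# the encryption subkey are two distinct secret keys (two keygrips) to
# gpg-agent, which is why sign+encrypt then decrypt asks twice.
# Assumes GnuPG >= 2.1. Key material, user id and passphrase are constructed.
set -eu

export GNUPGHOME="$(mktemp -d /tmp/gnupg.XXXXXX)"
chmod 700 "$GNUPGHOME"
PASS='correct horse battery staple'   # constructed test passphrase

# Generate a primary sign+cert key plus an encryption subkey, both
# protected by the one passphrase, as default key generation does.
gen_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
        --quick-gen-key 'John Doe <doe@null.org>' default default never \
        >/dev/null 2>&1
}

# Keygrips of all secret keys (primary and subkeys), one per line.
# In --with-colons output the "grp" record carries the keygrip in field 10.
keygrips() {
    gpg --batch --with-colons --with-keygrip --list-secret-keys 2>/dev/null \
        | awk -F: '$1 == "grp" { print $10 }'
}

# Number of distinct keygrips; 2 for primary + one encryption subkey.
count_keygrips() {
    keygrips | sort -u | wc -l | tr -d ' '
}

# Sign+encrypt a message to ourselves and decrypt it again. The passphrase
# is handed over through loopback pinentry instead of an interactive prompt;
# the agent still unlocks the signing key and the decryption subkey separately.
roundtrip() {
    printf 'hello\n' \
      | gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
            --default-recipient-self --encrypt --sign --armor 2>/dev/null \
      | gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
            --decrypt 2>/dev/null
}

# Ask the running agent what it knows: one "S KEYINFO <keygrip> ..." line per
# secret key, with a per-key cached flag. Two lines, two independent entries.
agent_keyinfo() {
    gpg-connect-agent 'keyinfo --list' /bye 2>/dev/null \
        | grep '^S KEYINFO' || true
}

main() {
    gen_key
    echo "distinct secret keygrips: $(count_keygrips)"
    keygrips
    echo "decrypted: $(roundtrip)"
    agent_keyinfo
    gpgconf --kill gpg-agent
}

main
```

Run it on a machine with GnuPG 2.1+; the two keygrip lines are the two cache entries the agent manages, and a pinentry-backed (non-loopback) run of the same roundtrip prompts once per keygrip unless the second one is already cached. Remove the temporary GNUPGHOME afterwards.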