The Will Will Web

Will's notes on what he has learned in the online world, and his technical write-ups

How to configure GnuPG's background gpg-agent and extend its passphrase cache lifetime

I now GPG-sign every git commit. On the first commit a window pops up asking for the passphrase of the OpenPGP secret key; after that, gpg-agent is started automatically in the background, and for a certain period of time the passphrase does not have to be entered again. The problem is that gpg-agent's default cache time is only 600 seconds (ten minutes), and I certainly don't commit every 10 minutes throughout the day, so this cache is effectively useless! This article shows how to change the defaults so that you only have to enter your GPG passphrase once a day.

(Screenshot of the pinentry dialog: "Please enter the passphrase to unlock the OpenPGP secret key")

Git for Windows already ships its own gpg-agent, located at C:\Program Files\Git\usr\bin\gpg-agent.exe. If you also install Gpg4win on Windows, it installs a second set of GNU Privacy Guard (GnuPG) command-line tools, which includes its own gpg-agent.

Finding the location of the gpg-agent.conf configuration file

  • Query the GPG version information

    gpg --version
    

    Linux

    $ gpg --version
    gpg (GnuPG) 2.2.20
    libgcrypt 1.8.6
    Copyright (C) 2020 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Home: /home/will/.gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    

    Windows (%AppData%\gnupg\gpg-agent.conf)

    C:\>gpg --version
    gpg (GnuPG) 2.2.23
    libgcrypt 1.8.6
    Copyright (C) 2020 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Home: C:/Users/user/AppData/Roaming/gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    

    Git for Windows (%userprofile%\.gnupg\gpg-agent.conf)

    gpg (GnuPG) 2.2.27-unknown
    libgcrypt 1.8.7
    Copyright (C) 2021 Free Software Foundation, Inc.
    License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Home: /c/Users/user/.gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    

    🔥 In the version output above, the Home: field shows the GnuPG home directory, and that directory is where the gpg-agent.conf file lives!

  • Common gpg-agent.conf paths

    Linux / macOS

    ~/.gnupg/gpg-agent.conf
    

    Windows (run gpg --version to confirm which path is actually in use)

    %AppData%\gnupg\gpg-agent.conf
    
    %userprofile%\.gnupg\gpg-agent.conf
    

Adjusting the gpg-agent cache lifetime

  • Example gpg-agent.conf contents that extend the cache lifetime

    default-cache-ttl 86400
    max-cache-ttl 604800
    

    Unit: seconds

    default-cache-ttl makes the cached passphrase expire automatically after 24 hours. If the cache is used during that period, the timer is reset and the expiry is pushed out to 24 hours from that moment.

    max-cache-ttl is set to 7 days, meaning that once the seventh day is reached you must enter the passphrase again no matter how recently the cache was used.

  • Reload the gpg-agent.conf settings

    gpgconf --reload gpg-agent
    
  • Show the settings gpg-agent is currently using

    gpgconf --list-options gpg-agent
    
    Monitor:1:0:Options controlling the diagnostic output:0:0::::
    verbose:12:0:verbose:0:0::::
    quiet:8:0:be somewhat more quiet:0:0::::
    Configuration:1:0:Options controlling the configuration:0:0::::
    disable-scdaemon:8:1:do not use the SCdaemon:0:0::::
    enable-ssh-support:0:0:enable ssh support:0:0::::
    ssh-fingerprint-digest:24:2:use ALGO to show ssh fingerprints:1:1:ALGO:"md5::
    enable-putty-support:0:0:enable putty support:0:0::::
    Debug:1:1:Options useful for debugging:0:0::::
    debug-level:26:1:set the debugging level to LEVEL:1:1:LEVEL:"none::
    log-file:8:1:write server mode logs to FILE:32:1:FILE:::
    Security:1:0:Options controlling the security:0:0::::
    default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::86400
    default-cache-ttl-ssh:24:1:expire SSH keys after N seconds:3:3:N:1800::
    max-cache-ttl:24:2:set maximum PIN cache lifetime to N seconds:3:3:N:7200::604800
    max-cache-ttl-ssh:24:2:set maximum SSH key lifetime to N seconds:3:3:N:7200::
    ignore-cache-for-signing:8:0:do not use the PIN cache when signing:0:0::::
    allow-emacs-pinentry:8:1:allow passphrase to be prompted through Emacs:0:0::::
    grab:8:2::0:0::::
    no-allow-external-cache:8:0:disallow the use of an external password cache:0:0::::
    no-allow-mark-trusted:8:1:disallow clients to mark keys as "trusted":0:0::::
    no-allow-loopback-pinentry:8:2:disallow caller to override the pinentry:0:0::::
    Passphrase policy:1:1:Options enforcing a passphrase policy:0:0::::
    enforce-passphrase-constraints:8:2:do not allow bypassing the passphrase policy:0:0::::
    min-passphrase-len:24:1:set minimal required length for new passphrases to N:3:3:N:8::
    min-passphrase-nonalpha:24:2:require at least N non-alpha characters for a new passphrase:3:3:N:1::
    check-passphrase-pattern:24:2:check new passphrases against pattern in FILE:32:1:FILE:::
    max-passphrase-days:24:2:expire the passphrase after N days:3:3:N:0::
    enable-passphrase-history:8:2:do not allow the reuse of old passphrases:0:0::::
    pinentry-timeout:24:1:set the Pinentry timeout to N seconds:3:3:N:0::
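
To tie the steps above together (locate the GnuPG home directory, write the two TTL lines into gpg-agent.conf, reload the agent, and read the values back from gpgconf), and to make the difference between the two TTLs concrete, here is an added POSIX shell script. It is not code from the original post; the function names (gnupg_home, set_agent_option, agent_option_value, check_agent_ttl, passphrase_expired) are my own, and the sample listing mentioned in the comments is constructed from the gpgconf output shown above. The field layout it parses is gpgconf's own: in `gpgconf --list-options` each record is colon-separated, field 1 is the option name, field 8 the built-in default and field 10 the value currently in effect.

```shell
#!/bin/sh
# Added example (not from the original post): provision and verify the
# gpg-agent cache TTLs, and model how default-cache-ttl and max-cache-ttl
# interact.  Function names are this script's own.

# Resolve the GnuPG home directory.  gpgconf knows the real value (the "Home:"
# line of `gpg --version`); fall back to $GNUPGHOME or ~/.gnupg when gpgconf
# is not installed, which also lets the helpers below run offline.
gnupg_home() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs homedir
    else
        printf '%s\n' "${GNUPGHOME:-$HOME/.gnupg}"
    fi
}

# Set (or replace) one "key value" line in a gpg-agent.conf file.  Running it
# twice leaves a single line, so repeated provisioning never accumulates
# conflicting default-cache-ttl entries.  The file is kept mode 600.
set_agent_option() {
    conf=$1; key=$2; value=$3
    tmp=$(mktemp)
    if [ -f "$conf" ]; then
        # drop any existing line for this key (leading whitespace tolerated);
        # grep exits 1 when nothing is left, which is not an error here
        grep -v -E "^[[:space:]]*$key([[:space:]]|$)" "$conf" > "$tmp" || true
    fi
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$conf"
    chmod 600 "$conf"
}

# Parse the colon-separated records of `gpgconf --list-options gpg-agent`
# from stdin and print the effective value of one option: field 10 when set,
# otherwise the built-in default in field 8.  gpgconf percent-escapes colons
# inside fields, so splitting on ':' is safe; string values carry a leading
# double quote, which is stripped.
agent_option_value() {
    key=$1
    awk -F: -v k="$key" '$1 == k { v = ($10 != "") ? $10 : $8; sub(/^"/, "", v); print v }'
}

# Return 0 when both TTLs in a gpgconf listing match the expected values,
# 1 otherwise, so a bootstrap script can fail loudly if the reload was missed.
check_agent_ttl() {
    listing=$1; want_default=$2; want_max=$3
    got_default=$(printf '%s\n' "$listing" | agent_option_value default-cache-ttl)
    got_max=$(printf '%s\n' "$listing" | agent_option_value max-cache-ttl)
    [ "$got_default" = "$want_default" ] && [ "$got_max" = "$want_max" ]
}

# Model the two TTLs: default-cache-ttl is a sliding window that every cache
# hit restarts, while max-cache-ttl counts from the moment the passphrase was
# entered and cannot be extended.  All arguments are epoch seconds.
# Returns 0 (true) when the passphrase has to be entered again.
passphrase_expired() {
    entered=$1; last_use=$2; now=$3; default_ttl=$4; max_ttl=$5
    [ $((now - last_use)) -ge "$default_ttl" ] || [ $((now - entered)) -ge "$max_ttl" ]
}

# Live run: write the values from the post, reload, and verify.
apply_live() {
    conf="$(gnupg_home)/gpg-agent.conf"
    set_agent_option "$conf" default-cache-ttl 86400    # 24 h sliding window
    set_agent_option "$conf" max-cache-ttl 604800       # 7 d hard ceiling
    gpgconf --reload gpg-agent
    if check_agent_ttl "$(gpgconf --list-options gpg-agent)" 86400 604800; then
        echo "gpg-agent cache TTLs applied"
    else
        echo "gpg-agent did not pick up the new TTLs" >&2
        exit 1
    fi
}

# Only touch the real configuration when explicitly asked:  sh script.sh apply
if [ "${1:-}" = "apply" ] && command -v gpgconf >/dev/null 2>&1; then
    apply_live
fi
```

Run it as `sh gpg-agent-ttl.sh apply` to change the live configuration; without the argument it only defines the helpers. The check after the reload matters in practice: if gpg-agent.conf is in the wrong home directory (the Gpg4win and Git for Windows agents use different ones, as the version output above shows), the file edit silently has no effect and the listing still reports 600 and 7200.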
    

Stopping the gpg-agent background process

If you want to stop gpg-agent right away, the following command does it:

gpgconf --kill gpg-agent
