gpg: can’t connect to the agent: IPC connect call failed

This was a fun one to solve.

I keep my GPG keys on a vFat USB drive as I don’t want to keep a copy on every machine that I use. Previously, I used Ubuntu and it worked fine as GPG used gnome-keyring to manage the keys. After upgrading to Arch however, I needed to run gpg-agent myself.

The error looked something like this:

$ gpg --decrypt some-file
gpg: DBG: locking for '/home/michael/.gnupg/gnupg_spawn_agent_sentinel.lock' done via O_EXCL
gpg: can't connect to the agent: IPC connect call failed
gpg: encrypted with 2048-bit RSA key, ID 5C14441F, created 2014-08-19
      "Michael Heap <[email protected]>"
gpg: decryption failed: No secret key

I thought, “that’s fine, I’ll start GPG agent”:

$ gpg-agent --daemon

gpg-agent[12228]: error binding socket to '/home/michael/.gnupg/S.gpg-agent': Operation not permitted

This is because S.gpg-agent is a socket and you can’t create sockets on vFat devices. Previously we could have used the --no-use-standard-socket option, but that was removed in gnupg v2.

The solution is to create a redirection file at ~/.gnupg/S.gpg-agent that points to a socket path on a filesystem that does support sockets:

$ printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent\n' > ~/.gnupg/S.gpg-agent

It should look like this:

$ cat .gnupg/S.gpg-agent 

%Assuan%
socket=/dev/shm/S.gpg-agent

Now if we run gpg-connect-agent to test, it should come up fine.

Michael is a polyglot software engineer, committed to reducing complexity in systems and making them more predictable. Working with a variety of languages and tools, he shares his technical expertise to audiences all around the world at user groups and conferences. You can follow @mheap on Twitter

Thoughts on this post

Boyd Waters 2016-05-31

God bless you sir for posting this one.

There was absolutely no feedback from GPG to give me a clue. Was setting up on OpenBSD, which is new to me, and I figured I was missing some OpenBSD init…

bw 2016-12-28

At first I figured it was my own gpg setup to blame.
I have a masterkey with subkeys that do not contain the secret part as they only reside on the stick… yes FAT stick… (So I set GNUPGHOME to point to my stick if I want to sign keys etc.) …but due to the update to gpg2 I was unable to use gpg for months! Until I found your post today. Eureka! Thanks thanks thanks!

Andreas 2017-03-23

Thank you a lot, searched 2 days for the error.

Dirk Heinrichs 2017-04-22

Thanks a lot. Had the same problem ($HOME on an OpenAFS filesystem, which also doesn’t support sockets). But I needed to create 3 additional files:

S.gpg-agent.browser
S.gpg-agent.extra
S.gpg-agent.ssh

Of course, the socket file name inside those files needs to be adapted accordingly.
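
The redirection file from the post, extended to the three extra sockets listed in the comment above, as an added example that is not part of the original post or its comments. It puts the sockets in a private 0700 directory instead of a fixed name directly under the world-writable /dev/shm; the function names, the script name and the socket directory (here under $XDG_RUNTIME_DIR, assumed to be set) are assumptions of this example.

```shell
#!/bin/sh
# Added example: write Assuan redirection files for every agent socket.
# SOCKET_DIR and both function names are assumptions of this example.

# write_redirects GNUPG_HOME SOCKET_DIR
write_redirects() {
    home=$1
    sockdir=$2
    # The socket= value is written as an absolute path, as in the post.
    case $sockdir in
        /*) ;;
        *) echo "socket dir must be absolute: $sockdir" >&2; return 1 ;;
    esac
    # Refuse a symlink someone else may have planted at this path.
    if [ -L "$sockdir" ]; then
        echo "refusing symlink: $sockdir" >&2; return 1
    fi
    # Private directory: chmod fails if another user already owns it.
    mkdir -p "$sockdir" && chmod 700 "$sockdir" || return 1
    for name in S.gpg-agent S.gpg-agent.browser S.gpg-agent.extra S.gpg-agent.ssh; do
        target=$home/$name
        # A real socket here means this filesystem needs no redirect.
        if [ -S "$target" ]; then
            echo "skipping $target: already a socket" >&2
            continue
        fi
        printf '%%Assuan%%\nsocket=%s/%s\n' "$sockdir" "$name" > "$target" || return 1
    done
}

# check_redirect FILE: print the redirect target, or fail if FILE is malformed.
check_redirect() {
    { IFS= read -r line1 && IFS= read -r line2; } < "$1" || return 1
    [ "$line1" = '%Assuan%' ] || return 1
    case $line2 in
        socket=/*) printf '%s\n' "${line2#socket=}" ;;
        *) return 1 ;;
    esac
}

# Run as: sh redirects.sh ~/.gnupg "$XDG_RUNTIME_DIR/gnupg-sockets"
if [ "$#" -eq 2 ]; then
    write_redirects "$1" "$2"
fi
```

The first argument can also be a GNUPGHOME that lives on the USB stick; the socket directory has to be recreated after a reboot when it sits on a tmpfs.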

Lars 2018-07-27

Great hint, props to you and to Dirk as well! Encountered it while using the PGP Clean Room by Jacob Adams.
