gpg-linux

I finally refactored the NeoMutt config and made it work nicely on my macOS. I will deal with the proper setup on my Arch Linux later, as we first need to deal with the gpg+pass on Arch. Show me the steps that I should follow to set them up on Arch, then we can deal with the NeoMutt later on.

Excellent! Let's set up GPG and pass on your Arch Linux system. Since you already have a working GPG key on macOS, we'll transfer your existing key rather than creating a new one. This ensures both systems use the same identity.

Part 1: Install Required Packages on Arch Linux

bash
# Update your system first
sudo pacman -Syu

# Install GPG and pass
sudo pacman -S gnupg pass

# Optional but recommended: for better pinentry support
sudo pacman -S pinentry

Part 2: Transfer Your GPG Key from macOS to Arch Linux

On macOS: Export Your Keys

bash
# First, list your keys to confirm the ID
gpg --list-secret-keys --keyid-format LONG

# Export your public key (replace with your key ID)
gpg --export --armor YOUR_KEY_ID > public-key.asc

# Export your private key (THIS IS CRITICAL - keep it safe)
gpg --export-secret-keys --armor YOUR_KEY_ID > private-key.asc

# Export the trust settings
gpg --export-ownertrust > ownertrust.txt

# Copy these files to your Arch machine
# You can use scp, USB drive, or any secure method
scp public-key.asc private-key.asc ownertrust.txt alowree@arch-linux:~/

On Arch Linux: Import Your Keys

bash
# First, import your public key
gpg --import public-key.asc

# Then import your private key
gpg --import private-key.asc

# Finally, restore trust settings
gpg --import-ownertrust < ownertrust.txt

# Verify the key was imported correctly
gpg --list-secret-keys --keyid-format LONG

Part 3: Configure GPG on Arch Linux

Step 1: Set Up GPG Agent Configuration

bash
# Create the GPG directory if it doesn't exist
mkdir -p ~/.gnupg

# Set proper permissions
chmod 700 ~/.gnupg

# Create the agent configuration
cat > ~/.gnupg/gpg-agent.conf << 'EOF'
# Use pinentry-tty for terminal-based passphrase entry
pinentry-program /usr/bin/pinentry-tty

# Cache passphrase for 8 hours of inactivity
default-cache-ttl 28800

# Maximum cache time regardless of activity
max-cache-ttl 86400

# Allow loopback pinentry (for pass)
allow-loopback-pinentry
EOF

# Set proper permissions
chmod 600 ~/.gnupg/gpg-agent.conf

Step 2: Configure GPG Itself

bash
cat > ~/.gnupg/gpg.conf << 'EOF'
# Use SHA256 for better security
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

# Set default key (use your key ID)
default-key YOUR_KEY_ID

# No need to show the key version
no-emit-version

# Disable comments in armored output
no-comments
EOF

chmod 600 ~/.gnupg/gpg.conf

Step 3: Set GPG_TTY in Your Shell

bash
# Add to ~/.zshrc (or ~/.bashrc if using bash)
echo 'export GPG_TTY=$(tty)' >> ~/.zshrc

# Also add for non-interactive shells (important for pass)
echo 'export GPG_TTY=$(tty)' >> ~/.profile

# Source it
source ~/.zshrc

Step 4: Restart GPG Agent

bash
# Kill existing agent
gpgconf --kill all

# Start fresh
gpg-connect-agent /bye

# Verify it's working
gpg-connect-agent 'getinfo version' /bye

Part 4: Test GPG on Arch Linux

bash
# Create a test file
echo "Testing GPG on Arch Linux" > test.txt

# Encrypt it (use your email or key ID)
gpg --encrypt --recipient YOUR_EMAIL test.txt

# Remove the original
rm test.txt

# Decrypt it
gpg --decrypt test.txt.gpg

# You should see the original text

Part 5: Set Up pass on Arch Linux

Step 1: Initialize Password Store

bash
# Initialize with your GPG key ID
pass init YOUR_KEY_ID

# Verify it's set up correctly
cat ~/.password-store/.gpg-id

Step 2: Create Your Password Store Structure

bash
# Create directories
mkdir -p ~/.password-store/{Email,Banking,Social,Wifi,Tokens,Servers}

# Add your email passwords
pass insert Email/twineintl
pass insert Email/soundfreaq
pass insert Email/biaget

# Add other passwords as needed
pass insert Banking/chase
pass insert Social/twitter
pass insert Wifi/home

Step 3: Verify pass Works

bash
# List all passwords
pass

# Retrieve a password (should prompt for GPG passphrase first time)
pass Email/twineintl

# Test with clipboard (optional)
pass -c Email/twineintl

Part 6: Set Up Synchronization Between macOS and Arch

Option 1: Use Git (Recommended)

bash
# On macOS, initialize Git in your password store
cd ~/.password-store
pass git init
pass git add .
pass git commit -m "Initial password store"

# Add remote (private repository on GitHub/GitLab)
pass git remote add origin git@github.com:alowree/password-store.git
pass git push -u origin main

# On Arch Linux, clone the repository
git clone git@github.com:alowree/password-store.git ~/.password-store

# Set the GPG key for this store
pass init YOUR_KEY_ID

# Verify it works
pass

Option 2: Use rsync/scp (Simple but Manual)

bash
# On macOS, after updating passwords
rsync -avz ~/.password-store/ alowree@arch-linux:~/.password-store/

# On Arch Linux, after syncing
pass init YOUR_KEY_ID  # Re-initialize with your key

Part 7: Configure GPG Agent for Non-Interactive Use

Since pass may be called from scripts (like isync), ensure GPG works without a terminal:

bash
# Make sure ~/.local/bin exists, then create a script to preseed the GPG cache
mkdir -p ~/.local/bin
cat > ~/.local/bin/gpg-preseed << 'EOF'
#!/bin/bash
# Pre-cache your GPG passphrase so it's ready for automated scripts
echo "Enter your GPG passphrase to cache it:"
pass Email/twineintl > /dev/null
echo "GPG passphrase cached"
EOF

chmod +x ~/.local/bin/gpg-preseed

# Run it once after login (will prompt once)
~/.local/bin/gpg-preseed

Part 8: Test the Complete Setup

bash
# Create a comprehensive test script
cat > ~/test-gpg-pass.sh << 'EOF'
#!/bin/bash

echo "Testing GPG + pass setup on Arch Linux"
echo "======================================"

# Test 1: GPG key exists
echo -n "1. GPG key: "
if gpg --list-secret-keys | grep -q "sec"; then
    echo "✓"
else
    echo "✗"
fi

# Test 2: pass is initialized
echo -n "2. Pass store: "
if pass &>/dev/null; then
    echo "✓"
else
    echo "✗"
fi

# Test 3: Can retrieve password
echo -n "3. Password retrieval: "
if pass Email/twineintl &>/dev/null; then
    echo "✓"
else
    echo "✗"
fi

# Test 4: GPG agent is caching
echo -n "4. GPG agent: "
if gpg-connect-agent 'getinfo version' /bye &>/dev/null; then
    echo "✓"
else
    echo "✗"
fi

echo "======================================"
echo "Setup complete!"
EOF

chmod +x ~/test-gpg-pass.sh
~/test-gpg-pass.sh

Part 9: Set Up GPG Agent on Login

For Zsh (if using Zsh)

bash
# Add to ~/.zshrc
cat >> ~/.zshrc << 'EOF'

# GPG Agent setup for pass
export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

# Pre-cache GPG passphrase (optional, uncomment if desired)
# ~/.local/bin/gpg-preseed 2>/dev/null &
EOF

source ~/.zshrc

For systemd (to ensure GPG agent runs in user session)

bash
# Enable GPG agent socket for user
systemctl --user enable gpg-agent.socket
systemctl --user enable gpg-agent-ssh.socket
systemctl --user start gpg-agent.socket
systemctl --user start gpg-agent-ssh.socket

# Check status
systemctl --user status gpg-agent.socket

Part 10: Common Arch Linux Specific Issues

Issue 1: Pinentry not working

bash
# Install multiple pinentry options
sudo pacman -S pinentry pinentry-gtk2 pinentry-qt

# Test which one works
pinentry-tty
# Type GETPIN and press Enter, then type a test passphrase

# If pinentry-tty doesn't work, try pinentry-curses
sudo pacman -S pinentry-curses

# Update gpg-agent.conf to use curses instead
sed -i 's/pinentry-tty/pinentry-curses/' ~/.gnupg/gpg-agent.conf
gpgconf --kill all

Issue 2: Locale warnings

bash
# Generate locales if you see warnings
sudo locale-gen

# Set your locale
echo 'export LANG=en_US.UTF-8' >> ~/.zshrc

Issue 3: Random number generation

bash
# Install rng-tools for better entropy (optional)
sudo pacman -S rng-tools
sudo systemctl enable rngd
sudo systemctl start rngd

Final Verification Checklist

  • GPG key imported successfully (gpg --list-secret-keys)
  • GPG agent running (gpg-connect-agent 'getinfo version' /bye)
  • pass initialized (pass shows store structure)
  • Can retrieve password (pass Email/twineintl)
  • GPG_TTY set in shell (echo $GPG_TTY)
  • Passphrase caching works (second retrieval doesn't prompt)

Next Steps for Arch Linux

Once GPG and pass are working, we'll:

  1. Install and configure isync/mbsync to sync your email
  2. Set up goimapnotify for real-time notifications
  3. Install and configure NeoMutt using your existing configs
  4. Create systemd services for automatic email syncing

Ready to proceed with the Arch Linux setup whenever you are! Let me know when GPG and pass are working, and we'll move on to isync and NeoMutt.
