Description
Environment
- macOS: Tahoe (Darwin 25.3.0)
- Agent.app version: /Applications/Agent.app (built Nov 14, 2023)
- Bundled GnuPG: 2.3.8
- Architecture: Apple Silicon (arm64)
Problem
After upgrading to macOS Tahoe, Agent.app silently terminates after some idle time (likely during sleep/wake cycles). When this happens, GPG commit signing fails with:
[GNUPG:] PINENTRY_LAUNCHED 25954 mac 1.3.1.1 - xterm-256color - - 502/20 0
gpg: signing failed: Operation cancelled
fatal: failed to write commit object
pinentry-mac shows a dialog: "Please insert the card with serial number: 3131 AFCEC5DB", indicating the smartcard daemon has lost connection to the Agent.
Workaround: Manually restarting Agent.app restores GPG signing — until the next termination.
Root Cause Analysis
The GPG signing chain is:
git commit → Keeta GPG (/Users/<user>/.keeta_agent/gnupg/bin/gpg)
→ gpg-agent → scdaemon (gnupg-pkcs11-scd)
→ libssh-agent-pkcs11-provider.dylib → SSH agent → Agent.app
When Agent.app terminates, the SSH agent becomes unavailable (ssh-add -l returns "Connection refused"), which causes scdaemon to fail to find the smartcard, resulting in the "Operation cancelled" error from pinentry.
No crash reports are generated in ~/Library/Logs/DiagnosticReports/, which suggests macOS is terminating the process (e.g., via jetsam memory pressure or App Nap) rather than the app crashing.
Additional Findings
1. gpgconf has hardcoded build paths
$ ~/.keeta_agent/gnupg/bin/gpgconf --list-components
gpg:OpenPGP:/Users/rkeene/devel/gpg-sign-se/build/pkgs/installed/gnupg-2.3.8/bin/gpg
This causes gpgconf --kill gpg-agent to fail:
gpgconf: error running '/Users/rkeene/devel/gpg-sign-se/build/pkgs/installed/gnupg-2.3.8/bin/gpg-connect-agent': probably not installed
Users cannot gracefully restart the gpg-agent without killing the process manually.
2. scdaemon version mismatch warning on startup
gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.3.8)
gpg: Note: Outdated servers may lack important security fixes.
3. Card not found on startup
gpg: OpenPGP card not available: Not found
This appears during checkCardStatus on app startup (observed when running the binary directly from the terminal).
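The three findings above each touch a different link of the signing chain in the report: the SSH agent socket (dies with Agent.app), gpgconf's recorded component paths (the hardcoded build directory), and whether scdaemon can see the card. The helper below probes each link on its own, so the broken one can be located without a round-trip through a failing git commit. It is an added example, not Agent.app's, Keeta's or the reporter's code. It assumes the bundled GnuPG lives in ~/.keeta_agent/gnupg/bin (override with GNUPG_BIN), that gpg-connect-agent is shipped in that directory alongside the gpg and gpgconf shown in the report, and that ssh-add talks to the agent socket Agent.app provides; the sample gpgconf lines in the usage comment are constructed.

```sh
#!/bin/sh
# Link-by-link check of the signing chain described in the report
# (git -> gpg -> gpg-agent -> scdaemon -> SSH agent -> Agent.app).
# Added illustration, not project code. Assumption: bundled GnuPG directory.
GNUPG_BIN="${GNUPG_BIN:-$HOME/.keeta_agent/gnupg/bin}"

# 1. The SSH agent socket, the link that disappears when Agent.app terminates.
#    ssh-add exits 2 when it cannot contact the agent (0 = identities listed,
#    1 = agent answered but has no identities), so only status 2 means "gone".
ssh_agent_reachable() {
    _st=0
    ssh-add -l >/dev/null 2>&1 || _st=$?
    [ "$_st" -ne 2 ]
}

# 2. The hardcoded build paths. gpgconf --list-components prints
#    name:description:path per line; read that on stdin and report every
#    component whose recorded binary is not an executable on this machine.
#    Returns 1 if anything is missing, which is exactly the condition that
#    makes "gpgconf --kill gpg-agent" fail with "probably not installed".
check_component_paths() {
    _rc=0
    while IFS=: read -r _name _desc _path; do
        [ -n "$_name" ] || continue
        if [ ! -x "$_path" ]; then
            printf 'missing: %s -> %s\n' "$_name" "$_path"
            _rc=1
        fi
    done
    return "$_rc"
}

# 3. Whether scdaemon currently sees the card. Ask the running agent directly,
#    bypassing gpgconf and its bad paths. A present card yields an
#    "S SERIALNO <serial>" status line; "Not found" yields an ERR line instead.
card_present() {
    "$GNUPG_BIN/gpg-connect-agent" 'scd serialno' /bye 2>/dev/null | grep -q '^S SERIALNO'
}

# 4. Restart gpg-agent without gpgconf --kill: "killagent" over the direct
#    connection, then a fresh connection, which autostarts the agent
#    (gpg-connect-agent autostarts unless --no-autostart is given).
restart_gpg_agent() {
    "$GNUPG_BIN/gpg-connect-agent" killagent /bye >/dev/null 2>&1
    "$GNUPG_BIN/gpg-connect-agent" /bye >/dev/null 2>&1
}

# Usage (nothing below runs on load; source the file and call by hand):
#   ssh_agent_reachable || echo "SSH agent unreachable: Agent.app likely terminated"
#   "$GNUPG_BIN/gpgconf" --list-components | check_component_paths
#   card_present || echo "scdaemon cannot see the card"
# Constructed input for check_component_paths, mirroring the report's output:
#   printf 'gpg:OpenPGP:/Users/rkeene/devel/gpg-sign-se/build/pkgs/installed/gnupg-2.3.8/bin/gpg\n' | check_component_paths
```

When the SSH agent check fails, restarting gpg-agent will not help; that case needs Agent.app relaunched, as the workaround in the report says. The path check is the one to run once, after installation, since a stale build path is a packaging defect rather than a runtime condition.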