
These are the ramblings of Matthijs Kooijman, concerning the software he hacks on, hobbies he has and occasionally his personal life.

Most content on this site is licensed under the WTFPL, version 2 (details).

Getting git-buildpackage to ask for my passphrase

For a while now, I've been using git-buildpackage to manage the Debian packaging for OpenTTD. This offers the option to sign the tags created by git-buildpackage, which is of course cool. However, I've found that I always need to load my GPG key into my gpg-agent first to make that work. If I didn't, I'd see the following:

You need a passphrase to unlock the secret key for
user: "Matthijs Kooijman <matthijs@stdin.nl>"
1024-bit DSA key, ID 8A2FAFBC, created 2005-05-27

gpg: cancelled by user
gpg: skipped "Matthijs Kooijman <matthijs@stdin.nl>": bad passphrase
gpg: signing failed: bad passphrase
error: gpg failed to sign the tag
error: unable to sign the tag

This also occurs when calling git tag directly, but not when calling gpg --sign.

I've finally done some research into this, and found that this can be solved by setting the GPG_TTY variable in every shell. According to the gpg-agent manual, you should add the following to your ~/.bashrc:

GPG_TTY=$(tty)
export GPG_TTY

And whaddayaknow, it works! Sounded pretty silly to me (why not just use $tty directly?), but it actually makes some sense. First of all, $(tty) is not an environment variable, but an invocation of the tty command.

Secondly, it seems of course silly to put this in the environment when the passphrase-asking code could just find out the current tty by itself. However, it seems that it is actually gpg-agent itself that initiates the passphrase dialog. When I unset $GPG_AGENT_INFO in my terminal, git tag asks for a passphrase normally (but just with an "Enter passphrase:" prompt, instead of the full-screen curses-based prompt I get normally).

This probably means that whatever code is calling gpg-agent from within git tag is sending along the value of the GPG_TTY variable (or perhaps simply all of the environment?). I guess the gpg command automatically sets the GPG_TTY variable internally, which is why using gpg directly just worked.

This also explains why, after entering my passphrase, my key was added to the agent as well.
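A preflight check for the GPG_TTY setup described above, as an added example that is not part of the original post. The function names classify_gpg_tty and check_gpg_tty are hypothetical, and the "stale" case (a GPG_TTY value inherited from a different terminal) is an assumption that goes beyond the unset case the post describes.

```shell
#!/bin/sh
# Added example: check that GPG_TTY points at the terminal you are typing in.

# classify_gpg_tty CURRENT_TTY GPG_TTY_VALUE
# Prints one of: ok, unset, stale, no-tty.
classify_gpg_tty() {
    cgt_current=$1
    cgt_configured=$2
    case $cgt_current in
        /dev/*) ;;                      # a real terminal device
        *) echo "no-tty"; return 0 ;;   # cron, CI, piped stdin
    esac
    if [ -z "$cgt_configured" ]; then
        echo "unset"
    elif [ "$cgt_configured" != "$cgt_current" ]; then
        echo "stale"
    else
        echo "ok"
    fi
}

# check_gpg_tty: classify the live shell and explain the result.
# Returns 0 only when GPG_TTY matches the terminal on stdin.
check_gpg_tty() {
    # tty exits non-zero (printing "not a tty") when stdin is not a terminal
    cgt_live=$(tty 2>/dev/null) || cgt_live=""
    cgt_state=$(classify_gpg_tty "$cgt_live" "${GPG_TTY:-}")
    case $cgt_state in
        ok)     echo "GPG_TTY=$GPG_TTY matches this terminal" ;;
        unset)  echo "GPG_TTY is not set; add 'GPG_TTY=\$(tty); export GPG_TTY' to ~/.bashrc" ;;
        stale)  echo "GPG_TTY=$GPG_TTY but this terminal is $cgt_live; re-run 'GPG_TTY=\$(tty)'" ;;
        no-tty) echo "stdin is not a terminal; a terminal passphrase prompt cannot appear here" ;;
    esac
    [ "$cgt_state" = ok ]
}

# Constructed sample inputs ("tty|GPG_TTY"), not taken from a real session.
for cgt_case in "/dev/pts/3|/dev/pts/3" "/dev/pts/3|" "/dev/pts/3|/dev/pts/7" "|/dev/pts/3"; do
    printf '%-8s tty=%-12s GPG_TTY=%s\n' \
        "$(classify_gpg_tty "${cgt_case%%|*}" "${cgt_case#*|}")" \
        "${cgt_case%%|*}" "${cgt_case#*|}"
done
```

Running check_gpg_tty just before a signing step (for example in a wrapper around git tag -s) turns the opaque "bad passphrase" failure into a message that names the actual cause.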

 