-if type -P keychain >/dev/null ; then
- [ -e ~/.keychain/${HOSTNAME}-sh ] && source ~/.keychain/${HOSTNAME}-sh
- [ -e ~/.keychain/${HOSTNAME}-sh-gpg ] && source ~/.keychain/${HOSTNAME}-sh-gpg
+# If an auth sock is already set & available, use it.
+# This way ssh agent forwarding still works.
+if type keychain >/dev/null 2>&1 ; then
+ if [ ! -S "${SSH_AUTH_SOCK}" ] ; then
+ : ${HOSTNAME:=$(hostname)}
+ [ -e ~/.keychain/${HOSTNAME}-sh ] && . ~/.keychain/${HOSTNAME}-sh
+ fi
+ if [ -z "${GPG_AGENT_INFO}" ] ; then
+ : ${HOSTNAME:=$(hostname)}
+ [ -e ~/.keychain/${HOSTNAME}-sh-gpg ] && . ~/.keychain/${HOSTNAME}-sh-gpg
+ fi
fi
+
+# The agent might try to spawn pinentry on the tty it started
+# on instead of the tty gpg is now running on.
+export GPG_TTY="$(tty)"
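Review bot: The final added line exports GPG_TTY unconditionally, so a shell started without a terminal (scp, cron, a remote command) stores the literal `not a tty` message that tty prints, and `export VAR="$(cmd)"` hides tty's non-zero status. Guard it, for example `if tty -s ; then GPG_TTY=$(tty) ; export GPG_TTY ; fi`. In the ssh branch, `[ ! -S "${SSH_AUTH_SOCK}" ]` only shows that a socket exists at that path, not that an agent still answers on it, so a leftover socket from a dead session would skip the keychain file. A comment saying so would help, or, if the start-up cost is acceptable, a liveness probe such as `ssh-add -l` (exit status 2 means no agent could be contacted). The `${HOSTNAME}` expansions are unquoted in both the `:` assignment and the sourced paths; `: "${HOSTNAME:=$(hostname)}"` and `. ~/.keychain/"${HOSTNAME}"-sh` keep an unusual hostname from being split or globbed.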