Created
January 28, 2023 18:06
-
-
Save Mugurell/05a7b4c8b666f7b6abb7e82b22750fd2 to your computer and use it in GitHub Desktop.
Collection of resources on configuring your Yubikey for MacOs ssh connections and git commit signing.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
##Probably the best series for the setup of your new smart card: | |
https://www.youtube.com/watch?v=rGZtlgNhAVU&list=PLmoQ11MXEmahVl_uJVH0-a3XJtMV59PBu | |
| |
----- | |
----- | |
------ | |
| |
##How to add your yubikey to MacOs? | |
- import your public key on MacOs: `gpg --import keyfile` | |
- trust your new pgp key: `gpg --edit-key <any new key identifier>` | |
- How to sign commits with it (the public gpg key must be verified!)? | |
- set git to sign all commits: `git config --global commit.gpgsign true` | |
- set git to use a specific key for this: `git config --global signingKey=<sign key identifier>` | |
- add your public gpg key to Github - https://github.com/settings/keys | |
- more details - https://github.com/YubicoLabs/sign-git-commits-yubikey | |
| |
----- | |
----- | |
------ | |
| |
##How to connect through ssh using your `authorization` key?: | |
(Steps from https://gist.github.com/xirkus/20552a9b026413cc84191131bbeeb48a) | |
#### Enable `ssh` support for the `gpg-agent` | |
Append the following line to your `~/.gnupg/gpg-agent.conf` file: | |
``` | |
enable-ssh-support | |
``` | |
Restart your `gpg-agent` by sending the process the appropiate signal via `kill`. | |
### Identify the `keygrip` associated with your OpenPGP key | |
This is required to identify which secrets can be passed through to the `ssh-agent`. | |
> **WARNING:** For the purposes of integration, we will be using **ONLY** the Authentication subkey. | |
```sh | |
% gpg2 --with-keygrip -k [email protected] | |
... [REDACTED] | |
pub rsa4096 2020-10-14 [SC] | |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | |
Keygrip = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | |
uid [ultimate] [email protected] <[email protected]> | |
sub rsa4096 2020-10-14 [E] | |
Keygrip = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | |
sub rsa4096 2020-10-14 [A] | |
Keygrip = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX <<<< We will need this one. | |
sub rsa4096 2020-10-14 [S] | |
Keygrip = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | |
... [REDACTED] | |
``` | |
#### Configure the Authentication Subkey Keygrip | |
Add the keygrip to the following file (which may not exist) - `~/.gnupg/sshcontrol`. | |
#### Confgure your shell to export the `SSH_AUTH_SOCKET` environment variable | |
Add the following line to the appropriate start up file for your shell: | |
```sh | |
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) | |
``` | |
Verfiy that this environment variable is present: | |
```sh | |
% env | grep SSH | |
SSH_AUTH_SOCK=/Users/mel/.gnupg/S.gpg-agent.ssh | |
``` | |
If noting is listed, then the environment variable has not been properly exported. | |
#### Test the visibility of your Encryption OpenPGP subkey | |
If everything is working correctly, your Authentication subkey should now be visible to `ssh`. You can verify using the following commands: | |
```sh | |
% ssh-add -l | |
4096 SHA256:aLsYjSwRYVXc9WU6hrW0NjVIi4axQlN17DOhw5c2R7w cardno:0006086XXXXX (RSA) | |
``` | |
> **NOTE:** The `cardno` should be the same as the one associated with your Yubikey Smart Card in `gpg`. | |
To generate the public portion of this new Authentication ssh key, use the following command: | |
```sh | |
% ssh-add -L | |
ssh-rsa AAAA...[REDACTED]...spqw== cardno:0006086XXXXX | |
``` | |
***This is the public key that you can upload to remote servers for authentication purposes.*** | |
#### Last but not least - Configure GitHub with the public key of the OpenPGP Authentication Subkey. | |
##### Instructions | |
To complete this last step, you will need to be logged into your GitHub account. | |
1. Navigate to your https://github.com/settings/keys | |
1. Create an `New SSH Key` | |
1. Paste in the output of the `ssh-add -L` command above. Label the key and save. | |
1. Attempt to pull/checkout a repository with your github account. When you first attempt to use the Yubikey, you should be prompted for the default PIN. Enter it to continue (and be mindful of the number of retries you have before the Yubikey is locked). | |
1. If you've provided your default PIN correctly, you should notice the LED on your Yubikey flashing. Simply touch it to proceed. | |
#### Solve `sign_and_send_pubkey: signing failed for RSA` error: | |
`gpg-connect-agent updatestartuptty /bye` will ensure the next operation will show the pin prompt. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment