Based on the following guides:
- https://worklifenotes.com/2019/07/05/yubikey-for-ssh-on-windows-complete-walkthrough/
- https://scatteredcode.net/signing-git-commits-using-yubikey-on-windows/
- https://bhavik.io/2019/02/02/yubikey-git-ssh.html
- Open Powershell
- Set up new PINs:
- Tip: the PINs don't have to be numeric-only
```
gpg --expert --edit-card
> admin
> factory-reset   # optional step
> passwd          # choose 1 to change the PIN (default PIN is 123456)
                  # choose 3 to change the Admin PIN (default Admin PIN is 12345678)
> q               # leave the passwd menu
> forcesig
> quit
```
- Add identification data:
```
gpg --expert --edit-card
> admin
> name   # type your last name(s), then your first name(s)
> lang   # type your preferred language (e.g., en)
```
- Check the keys:
```
gpg --expert --card-status
```
- Go to Tools > Manage smartcard
- Click on Generate new keys (I recommend creating a RSA 4096 key)
- In Kleopatra, click on Settings > Configure Kleopatra
- Select GnuPG System
- Go to the tab Private Keys
- Check Enable ssh support and Enable putty support
- Click on Apply settings
- Run this command to add GitHub to the list of known hosts and avoid a freezing issue when using git:
```
plink -agent -v [email protected]
```
- If this command fails with a `FATAL ERROR: No supported authentication methods available (server sent: publickey)` error, try restarting the GPG Agent (see the troubleshooting step below)
- Verify that the key is set up correctly:
```
gpg --list-secret-keys --keyid-format LONG
```
- Look for a line like `sec   rsa4096/683AB68D867FEB5C`. The key ID is the string after `rsa4096/`.
- Point Git to globally use GnuPG:
```
git config --global gpg.program "c:\Program Files\GnuPG\bin\gpg.exe"
git config --global commit.gpgsign true
git config --global user.signingkey KEY_FROM_THE_PREVIOUS_STEP
git config --global core.sshcommand "plink -agent"
```
- If you haven't set up your Git user data, do it now:
```
git config --global user.email [email protected]
git config --global user.name "Your Full Name Here"
```
- Generate a public SSH key:
```
gpg --export-ssh-key [email protected] > id_rsa.pub
```
- Add the public key to your GitHub account
- Open Kleopatra, double-click on your key, click Export...
- Make sure you are exporting the public key. It should start with `-----BEGIN PGP PUBLIC KEY BLOCK-----`
- Copy the key
- Go to GitHub
- Click on your profile image
- Click on Settings
- On the sidebar, click on SSH and GPG Keys
- Click on New GPG Key
- Paste the key
- Instead of using the `ssh` command in PowerShell, you have to use the `plink` command:
```
plink username@server
```
- On Kleopatra main screen, select your certificates
- Go to File > Export...
- Select a place to store your OpenPGP certificates
- On Kleopatra main screen, go to File > Import...
- Select your OpenPGP certificates files
- In PowerShell, list the existing keys:
```
gpg --list-secret-keys --keyid-format LONG
```
- If no keys show up, try restarting the GPG Agent
- To edit a key:
```
gpg --edit-key KEYID
```
- To set the trust level to ultimate (inside the `gpg --edit-key` prompt):
```
trust
5      # to trust completely (ultimate)
y      # to confirm your decision
save
```
- If you have issues connecting to your smartcard, try restarting the GPG Agent:
```
gpg-connect-agent killagent /bye
gpg-connect-agent /bye
```
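As an added end-to-end check (this script is not part of the original notes or of the linked posts), the PowerShell below verifies the Git and GnuPG settings from the steps above, restarts the agent once if the card is not detected, and makes a test signature with the YubiKey. It assumes `git.exe` and `gpg-connect-agent.exe` are on PATH and uses whatever `gpg.exe` path is stored in Git's `gpg.program`.

```powershell
# Added verification script, not from the original guide.
# Assumes git.exe and gpg-connect-agent.exe are on PATH.

function Restart-GpgAgent {
    # Same restart sequence as the troubleshooting step above
    gpg-connect-agent killagent /bye | Out-Null
    gpg-connect-agent /bye | Out-Null
}

# 1. Git must point at Gpg4win's gpg.exe, and that file must exist
$gpgProgram = git config --global gpg.program
if (-not $gpgProgram -or -not (Test-Path $gpgProgram)) {
    throw "git gpg.program is unset or points at a missing file: '$gpgProgram'"
}
if ((git config --global commit.gpgsign) -ne 'true') {
    throw 'commit.gpgsign is not true; commits will not be signed automatically'
}

# 2. The configured signing key must be one of GnuPG's secret keys.
#    With --keyid-format LONG the listing contains lines like
#    "sec   rsa4096/683AB68D867FEB5C 2019-07-05 [SC]"
$signingKey = git config --global user.signingkey
$secretKeys = & $gpgProgram --list-secret-keys --keyid-format LONG
if (-not ($secretKeys | Select-String -SimpleMatch "/$signingKey")) {
    throw "user.signingkey '$signingKey' not found among gpg's secret keys"
}

# 3. The YubiKey must be visible; if not, restart the agent once and retry
$cardStatus = & $gpgProgram --card-status
if (-not ($cardStatus | Select-String -SimpleMatch 'Serial number')) {
    Write-Warning 'Smartcard not detected, restarting gpg-agent and retrying...'
    Restart-GpgAgent
    $cardStatus = & $gpgProgram --card-status
    if (-not ($cardStatus | Select-String -SimpleMatch 'Serial number')) {
        throw 'YubiKey still not detected; check it is inserted and visible in Kleopatra'
    }
}

# 4. End-to-end check: sign a scratch file (gpg prompts for the YubiKey PIN), then verify it
$scratch = Join-Path $env:TEMP 'yubikey-sign-test.txt'
Set-Content -Path $scratch -Value 'signing test'
Remove-Item "$scratch.asc" -ErrorAction SilentlyContinue
& $gpgProgram --local-user $signingKey --armor --detach-sign $scratch
& $gpgProgram --verify "$scratch.asc" $scratch
if ($LASTEXITCODE -ne 0) { throw 'Signature verification failed' }
Write-Host "OK: git will sign with $signingKey using $gpgProgram and the YubiKey"
```

If step 4 fails without a PIN prompt, the card is usually not reachable by gpg-agent; the restart sequence above is the first thing to retry.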
Now you're all set. When using git or ssh, the private key should be taken from your YubiKey and you will be asked for its PIN.
Enjoy :)
FYI from the end of this blog post by I Am Justyn:
git-bash comes pre-installed with a whole bunch of gpg* binaries located in `<git-bash-install-dir>\usr\bin\`. When using this version of gpg, git bash (elevated or not) cannot access the yubikey. You can install gpg4win with choco... And from this gist by BoGnY, you can tell git-bash to use the alternate gpg binary with:
```
$ git config --global gpg.program "/c/Program Files (x86)/GnuPG/bin/gpg.exe"
```