Key ID: C6CB6CC54E363735
Subkeys: AAFDA9101C58F338, A96EDD9C10BC77A5, 5BB1D2E5A4C8404B
git config --global user.signingkey AAFDA9101C58F338
git config --global commit.gpgsign true
curl https://gist.githubusercontent.com/nicolo-ribaudo/2d3b27778d2b248947ddbb5c48b1bc3c/raw/077ccef1f3210a9f9a3ab9b2d6811f61b2037bc7/pubkey.pem | gpg --import
gpg --edit-key C6CB6CC54E363735 # configure ultimate trust
Restart the daemon (Linux)
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
~/.gnupg/gpg-agent.conf
enable-ssh-support
ttyname $GPG_TTY
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-gnome3
# pinentry-program /opt/homebrew/bin/pinentry-mac
.bashrc/.zshrc
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
gpgconf --launch gpg-agent
The setup above is for a single device. To use a device both standalone and as an SSH server whose remote clients forward their own gpg-agent in, use the following config.
On the server, in .zshrc:
# For SSH from PGP on the Yubikey
GPG_AGENT_SOCKET="/run/user/1000/gnupg/S.gpg-agent"
GPG_AGENT_SOCKET_REMOTE="/run/user/1000/gnupg/S.gpg-agent.from-ssh"
if [[ -n $SSH_CONNECTION ]]; then
    # Remote
    if [[ "$(realpath $GPG_AGENT_SOCKET)" == $GPG_AGENT_SOCKET_REMOTE ]]; then
        # Already running with the remote agent (an empty branch is a
        # syntax error in zsh and bash, so use an explicit no-op)
        :
    else
        # Stop the local agent so it does not recreate the socket file,
        # then point the socket at the one forwarded from the client
        gpgconf --kill gpg-agent
        rm $GPG_AGENT_SOCKET 2> /dev/null || true
        ln -s $GPG_AGENT_SOCKET_REMOTE $GPG_AGENT_SOCKET
    fi
else
    # Local
    if [[ "$(realpath $GPG_AGENT_SOCKET)" == $GPG_AGENT_SOCKET_REMOTE ]]; then
        # Disconnect from the remote agent; the local agent recreates the socket on launch
        rm $GPG_AGENT_SOCKET || true
    fi
    export GPG_TTY="$(tty)"
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    gpgconf --launch gpg-agent
fi
On the server, in /etc/ssh/sshd_config (so sshd replaces the stale socket file left by a previous session instead of failing to bind):
StreamLocalBindUnlink yes
On each remote client's ~/.ssh/config (note: the RemoteForward second path assumes macOS):
Host <host name>
ForwardAgent yes
User <user name>
RemoteForward /run/user/1000/gnupg/S.gpg-agent.from-ssh /Users/<user name>/.gnupg/S.gpg-agent.extra
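The three server/client steps above hard-code uid 1000 and are hard to dry-run. The following is an added example (not the gist author's code): the local/forwarded agent switch as a function whose socket paths are parameters, so it can be exercised against a scratch directory, plus a check that sshd_config carries the StreamLocalBindUnlink setting the RemoteForward depends on. The function names, the `GPG_SOCKET_APPLY` opt-in variable and the sample sshd_config contents are constructed for this example; the `.from-ssh` suffix and the gpgconf calls are the ones used on this page.

```shell
#!/usr/bin/env bash
# Added example, not the gist author's code. Resolves the agent socket via
# gpgconf instead of the hard-coded /run/user/1000 path, which only holds
# for uid 1000 on systemd hosts.

# select_gpg_socket SOCKET REMOTE_SOCKET MODE
#   SOCKET         the agent socket path gpg clients connect to
#   REMOTE_SOCKET  where sshd places the socket forwarded from the client
#   MODE           "remote" for a shell started over SSH, "local" otherwise
# Prints the action taken: link, unlink or keep.
select_gpg_socket() {
  local sock="$1" remote="$2" mode="$3" target
  # readlink prints the link target, or nothing when SOCKET is not a symlink
  target="$(readlink -- "$sock" 2>/dev/null || true)"
  if [ "$mode" = remote ]; then
    if [ "$target" = "$remote" ]; then
      echo keep                        # already using the forwarded agent
    else
      # A real socket here means a local gpg-agent owns it: stop it first,
      # otherwise it recreates the file and the symlink never takes effect.
      if [ -S "$sock" ] && command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill gpg-agent
      fi
      rm -f -- "$sock"
      ln -s -- "$remote" "$sock"
      echo link
    fi
  else
    if [ "$target" = "$remote" ]; then
      rm -f -- "$sock"                 # let the local agent recreate it
      echo unlink
    else
      echo keep
    fi
  fi
}

# sshd_unlinks_forwarded_sockets SSHD_CONFIG
#   Succeeds when the first StreamLocalBindUnlink directive (sshd uses the
#   first value it finds for a keyword) is "yes". Match blocks are ignored.
#   Without this setting sshd refuses to bind over the stale socket left by
#   a previous session and the RemoteForward fails.
sshd_unlinks_forwarded_sockets() {
  awk 'tolower($1) == "streamlocalbindunlink" && !seen { v = tolower($2); seen = 1 }
       END { exit (v == "yes") ? 0 : 1 }' "$1"
}

# Apply with the real paths only when explicitly requested (GPG_SOCKET_APPLY=1
# is this example's own switch), so running the file does not touch a live agent.
if [ "${GPG_SOCKET_APPLY:-}" = 1 ] && command -v gpgconf >/dev/null 2>&1; then
  agent_sock="$(gpgconf --list-dirs agent-socket)"
  if [ -n "${SSH_CONNECTION:-}" ]; then
    select_gpg_socket "$agent_sock" "$agent_sock.from-ssh" remote
  else
    select_gpg_socket "$agent_sock" "$agent_sock.from-ssh" local
    export GPG_TTY="$(tty)"
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    gpgconf --launch gpg-agent
  fi
fi
```

Source the file from `.zshrc` with `GPG_SOCKET_APPLY=1` to get the page's behaviour; the client side must still set `RemoteForward` to `"$(gpgconf --list-dirs agent-socket).from-ssh"` on the server so both ends agree on the path.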
$ gpg --card-status # gpg has no --card-view option; this prints the card's keys and PIN counters
$ gpg --card-edit # run verify command
On Linux I needed to
sudo apt install scdaemon