
@Mugurell
Created January 28, 2023 18:06
Collection of resources on configuring your YubiKey for macOS SSH connections and git commit signing.
## Probably the best video series for setting up your new smart card:
https://www.youtube.com/watch?v=rGZtlgNhAVU&list=PLmoQ11MXEmahVl_uJVH0-a3XJtMV59PBu
-----
## How to add your YubiKey to macOS?
- import the public key matching the private keys stored on the YubiKey: `gpg --import keyfile`
- let gpg discover the card and create the private-key stubs that point at it: `gpg --card-status`
- trust your new pgp key: `gpg --edit-key <key identifier>`, then `trust`, `5` (ultimate), `save`
- How to sign commits with it? (GitHub only marks commits "Verified" once the matching public key is on your account, see below.)
- set git to sign all commits: `git config --global commit.gpgsign true`
- set git to use a specific key for this: `git config --global user.signingkey <signing key identifier>` (a subkey fingerprint with a trailing `!` forces gpg to use exactly that subkey)
- add your public gpg key (`gpg --armor --export <key identifier>`) to GitHub - https://github.com/settings/keys
- more details - https://github.com/YubicoLabs/sign-git-commits-yubikey
-----
## How to connect through ssh using your OpenPGP `authentication` subkey?
(Steps from https://gist.github.com/xirkus/20552a9b026413cc84191131bbeeb48a)
#### Enable `ssh` support for the `gpg-agent`
Append the following line to your `~/.gnupg/gpg-agent.conf` file:
```
enable-ssh-support
```
Restart your `gpg-agent` so it picks up the new option (e.g. `gpgconf --kill gpg-agent`; the agent is started again on demand).
#### Identify the `keygrip` associated with your OpenPGP key
`gpg-agent` now also acts as your `ssh-agent`, but it only offers the keys whose keygrips are listed in `~/.gnupg/sshcontrol`; keygrips, not key IDs, are how the agent identifies secrets, so this is the value you need.
> **WARNING:** For the purposes of integration, we will be using **ONLY** the Authentication subkey.
```sh
% gpg2 --with-keygrip -k mel.llaguno@protonmail.com
... [REDACTED]
pub rsa4096 2020-10-14 [SC]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Keygrip = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid [ultimate] mel.llaguno@protonmail.com <mel.llaguno@protonmail.com>
sub rsa4096 2020-10-14 [E]
Keygrip = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sub rsa4096 2020-10-14 [A]
Keygrip = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX <<<< We will need this one.
sub rsa4096 2020-10-14 [S]
Keygrip = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
... [REDACTED]
```
#### Configure the Authentication Subkey Keygrip
Add the keygrip of the `[A]` subkey, on a line of its own, to `~/.gnupg/sshcontrol` (create the file if it does not exist).
#### Configure your shell to export the `SSH_AUTH_SOCK` environment variable
Add the following line to the appropriate start up file for your shell:
```sh
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
```
Verify that this environment variable is present:
```sh
% env | grep SSH
SSH_AUTH_SOCK=/Users/mel/.gnupg/S.gpg-agent.ssh
```
If nothing is listed, the environment variable has not been exported in the shell you are using (check that you edited the right start-up file and opened a new shell).
#### Test the visibility of your Authentication OpenPGP subkey
If everything is working correctly, your Authentication subkey should now be visible to `ssh`. You can verify using the following commands:
```sh
% ssh-add -l
4096 SHA256:aLsYjSwRYVXc9WU6hrW0NjVIi4axQlN17DOhw5c2R7w cardno:0006086XXXXX (RSA)
```
> **NOTE:** The `cardno` should be the same as the one associated with your Yubikey Smart Card in `gpg`.
To print the OpenSSH-format public key of this Authentication subkey, use the following command:
```sh
% ssh-add -L
ssh-rsa AAAA...[REDACTED]...spqw== cardno:0006086XXXXX
```
***This is the public key that you can upload to remote servers for authentication purposes.***
#### Last but not least - Configure GitHub with the public key of the OpenPGP Authentication Subkey.
##### Instructions
To complete this last step, you will need to be logged into your GitHub account.
1. Navigate to your https://github.com/settings/keys
1. Create a `New SSH Key`
1. Paste in the output of the `ssh-add -L` command above. Label the key and save.
1. Attempt to pull/checkout a repository with your GitHub account. The first time the YubiKey is used, you will be prompted for the card's user PIN. Enter it to continue (and be mindful of the number of retries you have before the YubiKey is locked).
1. If you've entered the PIN correctly, the LED on your YubiKey will flash if a touch policy is set for the key. Simply touch it to proceed.
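Both procedures on this page (the git signing configuration and the ssh setup above) come down to picking the right subkey out of `gpg`'s listing: the signing subkey for `user.signingkey` and the authentication subkey's keygrip for `sshcontrol`. The script below is an added example, not code from this gist, from the xirkus gist or from Yubico. It parses gpg's machine-readable `--with-colons` output (the page shows the human-readable listing) over a constructed sample, so everything except `configure_live_system` can be tried without a YubiKey; the key IDs, fingerprints and keygrips in the sample are made up, and `configure_live_system` assumes gpg 2.1 or later, git and an OpenSSH `ssh-add` on the PATH.

```shell
#!/bin/sh
# Added example, not code from the gist or from Yubico: select the right OpenPGP
# subkey identifiers from a gpg listing and wire them into git and gpg-agent.
# Assumes gpg >= 2.1 (colon-format output, keygrips), POSIX sh and awk.
# Only configure_live_system touches the real machine; it is not run here.
set -eu

# Constructed sample of `gpg --with-colons --with-keygrip -k <user-id>`: a
# primary key and three subkeys. Field 12 of pub/sub records carries the
# capability letters (e = encrypt, a = authenticate, s = sign); field 10 of the
# fpr/grp records that follow holds that key's fingerprint / keygrip.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1602633600:::u:::scESCA::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1602633600::0::Example User <user@example.com>::::::::::0:
sub:u:4096:1:1122334455667788:1602633600::::::e::::::23:
fpr:::::::::0000000000000000000000001122334455667788:
grp:::::::::2222222222222222222222222222222222222222:
sub:u:4096:1:99AABBCCDDEEFF00:1602633600::::::a::::::23:
fpr:::::::::00000000000000000000000099AABBCCDDEEFF00:
grp:::::::::3333333333333333333333333333333333333333:
sub:u:4096:1:FEDCBA9876543210:1602633600::::::s::::::23:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
grp:::::::::4444444444444444444444444444444444444444:'

# subkey_field CAP REC: read a colon-format listing on stdin and print field 10
# of the first REC record (fpr or grp) belonging to a subkey whose capabilities
# include CAP. Primary-key records are skipped, so a primary with [SC] is never
# mistaken for the signing subkey.
subkey_field() {
  awk -F: -v cap="$1" -v rec="$2" '
    $1 == "pub" { want = 0; next }
    $1 == "sub" { want = (index($12, cap) > 0); next }
    want && $1 == rec { print $10; exit }
  '
}

# Fingerprint of the signing subkey (for git user.signingkey) and keygrip of the
# authentication subkey (for ~/.gnupg/sshcontrol), given a listing as argument.
signing_fpr()  { printf '%s\n' "$1" | subkey_field s fpr; }
auth_keygrip() { printf '%s\n' "$1" | subkey_field a grp; }

# add_to_sshcontrol KEYGRIP [FILE]: list one keygrip in sshcontrol so gpg-agent
# offers that key over its ssh socket. Rejects anything that is not a 40-char
# hex keygrip, is idempotent, and creates the file owner-readable only.
add_to_sshcontrol() {
  grip=$1
  file=${2:-"$HOME/.gnupg/sshcontrol"}
  case $grip in
    ""|*[!0-9A-Fa-f]*) echo "malformed keygrip: '$grip'" >&2; return 1 ;;
  esac
  [ "${#grip}" -eq 40 ] || { echo "keygrip must be 40 hex chars" >&2; return 1; }
  if [ -f "$file" ] && grep -qi "^$grip" "$file"; then
    return 0                      # already listed
  fi
  ( umask 077; printf '%s\n' "$grip" >>"$file" )
}

# configure_live_system USER-ID: the real-machine steps, to run after the public
# key is imported and `gpg --card-status` has created the stubs for the card.
# The `!` suffix makes git sign with exactly that subkey rather than letting gpg
# pick one; gpg-agent is killed so it restarts with enable-ssh-support.
configure_live_system() {
  listing=$(gpg --with-colons --with-keygrip -k "$1")
  git config --global commit.gpgsign true
  git config --global user.signingkey "$(signing_fpr "$listing")!"
  add_to_sshcontrol "$(auth_keygrip "$listing")"
  conf="$HOME/.gnupg/gpg-agent.conf"
  grep -qx enable-ssh-support "$conf" 2>/dev/null || echo enable-ssh-support >>"$conf"
  gpgconf --kill gpg-agent
  SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) ssh-add -l
}

# Offline demonstration on the constructed listing.
printf 'signing subkey fingerprint : %s\n' "$(signing_fpr "$SAMPLE_LISTING")"
printf 'authentication subkey grip : %s\n' "$(auth_keygrip "$SAMPLE_LISTING")"
```

Parsing the `--with-colons` form rather than the human-readable listing matters because the human-readable layout changes between gpg versions and locales, while the colon format is documented as stable. Rejecting anything that is not a 40-character hex keygrip before appending to `sshcontrol` keeps a typo or a pasted fingerprint from silently leaving the agent with a key it cannot find.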
#### Solve the `sign_and_send_pubkey: signing failed for RSA` error:
This usually means the agent tried to show the PIN prompt on a terminal that no longer exists. `gpg-connect-agent updatestartuptty /bye` points the agent at your current terminal so the next operation can display the PIN prompt.