@bguiz
Forked from luisfontes19/yubi_gpg.sh
Created October 6, 2020 09:30
Yubikey GPG config
#!/bin/zsh
##
## This automation was created to be used on macOS, based on the instructions from drduh
## (https://github.com/drduh/YubiKey-Guide)
##
## You need to install gpg first:
## brew install gnupg hopenpgp-tools ykman pinentry-mac
## and GPG Suite can also come in handy (https://gpgtools.org/)
##
## Install expect, to automate user expected input:
## brew install expect
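#variables definition
#you may change these variables as you wish, or override them from the environment
#without editing the script (e.g. YUBI_GPG_EMAIL=me@example.com ./yubi_gpg.sh)
firstname="${YUBI_GPG_FIRSTNAME:-FIRST}"
lastname="${YUBI_GPG_LASTNAME:-LAST}"
email="${YUBI_GPG_EMAIL:-YOUREMAIL@protonmail.com}"
username="${firstname} ${lastname}"
#RSA key size in bits, used for the master key and for every subkey
keySize="${YUBI_GPG_KEYSIZE:-4096}"
#expiration as accepted by gpg's "Key is valid for?" prompt: 0 = never, or e.g. 1y
#masterKeyExpiration applies to the certify-only master key, subkeysExpiration to the
#signing/encryption/authentication subkeys
masterKeyExpiration="${YUBI_GPG_MASTER_EXPIRATION:-0}"
subkeysExpiration="${YUBI_GPG_SUBKEYS_EXPIRATION:-0}"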
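## Starting the process
#a fresh private temp dir (mktemp -d creates it 0700) is used as GNUPGHOME so the master
#key is generated away from ~/.gnupg. It is deliberately NOT removed on exit: it holds the
#master secret key until the exports at the end of the script have been backed up.
GNUPGHOME=$(mktemp -d) || { printf 'mktemp -d failed\n' >&2; exit 1; }
export GNUPGHOME
cd "$GNUPGHOME" || { printf 'cannot cd to %s\n' "$GNUPGHOME" >&2; exit 1; }
#wget https://raw.githubusercontent.com/drduh/config/master/gpg.conf
#24 random bytes from gpg's RNG, base64 armored: this is the passphrase the user has to type
#at every "Passphrase" prompt. It is only shown on the terminal, this script never writes it
#to disk.
masterkey=$(gpg --gen-random --armor 0 24)
if [[ -z "$masterkey" ]]; then
  printf 'gpg --gen-random produced no output, is gnupg installed?\n' >&2
  exit 1
fi
printf '\n\n'
cat <<'EOF'
********************************************************************************************
 ATTENTION
********************************************************************************************
The following key (securily generated) will be your master key, please keep it in a safe place
YOU REALLY NEED THIS KEY, SAVE IT

EOF
printf '%s\n' "$masterkey"
cat <<'EOF'

NOTE: Through this script, everytime a 'Passphrase' is asked, you should also use this key
Its not just for the script, so, don't trash it after
********************************************************************************************
press any key if you have saved the master key
EOF
#wait for Enter: the script only continues once the user acknowledged the passphrase
read -r _ack
#this is needed so that passphrase input doesn't screw expect
GPG_TTY=$(tty)
export GPG_TTY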
############################
# Generate master key
############################
# Drives gpg's interactive key generator with expect. The heredoc is unquoted, so
# ${keySize}, ${masterKeyExpiration}, ${username} and ${email} are expanded by the shell
# before expect sees them. The passphrase prompt is answered by the user (through pinentry,
# which is why GPG_TTY was exported above); expect sends nothing for it.
# NOTE(review): timeout is 30s and no timeout handler is set, so if a prompt does not show
# up in time expect just continues (its default) and the shell goes on; a failed generation
# is only noticed later, when the key ID is looked up.
expect <<- DONE
set timeout 30
spawn gpg --expert --full-generate-key
#8 = RSA with custom capabilities in gpg's expert menu (confirm for your gpg version)
expect "Your selection? "
send -- "8 \r"
#toggle Encrypt and Sign off so the master key keeps only Certify, then Q to finish
expect "Your selection? "
send -- "E \r"
expect "Your selection? "
send -- "S \r"
expect "Your selection? "
send -- "Q \r"
expect "What keysize do you want?*"
send -- "${keySize} \r"
expect "Key is valid for?*"
send -- "${masterKeyExpiration} \r"
expect "Is this correct? (y/N)"
send -- "y\r"
#user id: real name and e-mail from the variables at the top, no comment
expect "Real name:*"
send -- "${username}\r"
expect "Email address:*"
send -- "${email}\r"
expect "Comment:*"
send -- "\r"
expect "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?*"
send -- "o\r"
expect eof
DONE
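#get the generated key ID. GNUPGHOME is a fresh temp dir, so the only secret key in it is
#the one just generated: ask gpg for it instead of parsing "ls" output of ~/.gnupg (which is
#a different directory and may hold older keys). In --with-colons output the "fpr" record
#carries the full fingerprint in field 10; its last 16 hex digits are the long key ID.
keyfpr=$(gpg --list-secret-keys --with-colons 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }')
if [[ -z "$keyfpr" ]]; then
  printf 'no secret key found in %s: master key generation failed\n' "$GNUPGHOME" >&2
  exit 1
fi
key="${keyfpr: -16}"
keyid="0x${key}"
export KEYID=$keyid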
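############################
# Add subkeys, set trust, mark uid 1 primary
############################
#Drives "gpg --edit-key" with expect. The three subkeys are created in the order signing,
#encryption, authentication; the keytocard steps further down rely on that order
#(key 1 / key 2 / key 3). Subkeys use subkeysExpiration (the master key above used
#masterKeyExpiration). Passphrase prompts are answered by the user through pinentry.
#As with the master key, an expect timeout is not treated as an error: expect continues,
#so check "gpg --list-keys" if something looks off afterwards.
expect <<- DONE
set timeout 30
spawn gpg --expert --edit-key $KEYID
#signing key (4 = RSA, sign only)
expect "gpg> "
send -- "addkey\r"
expect "Your selection? "
send -- "4 \r"
expect "What keysize do you want?*"
send -- "${keySize} \r"
expect "Key is valid for?*"
send -- "${subkeysExpiration} \r"
expect "Is this correct? (y/N)"
send -- "y\r"
expect "Really create? (y/N)"
send -- "y\r"
#encryption key (6 = RSA, encrypt only)
expect "gpg> "
send -- "addkey\r"
expect "Your selection? "
send -- "6 \r"
expect "What keysize do you want?*"
send -- "${keySize} \r"
expect "Key is valid for?*"
send -- "${subkeysExpiration} \r"
expect "Is this correct? (y/N)"
send -- "y\r"
expect "Really create? (y/N)"
send -- "y\r"
#authentication key (8 = RSA with custom capabilities: S and E toggled off, A toggled on)
expect "gpg> "
send -- "addkey\r"
expect "Your selection? "
send -- "8 \r"
expect "Your selection? "
send -- "S \r"
expect "Your selection? "
send -- "E \r"
expect "Your selection? "
send -- "A \r"
expect "Your selection? "
send -- "Q \r"
expect "What keysize do you want?*"
send -- "${keySize} \r"
expect "Key is valid for?*"
send -- "${subkeysExpiration} \r"
expect "Is this correct? (y/N)"
send -- "y\r"
expect "Really create? (y/N)"
send -- "y\r"
#ultimate trust for our own key
expect "gpg> "
send -- "trust\r"
expect "Your decision? "
send -- "5 \r"
expect "Do you really want to set this key to ultimate trust?* "
send -- "y \r"
#make uid 1 the primary user id and persist everything
expect "gpg> "
send -- "uid 1\r"
expect "gpg> "
send -- "primary\r"
expect "gpg> "
send -- "save\r"
expect eof
DONE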
#tell the user what happens next (the PINs themselves are entered interactively)
cat <<'EOF'

********************************************************************************************
 ATTENTION
********************************************************************************************
You will now be asked to change the yubikey pins
By default the admin pin is 12345678 and the regular pin 123456
Use the default to change yours. Please do not forget your new pins as they will be needed
********************************************************************************************

Press any key to continue...
EOF
read trash
#change pins
#Walks the "gpg --change-pin" menu: 3 = change Admin PIN, 1 = change (user) PIN, q = quit
#(menu numbering as of the gpg versions this was written for; confirm on yours). The old and
#new PIN values are typed by the user in pinentry: expect never sends a PIN, so no secret is
#embedded in this script.
expect <<- DONE
set timeout 30
spawn gpg --change-pin
expect "Your selection? "
send -- "3\r"
expect "Your selection? "
send -- "1\r"
expect "Your selection? "
send -- "q\r"
expect eof
DONE
#change card data
#Sets the cardholder name and the login field on the yubikey through "gpg --edit-card".
#"admin" unlocks the admin commands; "name" asks for the surname first and the given name
#second (see the two prompts below); "login" stores the e-mail as login data. The Admin PIN
#prompt is answered by the user, expect sends only the menu input and the values from the
#variables at the top.
expect <<- DONE
set timeout 30
spawn gpg --edit-card
expect "gpg/card> "
send -- "admin\r"
expect "gpg/card> "
send -- "name\r"
expect "Cardholder*"
send -- "${lastname}\r"
expect "Cardholder's given name: "
send -- "${firstname}\r"
expect "gpg/card> "
send -- "login\r"
expect "Login data (account name): "
send -- "${email}\r"
expect "gpg/card> "
send -- "quit\r"
expect eof
DONE
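############################
# Back up the keys, then move the subkeys to the yubikey
############################
#keytocard MOVES a subkey: once "save" runs, the copy in GNUPGHOME is replaced by a stub
#that only points at the card. The secret exports therefore have to be taken BEFORE the
#transfer, otherwise the sub.key backup contains no key material and the subkeys cannot be
#restored onto a replacement card. If any export fails (e.g. passphrase cancelled) we stop
#here, before anything is moved off this machine.
#exported key files are written with owner-only permissions
umask 077
echo "Saving gpg public key in desktop (gpg_public_key.txt)"
gpg --export -a "$KEYID" > ~/Desktop/gpg_public_key.txt || exit 1
echo "Saving gpg data"
gpg --export -a > ~/Desktop/gpg.txt || exit 1
gpg --armor --export-secret-keys "$KEYID" > ~/Desktop/master.key || exit 1
gpg --armor --export-secret-subkeys "$KEYID" > ~/Desktop/sub.key || exit 1

#######################################
# Move subkey number $1 of KEYID to the card slot with the same number, as offered by
# keytocard's selection menu (1 = signature, 2 = encryption, 3 = authentication). This
# matches the order the subkeys were created in above. The passphrase and Admin PIN
# prompts are answered by the user; expect sends only the menu choices.
# Arguments: $1 - subkey index / card slot (1, 2 or 3)
#######################################
send_subkey_to_card() {
  expect << DONE
set timeout 90
spawn gpg --edit-key $KEYID
expect "gpg> "
send -- "key ${1}\r"
expect "gpg> "
send -- "keytocard\r"
expect "Your selection? "
send -- "${1} \r"
expect "gpg> "
send -- "save\r"
expect eof
DONE
}
#send key 1 to yubi
send_subkey_to_card 1
#send key 2 to yubi
send_subkey_to_card 2
#send key 3 to yubi
send_subkey_to_card 3

#Generating gpg.conf and gpg-agent.conf in the permanent ~/.gnupg (not the temp GNUPGHOME).
#Existing files are overwritten; a copy is kept next to them as <name>.bak
mkdir -p "$HOME/.gnupg" || exit 1
chmod 700 "$HOME/.gnupg"
for conf in gpg.conf gpg-agent.conf; do
  [[ -e "$HOME/.gnupg/$conf" ]] && cp -p "$HOME/.gnupg/$conf" "$HOME/.gnupg/$conf.bak"
done
cat > "$HOME/.gnupg/gpg.conf" <<'EOF'
use-agent
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
no-emit-version
EOF
#NOTE(review): write-env-file and use-standard-socket are reported as obsolete (and ignored)
#by recent gpg-agent versions; harmless, but confirm against your gpg version.
cat > "$HOME/.gnupg/gpg-agent.conf" <<'EOF'
# if on Mac OS X and GPG Suite is installed
# otherwise, look for 'pinentry' on your system
# enables SSH support (ssh-agent)
enable-ssh-support
# writes environment information to ~/.gpg-agent-info
write-env-file
use-standard-socket
# default cache timeout of 600 seconds
default-cache-ttl 600
max-cache-ttl 7200
EOF

#appending to zsh config, only once: skip when the agent socket line is already there so
#repeated runs do not keep growing ~/.zshrc. The heredoc is unquoted on purpose so that
#$HOME is resolved now, as in the original script.
if ! grep -qF 'S.gpg-agent.ssh' ~/.zshrc 2>/dev/null; then
  cat >> ~/.zshrc <<EOF
if [ -S "$HOME/.gnupg/S.gpg-agent.ssh" ]; then
export SSH_AUTH_SOCK="$HOME/.gnupg/S.gpg-agent.ssh"
gpgconf --launch gpg-agent
gpgconf --kill all
fi
EOF
fi

gpg --card-status
cat <<'EOF'

********************************************************************************************
 ATTENTION
********************************************************************************************

[+] Exported secret key to ~/Desktop/master.key
[+] Exported subkeys key to ~/Desktop/sub.key

[!] Back up these two files to outside this computer and delete them from here

Almost done... Open a new terminal window and paste the following line to make sure everything is working:
gpg --card-status && ssh-add -L

This should show you your ssh public key
EOF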