How to use SSH & GPG with YubiKeys on macOS
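# Create ~/.gnupg with owner-only permissions up front; gpg complains about
# (and some tools refuse) a home directory that is readable by others.
mkdir -m 0700 -p ~/.gnupg
brew install gnupg
# pinentry-mac gives gpg-agent a native PIN dialog, which is what lets apps
# without a terminal (GUI git clients, editors) unlock the card later on.
brew install pinentry-mac

# Resolve pinentry-mac portably. The original line used `which` inside a
# ${$(...)} nesting that only zsh understands — bash reports "bad substitution"
# — so use command -v and fail loudly if the binary is not on PATH.
pinentry="$(command -v pinentry-mac)"
: "${pinentry:?pinentry-mac not found in PATH (is \$(brew --prefix)/bin on PATH?)}"

# Write gpg-agent.conf idempotently: the original `>>` appended a new
# pinentry-program line on every re-run. Also add enable-ssh-support — without
# it gpg-agent does not serve the ssh-agent protocol on its SSH socket, and the
# `ssh-add -l` check below finds nothing even with the YubiKey inserted.
agent_conf="$HOME/.gnupg/gpg-agent.conf"
touch "$agent_conf"
grep -q '^pinentry-program ' "$agent_conf" \
  || printf 'pinentry-program %s\n' "$pinentry" >> "$agent_conf"
grep -q '^enable-ssh-support' "$agent_conf" \
  || printf 'enable-ssh-support\n' >> "$agent_conf"
chmod 0600 "$agent_conf"

# Stop any agent that was already running with the old config (a no-op if none
# was), then start it for the first time.
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent

# Ask gpgconf where the SSH socket actually is instead of hard-coding
# ~/.gnupg/S.gpg-agent.ssh; the location depends on the GnuPG version/config.
SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
export SSH_AUTH_SOCK
# Test SSH keys (insert the YubiKey first). The card's authentication key
# should be listed with a "cardno:..." comment.
ssh-add -l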
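# Persist the agent setup for every login shell. The original appended the
# snippet unconditionally, so each re-run of this file duplicated it in
# ~/.zprofile; guard on a marker string that only this snippet contains.
# The delimiter is quoted so nothing is expanded now — every $... below is
# evaluated by the login shell, which is the point.
if ! grep -q 'agent-ssh-socket' ~/.zprofile 2>/dev/null; then
cat << 'EOF' >> ~/.zprofile
# --- gpg-agent as SSH agent (YubiKey) ---
gpgconf --launch gpg-agent
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
# Fix sign_and_send_pubkey: signing failed for RSA "card:XXX" from agent: agent refused operation
# Ref: https://support.nitrokey.com/t/nitrokey-ssh-git-sign-and-send-pubkey-signing-failed-agent-refused-operation/1886/3
export GPG_TTY=$(tty)
EOF
fi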
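# Start gpg-agent from launchd as well, so apps that never source ~/.zprofile
# (GUI git clients, editors) still find a running agent.
# Resolve the Homebrew prefix instead of hard-coding /usr/local/bin/gpgconf:
# on Apple Silicon Homebrew installs under /opt/homebrew and the hard-coded
# path simply does not exist, leaving the job failing silently at every login.
gpgconf_bin="$(brew --prefix)/bin/gpgconf"
agent_plist="$HOME/Library/LaunchAgents/homebrew.gpg.gpg-agent.plist"
mkdir -p "$HOME/Library/LaunchAgents"
# Unquoted delimiter on purpose: ${gpgconf_bin} must be expanded here.
cat << EOF > "$agent_plist"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Unique job label -->
  <key>Label</key>
  <string>homebrew.gpg.gpg-agent</string>
  <!-- Command and arguments: gpgconf launches the agent and returns -->
  <key>ProgramArguments</key>
  <array>
    <string>${gpgconf_bin}</string>
    <string>--launch</string>
    <string>gpg-agent</string>
  </array>
  <!-- Run once when the job is loaded, i.e. at login -->
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
EOF
# (Re)load the job. Unload first so re-running this file does not fail on an
# already-loaded label; the error from an unloaded label is irrelevant.
launchctl unload "$agent_plist" 2>/dev/null || true
launchctl load -F "$agent_plist"
# Verify. `launchctl list` prints PID, last exit status and label: the status
# column should be 0. A "-" in the PID column is expected, because gpgconf
# returns once the agent is launched. pgrep confirms the agent itself is up.
launchctl list | grep gpg-agent
pgrep -fl gpg-agent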
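# Point macOS's default SSH agent socket at the gpg-agent SSH socket, so tools
# that only honour launchd's SSH_AUTH_SOCK (GUI apps, IDEs) also reach the card.
#
# The here-doc delimiter is QUOTED on purpose. $HOME and $SSH_AUTH_SOCK must be
# expanded by /bin/sh inside launchd at run time, where SSH_AUTH_SOCK is the
# launchd "Listeners" socket. The original unquoted here-doc expanded them in
# the *current* shell — where SSH_AUTH_SOCK had just been exported as the gpg
# socket itself — producing `ln -sf X X`: a self-referencing symlink that
# unlinks the live agent socket.
#
# Caveat: `ln -sf` replaces the launchd socket file for every process of this
# user; if the gpg socket ever moves (check `gpgconf --list-dirs
# agent-ssh-socket`), update the path in the job or the link dangles.
link_plist="$HOME/Library/LaunchAgents/link-ssh-auth-sock.plist"
mkdir -p "$HOME/Library/LaunchAgents"
cat << 'EOF' > "$link_plist"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>link-ssh-auth-sock</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <!-- Link only when launchd provided a socket path and it is not already the gpg socket -->
    <string>gpg_sock="$HOME/.gnupg/S.gpg-agent.ssh"; if [ -n "$SSH_AUTH_SOCK" ] &amp;&amp; [ "$SSH_AUTH_SOCK" != "$gpg_sock" ]; then /bin/ln -sf "$gpg_sock" "$SSH_AUTH_SOCK"; fi</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
EOF
# Load the job (the original labelled this step "Verify", but it is the load).
launchctl unload "$link_plist" 2>/dev/null || true
launchctl load -F "$link_plist"
# Verify: if launchd exported a socket path for this session it should now be
# a symlink to the gpg-agent SSH socket.
launchctl getenv SSH_AUTH_SOCK
ls -l "$(launchctl getenv SSH_AUTH_SOCK)"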
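# Connect the YubiKey and pull its public key. `fetch` downloads the key from
# the URL field stored on the card, so that field must have been set when the
# card was provisioned. The two commands are typed at the "gpg/card>" prompt —
# they are NOT shell lines. In the original they were written as `> fetch` and
# `> quit`, which, pasted into a shell, silently create empty files named
# "fetch" and "quit" in the current directory instead of talking to gpg.
gpg --card-edit
#   gpg/card> fetch
#   gpg/card> quit

# `fetch` retrieves the key over the network. Before trusting it for git or
# SSH, confirm the imported key belongs to this card: the fingerprints printed
# by --card-status must match the key that now appears in the secret listing
# ("ssb>" marks a stub whose private part lives on the card).
gpg --card-status
gpg --list-secret-keys --keyid-format long

# Configure git to sign commits with the card key. Use the full fingerprint or
# the 16-hex-digit long ID from the listing above — short 8-digit IDs are
# cheap to collide and must not be used as a signing-key selector.
git config --global user.signingkey YOUR_PGP_KEY
git config --global commit.gpgsign true
# Pin git to the Homebrew gpg so a different gpg binary earlier on PATH (one
# that does not know this agent/card) is never picked up.
git config --global gpg.program "$(command -v gpg)"
# Verify your git config
cat ~/.gitconfig
# or, with the file each value came from
git config --list --global --show-origin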