
@cstrahan
Forked from rpardini/setupYubikey.sh
Created August 29, 2018 00:59
Automated-ish setup of Yubikey for SSH logins (replace ssh-agent with gpg-agent from brew)
#! /bin/bash
# Installs GnuPG, pinentry-mac and ykpers from Homebrew when they are not already
# the brew copies in /usr/local/bin, then wires gpg-agent up as the SSH agent.
set -e
# The probe runs inside [[ ]] on purpose: a bare assignment such as
# VAR=$(which gpgconf) aborts the script under set -e when the tool is absent,
# which is exactly the case the install branch exists for.
for tool in gpgconf pinentry-mac ykinfo; do
  if [[ "$(which "$tool")" != "/usr/local/bin/$tool" ]]; then
    echo "You don't have $tool installed from brew, let's install it."
    brew install gnupg pinentry-mac ykpers
  else
    echo "$tool seems in the right place."
  fi
done
echo "Checking Yubikey hardware (ykpers/ykinfo)..."
ykinfo -a
echo "Checking Yubikey data (via gpg --card-status)..."
gpg --card-status
echo "Checking csrutil status; you should see disabled. If not, disable it via Recovery."
echo "---------------------------- check below -----------------------------------------"
csrutil status
echo "---------------------------- check above -----------------------------------------"
cat << EOD
If you see 'enabled' in the output above:
1) Boot into your Recovery OS (hold Cmd+R at boot) and run 'csrutil disable', then boot normally
2) Run this script again
3) Boot into your Recovery OS (hold Cmd+R at boot) and run 'csrutil enable', then boot normally
Done.
Press ENTER to continue or Ctrl-C to stop.
EOD
read -r _   # wait for ENTER
cat << EOD
I will need to sudo to disable ssh-agent from Apple.
Please give me sudo password now, I will reuse it later.
EOD
# Prime sudo's credential cache so the later sudo calls don't prompt again.
sudo -v
echo "Starting setup..."
mkdir -p "$HOME/.gnupg"
chmod 700 "$HOME/.gnupg"   # gpg warns on a homedir other users can read
echo "Writing $HOME/.gnupg/gpg-agent.conf"
cat << EOD > "$HOME/.gnupg/gpg-agent.conf"
pinentry-program /usr/local/bin/pinentry-mac
enable-ssh-support
default-cache-ttl 86400
max-cache-ttl 86400
EOD
echo "Writing $HOME/Library/LaunchAgents/gpg.agent.daemon.plist"
mkdir -p "$HOME/Library/LaunchAgents"   # not present on a fresh account
cat << 'EOD' > "$HOME/Library/LaunchAgents/gpg.agent.daemon.plist"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>gpg.agent.daemon.plist</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/gpgconf</string>
<string>--launch</string>
<string>gpg-agent</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
EOD
echo "Writing $HOME/Library/LaunchAgents/gpg.agent.setenv.plist"
# 'EOD' is quoted so $HOME is written literally; launchd's /bin/sh expands it at login.
cat << 'EOD' > "$HOME/Library/LaunchAgents/gpg.agent.setenv.plist"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>gpg.agent.setenv</string>
<key>ProgramArguments</key>
<array>
<string>/bin/sh</string>
<string>-c</string>
<string>/bin/launchctl setenv SSH_AUTH_SOCK $HOME/.gnupg/S.gpg-agent.ssh</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
EOD
echo "This was all very easy until now."
echo "Now we have to disable Apple's ssh-agent, which lives under rootless 'System Integrity Protection'."
echo "Some of the commands below will fail; that's normal, but SIP should not be mentioned."
launchctl unload /System/Library/LaunchAgents/com.openssh.ssh-agent.plist || true
launchctl unload -w /System/Library/LaunchAgents/com.openssh.ssh-agent.plist || true
sudo launchctl unload /System/Library/LaunchAgents/com.openssh.ssh-agent.plist || true
sudo launchctl unload -w /System/Library/LaunchAgents/com.openssh.ssh-agent.plist || true
sudo mv /System/Library/LaunchAgents/com.openssh.ssh-agent.plist /System/Library/LaunchAgents/com.openssh.ssh-agent.plist.bak || true
echo "Now, if you correctly disabled SIP/rootless, just reboot and everything should work."
echo "If SIP is still enabled, you still have SSH_AUTH_SOCK pointing to the wrong place."
echo "Good luck!"
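The gist's final step moves Apple's ssh-agent plist out of /System, which only works with SIP disabled. As an added verification helper (not part of the gist; it assumes the paths the gist writes and uses the real `gpgconf --list-dirs agent-ssh-socket` command), the script below checks the resulting setup from a normal login shell and does not touch /System at all:

```shell
#!/bin/bash
# Added verification helper, not part of the original gist. It checks the two
# things the gist sets up: gpg-agent.conf carries the SSH and pinentry settings,
# and SSH_AUTH_SOCK points at gpg-agent's socket instead of Apple's ssh-agent.
# Assumed paths are the ones the gist writes: /usr/local/bin/pinentry-mac and
# $HOME/.gnupg/S.gpg-agent.ssh. Nothing here needs SIP changes or a Yubikey.

# Return 0 when the gpg-agent.conf at $1 contains every directive the gist relies on.
check_agent_conf() {
  local conf="$1" directive missing=0
  for directive in "enable-ssh-support" "pinentry-program /usr/local/bin/pinentry-mac"; do
    # -x: whole-line match, -F: literal string (no regex surprises from the path)
    if ! grep -qxF -- "$directive" "$conf" 2>/dev/null; then
      echo "missing in $conf: $directive" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Return 0 when $1 is gpg-agent's SSH socket path. Apple's launchd-started
# ssh-agent uses a path like /private/tmp/com.apple.launchd.XXXX/Listeners,
# which is what a stale or untouched SSH_AUTH_SOCK usually still holds.
sock_is_gpg_agent() {
  case "$1" in
    */S.gpg-agent.ssh) return 0 ;;
    *)                 return 1 ;;
  esac
}

# Live check for the macOS host; meaningful only after the gist ran and you logged in again.
verify_live() {
  local expected
  check_agent_conf "$HOME/.gnupg/gpg-agent.conf" || return 1
  # gpgconf knows the real socket location, so prefer it when available.
  expected=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null || echo "$HOME/.gnupg/S.gpg-agent.ssh")
  if ! sock_is_gpg_agent "${SSH_AUTH_SOCK:-}"; then
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} is not gpg-agent's socket (expected $expected)" >&2
    return 1
  fi
  # With the card inserted, its authentication key is listed with a 'cardno:' comment.
  ssh-add -L
}
```

Run `verify_live` in a fresh terminal; a failure names the directive or socket that is wrong, which is the same information the gist's "good luck" reboot leaves you to guess at.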