@eth-p
Last active April 1, 2022 22:59
How to quickly set up stuff from a GPG master key.

GPG Master Key on New Computer Guide:

Resources:

TL;DR Guide for New Computers

  1. Set up a GUI pinentry.

  2. Import your master private key.

    $ gpg --import "master-key"
    gpg: key 0123456789ABCDEF: public key "You <your@own.email>" imported
    gpg: key 0123456789ABCDEF: secret key imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    gpg:       secret keys read: 1
    gpg:   secret keys imported: 1
    
  3. Get the full fingerprint of your master key.

    $ gpg --list-keys 0123456789ABCDEF
    pub   rsa4096 2018-03-18 [C]
          0123456789ABCDEF0123456789ABCDEF01234567
    uid           [ unknown] You <your@own.email>
    sub   rsa4096 2018-03-18 [E]
  4. Generate your signing subkey.

    $ gpg --quick-add-key 0123456789ABCDEF0123456789ABCDEF01234567 ed25519 sign
    $ gpg --list-keys --with-subkey-fingerprint 0123456789ABCDEF
    pub   rsa4096 2018-03-18 [C]
          0123456789ABCDEF0123456789ABCDEF01234567
    uid           [ unknown] You <your@own.email>
    sub   ed25519 2022-03-26 [S]
          DEADBEEF00000000000000000000000000000000   <-- This is your signing key.
  5. Tell git to use your signing subkey.

    $ git config --global commit.gpgsign true
    $ git config --global user.signingkey DEADBEEF00000000000000000000000000000000
    
  6. Generate your SSH subkeys. ($MASTER_KEY below is the full master key fingerprint from step 3.)

    $ gpg --quick-add-key $MASTER_KEY rsa4096 auth
    $ gpg --quick-add-key $MASTER_KEY ed25519 auth
    $ gpg --list-keys --with-subkey-fingerprint --with-keygrip 0123456789ABCDEF
    ...
    sub   ed25519 2022-03-26 [A]
          DEADBEEF11111111111111111111111111111111   <-- This is your ed25519 SSH key.
          Keygrip = CAFE1111DDDD1111DDDD1111DD       <-- And this is its keygrip.
    sub   rsa4096 2022-03-26 [A]
          DEADBEEF22222222222222222222222222222222   <-- This is your rsa4096 SSH key.
          Keygrip = CAFE2222DDDD2222DDDD2222DD       <-- And this is its keygrip.
  7. Configure gnupg to act as an ssh-agent.

    $ echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
    $ gpg-connect-agent reloadagent /bye
    OK

    And find some way to add export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" to your bashrc.

  8. Add your SSH subkeys to the list of keys in the emulated ssh-agent.

    $ echo CAFE1111DDDD1111DDDD1111DD >> ~/.gnupg/sshcontrol
    $ echo CAFE2222DDDD2222DDDD2222DD >> ~/.gnupg/sshcontrol
  9. Export your SSH subkeys.

    $ gpg --export-ssh-key "DEADBEEF11111111111111111111111111111111!" > ~/.ssh/id_ed25519.pub
    $ gpg --export-ssh-key "DEADBEEF22222222222222222222222222222222!" > ~/.ssh/id_rsa.pub

    Note the "!" at the end of the fingerprint. It tells gpg to use exactly that subkey instead of picking one itself, so the exported public key is the one you expect.

  10. Purge the master private key.

    $ gpg --list-secret-keys --with-keygrip 0123456789ABCDEF
    pub   rsa4096 2018-03-18 [C]
          0123456789ABCDEF0123456789ABCDEF01234567
          Keygrip = BADBADBADBADBADBADBADBADBADBADBADBADBAD0
    uid           [ unknown] You <your@own.email>
    sub   rsa4096 2018-03-18 [E]
    ...
    
    $ gpg-connect-agent "DELETE_KEY BADBADBADBADBADBADBADBADBADBADBADBADBAD0" /bye
    OK
  11. Reupload the master public key.

    GitHub won't know about the new subkeys until you do this. It would also probably be a good idea to keep a running list of subkeys.
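The script below is an added example, not part of eth-p's gist. It replaces the "read the fingerprint and keygrip off the screen" parts of steps 6, 8, 9 and 10 with a parser for GnuPG's machine-readable --with-colons output, whose field layout (documented in doc/DETAILS in the GnuPG source) is stable where the human-readable listing is not. The function names are my own, and both listings are constructed samples that reuse the gist's placeholder fingerprints and keygrips; on a real machine you would feed the functions the output of gpg --with-colons --with-subkey-fingerprint --with-keygrip --list-keys and gpg --with-colons --with-keygrip --list-secret-keys. The last function is the check a practitioner wants after step 10: it confirms the master secret key really is reduced to a stub on this computer.

```shell
#!/bin/sh
# Added example (not from the gist). Field numbers follow GnuPG's doc/DETAILS:
#   field 1  = record type (pub/sub/sec/ssb/fpr/grp/uid)
#   field 4  = public-key algorithm (1 = RSA, 22 = EdDSA)
#   field 12 = the key's own capabilities ("a" = authenticate, "s" = sign)
#   field 10 of fpr/grp records = fingerprint / keygrip
#   field 15 of a sec record = "#" when only a stub of the secret key remains

# Constructed sample: public listing after steps 4 and 6 (one signing
# subkey, two authentication subkeys), using the gist's placeholder values.
SAMPLE_PUBLIC_LISTING='pub:u:4096:1:0123456789ABCDEF:1521331200:::u:::cSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::BADBADBADBADBADBADBADBADBADBADBADBADBAD0:
uid:u::::1521331200::0000000000000000000000000000000000000000::You <your@own.email>::::::::::0:
sub:u:256:22:0000000000000000:1648252800::::::s:::::ed25519::
fpr:::::::::DEADBEEF00000000000000000000000000000000:
grp:::::::::CAFE0000DDDD0000DDDD0000DD:
sub:u:256:22:1111111111111111:1648252800::::::a:::::ed25519::
fpr:::::::::DEADBEEF11111111111111111111111111111111:
grp:::::::::CAFE1111DDDD1111DDDD1111DD:
sub:u:4096:1:2222222222222222:1648252800::::::a::::::::
fpr:::::::::DEADBEEF22222222222222222222222222222222:
grp:::::::::CAFE2222DDDD2222DDDD2222DD:'

# Constructed sample: secret listing after step 10. "#" in field 15 of the
# sec record marks the primary as a stub; the subkeys are still present.
SAMPLE_SECRET_AFTER_PURGE='sec:u:4096:1:0123456789ABCDEF:1521331200:::u:::cSC:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::BADBADBADBADBADBADBADBADBADBADBADBADBAD0:
ssb:u:256:22:1111111111111111:1648252800::::::a:::::ed25519::
grp:::::::::CAFE1111DDDD1111DDDD1111DD:'

# Constructed sample: the same listing before the purge (field 15 empty).
SAMPLE_SECRET_BEFORE_PURGE='sec:u:4096:1:0123456789ABCDEF:1521331200:::u:::cSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::BADBADBADBADBADBADBADBADBADBADBADBADBAD0:'

# Print "<fingerprint> <keygrip> <algo>" for every authentication-capable
# subkey in a listing, i.e. the SSH subkeys generated in step 6.
auth_subkeys() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" || $1 == "sec" { want = 0; next }
        $1 == "sub" || $1 == "ssb" { want = ($12 ~ /a/); algo = $4; fpr = ""; next }
        $1 == "fpr" && want        { fpr = $10; next }
        $1 == "grp" && want && fpr != "" { print fpr, $10, algo; want = 0 }
    '
}

# Keygrips still missing from ~/.gnupg/sshcontrol (step 8). Keygrips the
# file already contains are skipped, so re-running the step is harmless.
# $1 = public listing, $2 = current contents of sshcontrol.
sshcontrol_additions() {
    auth_subkeys "$1" | while read -r fpr grp algo; do
        case "$2" in
            *"$grp"*) ;;                # already enabled for SSH
            *) printf '%s\n' "$grp" ;;
        esac
    done
}

# The export commands of step 9: filename chosen from the algorithm, and the
# trailing "!" kept so gpg exports exactly that subkey.
ssh_export_commands() {
    auth_subkeys "$1" | while read -r fpr grp algo; do
        case "$algo" in
            22) name=id_ed25519 ;;
            1)  name=id_rsa ;;
            *)  name="id_$fpr" ;;       # unknown algorithm: name the file by fingerprint
        esac
        printf 'gpg --export-ssh-key "%s!" > ~/.ssh/%s.pub\n' "$fpr" "$name"
    done
}

# Step 10 check: succeed only when the primary secret key is a stub, i.e. the
# master private key material is no longer on this machine.
master_secret_is_stub() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" && $15 == "#" { stub = 1 }
        END { exit (stub ? 0 : 1) }
    '
}

# Stand-alone demonstration on the constructed samples.
echo "Authentication subkeys:";  auth_subkeys "$SAMPLE_PUBLIC_LISTING"
echo "sshcontrol additions:";    sshcontrol_additions "$SAMPLE_PUBLIC_LISTING" "CAFE1111DDDD1111DDDD1111DD"
echo "Export commands:";         ssh_export_commands "$SAMPLE_PUBLIC_LISTING"
if master_secret_is_stub "$SAMPLE_SECRET_AFTER_PURGE"; then
    echo "Master private key is a stub: purge confirmed."
fi
```

Only the lowercase capability letters are inspected, because on sub/ssb records field 12 describes that subkey alone; the uppercase letters that appear on the pub record summarise what the whole key can do through its subkeys and would give false positives, which is why pub and sec records reset the match.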

Mac-Specific Stuff

Launch GNUPG Agent Automatically:

  1. Download the org.gnupg.agent.plist file, and save it to $HOME/Library/LaunchAgents.
    You may need to change the program path on line 9.

  2. Install the Launch Agent:

    $ launchctl bootstrap "gui/$(id -u)" ~/Library/LaunchAgents/org.gnupg.agent.plist
    $ launchctl enable "gui/$(id -u)/org.gnupg.agent"
org.gnupg.agent.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>org.gnupg.agent</string>
<key>ProgramArguments</key>
<array>
<string>/bin/sh</string>
<string>-c</string>
<string>
rm "$SSH_AUTH_SOCK"
ln -s "$HOME/.gnupg/S.gpg-agent.ssh" "$SSH_AUTH_SOCK"
/opt/homebrew/bin/gpg-agent --daemon
/opt/homebrew/bin/gpg-connect-agent
</string>
</array>
<key>EnvironmentVariables</key>
<dict>
<key>PATH</key>
<string>/opt/homebrew/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin</string>
</dict>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>Umask</key>
<integer>63</integer>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>SecureSocketWithKey</key>
<string>SSH_AUTH_SOCK</string>
</dict>
</dict>
</dict>
</plist>