@nicolo-ribaudo
Last active June 25, 2024 06:33
PGP key

Meta

Key ID: C6CB6CC54E363735

Subkeys: AAFDA9101C58F338, A96EDD9C10BC77A5, 5BB1D2E5A4C8404B

Setup GPG

# Sign git commits with the signing subkey, and sign every commit by default.
git config --global user.signingkey AAFDA9101C58F338
git config --global commit.gpgsign true
# -f makes curl fail on an HTTP error instead of piping an error page into gpg --import.
curl -fsSL https://gist.githubusercontent.com/nicolo-ribaudo/2d3b27778d2b248947ddbb5c48b1bc3c/raw/414167846c58ed7bc039507b3ca05ec33e9a294a/pubkey.pem | gpg --import
# Compare the fingerprint with a copy obtained out of band before trusting the key;
# in the prompt run `trust`, choose 5 (ultimate), then `quit`.
gpg --edit-key C6CB6CC54E363735 # configure ultimate trust
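A scripted version of this setup, added here as an example and not part of the gist: it imports the key exactly as above, but grants ultimate trust only after the imported key's fingerprint matches one obtained out of band, since a 64-bit key ID identifies a key but is not a substitute for checking its fingerprint. The gist publishes the key ID C6CB6CC54E363735 but not the full fingerprint, so the fingerprint is a placeholder argument the reader supplies; the script name setup-key.sh is assumed, and the fingerprints in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the gist: import the published key and grant it
# ultimate trust only after the imported fingerprint matches one obtained
# out of band. The fingerprint argument is a placeholder; the gist publishes
# only the key ID C6CB6CC54E363735, not the full fingerprint.
set -u

KEY_URL="https://gist.githubusercontent.com/nicolo-ribaudo/2d3b27778d2b248947ddbb5c48b1bc3c/raw/414167846c58ed7bc039507b3ca05ec33e9a294a/pubkey.pem"
EXPECTED_KEYID="C6CB6CC54E363735"   # from the gist's "Meta" section
SIGNING_SUBKEY="AAFDA9101C58F338"   # from the gist's "Setup GPG" section

# Normalise a fingerprint as printed by `gpg --fingerprint`: drop spaces, upper-case.
norm_fpr() {
  printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# For v4 OpenPGP keys the 64-bit key ID is the low 8 bytes, i.e. the last 16 hex
# digits, of the 40-digit SHA-1 fingerprint.
keyid_from_fingerprint() {
  norm_fpr "$1" | tail -c 16
}

# Return 0 when a fingerprint is well-formed (40 hex digits) and belongs to the
# key ID we expect; 1 otherwise. A bare key ID is rejected: it is not a fingerprint.
fingerprint_matches_keyid() {
  fpr=$(norm_fpr "$1")
  case "$fpr" in
    *[!0-9A-F]*) return 1 ;;
  esac
  [ "${#fpr}" -eq 40 ] || return 1
  [ "$(keyid_from_fingerprint "$fpr")" = "$(norm_fpr "$2")" ]
}

# Print the primary-key fingerprint gpg has stored for a given key ID.
installed_fingerprint() {
  gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import, verify, then trust and configure git. Argument: the out-of-band fingerprint.
setup_gpg_key() {
  expected_fpr=$(norm_fpr "$1")
  fingerprint_matches_keyid "$expected_fpr" "$EXPECTED_KEYID" \
    || { echo "expected fingerprint does not end in key ID $EXPECTED_KEYID" >&2; return 1; }

  # -f makes curl fail on HTTP errors instead of piping an error page into gpg.
  curl -fsSL "$KEY_URL" | gpg --batch --import || return 1

  installed=$(installed_fingerprint "$EXPECTED_KEYID")
  [ "$installed" = "$expected_fpr" ] \
    || { echo "fingerprint mismatch: gpg has '$installed'" >&2; return 1; }

  # Non-interactive equivalent of `gpg --edit-key ... trust 5`: ownertrust value 6 = ultimate.
  printf '%s:6:\n' "$expected_fpr" | gpg --batch --import-ownertrust
  git config --global user.signingkey "$SIGNING_SUBKEY"
  git config --global commit.gpgsign true
}

# Usage: ./setup-key.sh --run '<40 hex digit fingerprint obtained out of band>'
# (constructed example argument: 0123456789ABCDEF01234567C6CB6CC54E363735)
if [ "${1:-}" = "--run" ]; then
  setup_gpg_key "$2"
fi
```

The ownertrust import does what the interactive `trust` command does, but only after two checks: the fingerprint you typed must actually end in the published key ID, and the key gpg imported must carry exactly that fingerprint. Either mismatch aborts before any trust is assigned.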

Misc

Restart daemon (Linux)

gpgconf --kill gpg-agent
gpgconf --launch gpg-agent

Setup SSH

~/.gnupg/gpg-agent.conf

enable-ssh-support
# The terminal for pinentry is announced by exporting GPG_TTY from the shell rc below.
# gpg-agent.conf has no ttyname option and does no variable expansion, so a line such as
# `ttyname $GPG_TTY` here is reported as an invalid option and achieves nothing.
# Cache a passphrase for 60 s after last use and never longer than 120 s.
# (Keys served over the SSH socket use default-cache-ttl-ssh / max-cache-ttl-ssh instead.)
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-gnome3
# pinentry-program /opt/homebrew/bin/pinentry-mac

.bashrc/.zshrc

# Tell gpg (and through it gpg-agent and pinentry) which terminal to prompt on.
export GPG_TTY="$(tty)"
# Point ssh at gpg-agent's SSH socket so the card's authentication key is offered to ssh.
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
# Start the agent now rather than on first use.
gpgconf --launch gpg-agent

Supporting GPG through SSH

The setup above covers a single device. To use a device both standalone and as an SSH server whose remote clients bring their own card-backed key, use the following config: each client forwards its restricted agent socket (S.gpg-agent.extra) to the server, and the server's shell startup swaps its own agent socket for a symlink to the forwarded one. Two caveats. If the server's gpg-agent is socket-activated by systemd (the gpg-agent.socket user units), disable those units first, otherwise systemd recreates the socket the snippet replaces. And ForwardAgent yes lets any process on the server that can open the forwarded SSH agent socket (root, or anything running as your user) authenticate with your SSH key, so enable it only for hosts you trust.

On the server, in .zshrc:

# For SSH from PGP on the Yubikey
# Paths are hard-coded for uid 1000; `gpgconf --list-dirs agent-socket` prints the first one.
GPG_AGENT_SOCKET="/run/user/1000/gnupg/S.gpg-agent"
GPG_AGENT_SOCKET_REMOTE="/run/user/1000/gnupg/S.gpg-agent.from-ssh"
if [[ -n $SSH_CONNECTION ]]; then
  # Remote session: point the standard socket at the one forwarded by the client,
  # unless an earlier remote session already did so.
  if [[ "$(realpath "$GPG_AGENT_SOCKET" 2> /dev/null)" != "$GPG_AGENT_SOCKET_REMOTE" ]]; then
    gpgconf --kill gpg-agent
    rm "$GPG_AGENT_SOCKET" 2> /dev/null || true
    ln -s "$GPG_AGENT_SOCKET_REMOTE" "$GPG_AGENT_SOCKET"
  fi
else
  # Local session: drop the symlink to the forwarded socket, then run a local agent.
  if [[ "$(realpath "$GPG_AGENT_SOCKET" 2> /dev/null)" == "$GPG_AGENT_SOCKET_REMOTE" ]]; then
    rm "$GPG_AGENT_SOCKET" || true
  fi
  export GPG_TTY="$(tty)"
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
  gpgconf --launch gpg-agent
fi

On the server, in /etc/ssh/sshd_config (without this, sshd will not bind a forwarded Unix socket over a socket file left behind by a previous session, and the RemoteForward fails):

StreamLocalBindUnlink yes

On each remote client's ~/.ssh/config. The first RemoteForward path is the one the server-side snippet expects; the second is the client's restricted agent socket (S.gpg-agent.extra), which allows signing and decryption but not exporting secret keys or changing passphrases. The path shown assumes macOS; on Linux it is usually /run/user/<uid>/gnupg/S.gpg-agent.extra:

Host <host name>
  ForwardAgent yes
  User <user name>
  RemoteForward /run/user/1000/gnupg/S.gpg-agent.from-ssh /Users/<user name>/.gnupg/S.gpg-agent.extra
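The three pieces above, as an added example that is not from the gist: a script that builds the client's Host stanza from what gpgconf reports on each side, so the hard-coded uid 1000 and macOS home path generalize to any client/server pair, plus a check that the forwarded socket really reaches the client's card. The host and user names, the script name gpg-forward.sh and the sample paths in the comments are placeholders; gpg, gpgconf and ssh are assumed to be installed on both ends.

```shell
#!/bin/sh
# Added example, not from the gist: derive the RemoteForward line for a
# client/server pair from gpgconf instead of hard-coding uid 1000 and a macOS
# home directory, and check that the forwarded socket answers.
set -u

# Suffix the gist's server-side rc snippet looks for.
FROM_SSH_SUFFIX=".from-ssh"

# Given the server's standard agent socket (`gpgconf --list-dirs agent-socket`
# run on the server), return the path the client must forward to.
remote_forward_target() {
  printf '%s%s\n' "$1" "$FROM_SSH_SUFFIX"
}

# Build the ssh_config RemoteForward line. The first path is bound on the
# server; the second is the client's *restricted* socket (S.gpg-agent.extra),
# which lets the server sign and decrypt but not export secret keys.
remote_forward_line() {
  server_socket=$1
  client_extra_socket=$2
  printf 'RemoteForward %s %s\n' \
    "$(remote_forward_target "$server_socket")" "$client_extra_socket"
}

# Emit a complete Host stanza for ~/.ssh/config.
ssh_config_stanza() {
  host=$1
  user=$2
  server_socket=$3
  client_extra_socket=$4
  printf 'Host %s\n  User %s\n  ForwardAgent yes\n  %s\n' "$host" "$user" \
    "$(remote_forward_line "$server_socket" "$client_extra_socket")"
}

# Query both ends and print the stanza.
# Usage: ./gpg-forward.sh stanza <host> <user>
generate_stanza() {
  client_extra=$(gpgconf --list-dirs agent-extra-socket)
  server_sock=$(ssh "$1" gpgconf --list-dirs agent-socket)
  ssh_config_stanza "$1" "$2" "$server_sock" "$client_extra"
}

# Over an established forward the server-side gpg should see the client's card
# and be able to sign with it; the PIN prompt appears on the client, where the
# real agent runs. Usage: ./gpg-forward.sh check <host>
check_forward() {
  ssh "$1" 'gpg --card-status > /dev/null && echo test | gpg --clearsign > /dev/null && echo "forward OK"'
}

case "${1:-}" in
  stanza) generate_stanza "$2" "$3" ;;
  check)  check_forward "$2" ;;
esac
```

Running the stanza subcommand once per server replaces the macOS-only path in the gist with whatever the local gpgconf reports, and the server-side path with whatever the server's gpgconf reports, so the result matches the rc snippet on the server without editing either by hand.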

Prime keycard

gpg --card-status   # creates the secret-key stubs that point at the keys on the card
gpg --card-edit     # run the verify command to check the PIN and unlock the card
-----BEGIN PGP PUBLIC KEY BLOCK-----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=qu8h
-----END PGP PUBLIC KEY BLOCK-----
@nicolo-ribaudo (Author):

On Linux I needed to sudo apt install scdaemon
