@tsekityam
Last active September 6, 2021 22:28
  1. Add the following code to ~/.bash_profile
# Enable GPG keys for SSH auth
if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
    export SSH_AGENT_PID
fi
  2. Add the following code to ~/.gnupg/gpg-agent.conf
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
enable-ssh-support
write-env-file
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200
debug-level advanced
log-file /var/log/gpg-agent.log

I spent two nights figuring out how to use GPGTools to manage a GPG key created on a YubiKey 4.

If you generate the GPG key on the YubiKey directly, the key will not be shown in GPGTools. The GPGTools team offers a guide on how to import the public key into the app; however, the app still doesn't know that it can use the private key on the YubiKey to perform decryption.

Fortunately, there is another guide, offered by SIGILANCE, which shows how to import the secret key into GPGTools.

This gist is what I did to get GPGTools working with the key generated on the YubiKey.

Steps

  1. Install GPGTools

  2. Insert the YubiKey 4 into the Mac

  3. $ gpg --card-edit

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Make off-card backup of encryption key? (Y/n) 
                                              
gpg: Note: keys are already stored on the card!

Replace existing keys? (y/N) y
What keysize do you want for the Signature key? (4096) 
What keysize do you want for the Encryption key? (4096) 
What keysize do you want for the Authentication key? (4096) 
Please specify how long the key should be valid.            
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Thu Jul 11 20:12:32 2019 HKT
Is this correct? (y/N) y
                        
GnuPG needs to construct a user ID to identify your key.

Real name: Tse Kit Yam
Email address: me@kytse.com
Comment:                   
You selected this USER-ID:
    "Tse Kit Yam <me@kytse.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: Note: backup of card key saved to '/Users/tsekityam/.gnupg/<#secret#>.gpg'
gpg: key <#Key ID#> marked as ultimately trusted
gpg: revocation certificate stored as '/Users/tsekityam/.gnupg/openpgp-revocs.d/<#secret#>.rev'
public and secret key created and signed.

gpg/card> quit

P.S. The parameters I used during the generation may not fit your needs. Anyway, that doesn't matter.

  4. $ gpg --output yubikey.gpg --export-secret-keys <#Key ID#>

  5. Import yubikey.gpg into GPGTools
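Before handing yubikey.gpg to GPGTools, or copying it anywhere, it is worth confirming that the export holds only card stubs, so that the YubiKey (and the off-card backup gpg wrote during generate) remain the only places the private key material lives. The check below is an added example, not part of this gist: it reads the output of `gpg --list-packets yubikey.gpg` from stdin and reports whether every secret (sub)key packet is marked gnu-divert-to-card. The two listings are constructed and abbreviated, and the `<#...#>` values are placeholders; the exact field layout varies between GnuPG versions.

```shell
#!/bin/sh
# Added example, not part of the gist. Feed it the output of
#   gpg --list-packets yubikey.gpg
# on stdin. A key that lives on the YubiKey is exported as a stub whose
# secret (sub)key packets carry "gnu-divert-to-card" and a card serial
# number instead of key material. Exit status: 0 = every secret key
# packet is a card stub, 1 = at least one packet holds real key material
# (for example the off-card backup gpg saved during "generate"),
# 2 = no secret key packets at all (a public-key export by mistake).
classify_export() {
  awk '
    /^:secret (sub )?key packet:/      { packets++; in_secret = 1; next }
    /^:/                               { in_secret = 0 }
    in_secret && /gnu-divert-to-card/  { stubs++ }
    END {
      if (packets == 0)     { print "no secret key packets found"; exit 2 }
      if (stubs == packets) { print packets " secret key packet(s), all card stubs"; exit 0 }
      n = packets - stubs
      print n " secret key packet(s) carry key material"; exit 1
    }'
}

# Constructed, abbreviated listings (field layout varies by GnuPG version).
STUB_LISTING=':secret key packet:
    version 4, algo 1, created 1499775152, expires 0
    skey[0]: [4096 bits]
    skey[1]: [17 bits]
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    serial-number: <#card serial#>
:user ID packet: "Tse Kit Yam <me@kytse.com>"
:secret sub key packet:
    version 4, algo 1, created 1499775152, expires 0
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    serial-number: <#card serial#>'

KEYMAT_LISTING=':secret key packet:
    version 4, algo 1, created 1499775152, expires 0
    skey[0]: [4096 bits]
    skey[1]: [17 bits]
    iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: <#salt#>
    protect count: 65536 (96)
    protect IV: <#iv#>
    encrypted stuff follows'

printf '%s\n' "$STUB_LISTING"   | classify_export || echo "(exit $?)"
printf '%s\n' "$KEYMAT_LISTING" | classify_export || echo "(exit $?)"
```

On a real machine replace the constructed listings with `gpg --list-packets yubikey.gpg | classify_export`; a non-zero exit status means the file is not a pure stub and should not be treated as one.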
