diff --git a/Yubikey.md b/Yubikey.md index 1891023..fe739b4 100644 --- a/Yubikey.md +++ b/Yubikey.md @@ -30,6 +30,11 @@ notes) ## Moving GPG keys onto Yubikey +[Helpful Guide](https://github.com/drduh/YubiKey-Guide?tab=readme-ov-files) + +> Note: The above guide is what was really followed / worked the best for me, the below guide was +> also helpful, but the above one covers more items, trouble shooting, and SSH setup using GPG keys. + [helpful-youtube-video](https://www.youtube.com/watch?v=xGsixSh6sC4) The `GPG-Suite` application needs to be installed on macOS in order to interact with the yubikey. @@ -38,14 +43,6 @@ The `GPG-Suite` application needs to be installed on macOS in order to interact brew install gpg-suite-no-mail ``` -> Note: GPG-Suite also installs a GUI for the pinentry program used by PGP, which doesn't seem to -> work well with the yubikey (I also don't like GUI's generally). Need to add the following line to -> `~/.gnupg/gpg-agent.conf`. - -```bash -echo "pinentry-program /opt/homebrew/bin/pinentry" >> ~/.gnupg/gpg-agent.conf -``` - This then gives you access to use the `gpg --card-edit` command that allows you to add gpg-keys to the yubikey itself. @@ -187,12 +184,6 @@ operation using the private keys stored in the yubikey. When done type `Q`, then you can change other items about the card if you'd like, such as name, url, etc. -## Set long-press of yubikey to be the GPG user password - -When the private GPG keys on the card are protected by a password you are prompted every time you -sign a code commit, so I setup the long press of the yubikey to output the gpg user's password -rather than have to get it from a password manager. - ## Test it. Create a test file that you can sign. @@ -204,7 +195,7 @@ echo "Test test..." >> /tmp/test.txt Sign the test file. ```bash -gpg --clearsign /tmp/test.txt +gpg --encrypt /tmp/test.txt ``` Check that it worked. 
@@ -213,6 +204,12 @@ Check that it worked. cat /tmp/test.txt.asc ``` +Decrypt the file, here it will ask for password of the private key (not the GPG User or Admin PIN). + +```bash +gpg --decrypt /tmp/test.txt.asc +``` + Remove the yubikey and try again, it shouldn't be possible without the yubikey being inserted. > Note: I was having trouble afterwards on `Gitea` that was saying signatures were suspicious, I had @@ -220,29 +217,17 @@ Remove the yubikey and try again, it shouldn't be possible without the yubikey b > being the important part > [stack-overflow-link](https://stackoverflow.com/questions/78554135/unverified-github-commits-using-gpg-keys-on-yubikey). -## FIDO SSH setup +## SSH setup -[Setup Instructions](https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html) +[Setup Instructions](https://github.com/drduh/YubiKey-Guide?tab=readme-ov-file#ssh) -> Note: I tried using the GPG ssh-agent, but it was tough to get configured properly and this FIDO -> method is more similar to how I'm used to working with SSH. +> Note: My dotfiles should already have the appropriate environment variables and gpg configuration, +> they just need to be linked properly. -You must setup a FIDO PIN prior to starting, which can be done in the `Passkeys` section of the -Yubico-Authenticator app. +[Extra Setup Steps](https://jms1.net/yubikey/make-ssh-use-gpg-agent.md) -I had to start by installing OpenSSH and reload my shell. - -```bash -brew install openssh && zsh -l -``` - -Generate the SSH credentials, make sure to secure the private key that is generated with a -passphrase. When using SSH you will need to provide the password to unlock the private SSH key and -also a short press on the yubikey. - -```bash -ssh-keygen -t ed25519-sk -O resident -C "Yubikey (primary)" -``` +The above includes links to extra LaunchAgent files needed to be setup on macOS for ssh using GPG +keys to work properly. #### Adding SSH key to another computer, using the yubikey.
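Review bot: in the `@@ -30,6 +30,11 @@` hunk the new link uses `?tab=readme-ov-files`, while the `## SSH setup` hunk later in this patch links the same repository with `?tab=readme-ov-file#ssh`; the singular form is the one GitHub uses, so drop the trailing `s` here. Also "trouble shooting" in the note should be one word, "troubleshooting".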
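Review bot: the `@@ -38,14 +43,6 @@` hunk deletes the only explanation of why the GUI pinentry was swapped out, together with the `pinentry-program` line for `~/.gnupg/gpg-agent.conf`, but nothing in the remaining text says where that setting now comes from. Since the `## SSH setup` hunk states that the dotfiles carry the gpg configuration, add a one-line pointer here (for example "pinentry is set in the dotfiles' `gpg-agent.conf`") so a reader who hits the GUI prompt knows where to look.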
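Review bot: dropping the long-press section in `@@ -187,12 +184,6 @@` is the right call, since having the key output "the gpg user's password" on a long press types that secret as keystrokes into whatever has focus, but the text that replaced it says nothing about how the per-commit prompt is handled now. One sentence stating the current approach (for example that the passphrase stays in the password manager) would keep the following `## Test it.` section from reading as if a step went missing.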
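Review bot: `@@ -204,7 +195,7 @@` swaps `gpg --clearsign` for `gpg --encrypt` while the sentence above it still reads "Sign the test file." and the check that follows runs `cat /tmp/test.txt.asc`. `gpg --encrypt` does not exercise the signing key on the card at all (it only needs the recipient's public key), prompts interactively for a recipient when no `--recipient` is given, and writes a binary `test.txt.gpg` rather than `.asc` unless `--armor` is added, so both the `.asc` check and the "shouldn't be possible without the yubikey" claim stop holding for this step. Either keep `--clearsign` for the signing test, or change the prose to say encrypt and use `gpg --armor --encrypt --recipient <your key id> /tmp/test.txt` so the file name matches the check.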
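Review bot: the new decrypt step in `@@ -213,6 +204,12 @@` says it will ask for the "password of the private key (not the GPG User or Admin PIN)", which contradicts the earlier context line stating that operations use the private keys stored in the yubikey; when the decryption subkey lives on the card, gpg prompts for the card's User PIN via pinentry rather than a passphrase. Re-check which prompt actually appears and correct the parenthetical, and change "ask for password" to "ask for the password".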
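Review bot: the `@@ -220,29 +217,17 @@` hunk replaces concrete FIDO steps (set the FIDO PIN, `brew install openssh`, `ssh-keygen -t ed25519-sk -O resident`) with "My dotfiles should already have..." and "extra LaunchAgent files", neither of which is named or linked, so a reader cannot reproduce the setup from this page; name the dotfiles location and the LaunchAgent plist files involved. The retained `#### Adding SSH key to another computer, using the yubikey.` subsection appears to have been written for the resident FIDO key, so confirm its steps still apply under the gpg-agent approach and update or remove it in the same change.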