So I’ve had a lot of GPG issues over the last few months, and part of that has been me not bothering particularly to ensure I’ve got a consistent setup across my machines.
Part of the issue is that I’m using a yubikey, and keep having to look at external references to make sure it works consistently. I’m going to keep this as a reference for what I’ve used recently to make everything work.
So I want to use GPG for a few things:
- SSH Access to servers
- Signing emails for 57North where required
- Signing Debian packages
- Use pass on a variety of machines with 1 GPG key
- Super secret internet communications
With the yubikey as a common access key across my machines, this means I have a single key and don’t need to be tied to my dev desktop to do all the activities above. It’s a nice goal.
I use fish shell across all my machines as it makes me happy.
For my gpg setup to run correctly, so far I’ve had to install
apt install gnupg2 gnupg-agent dirmngr scdaemon pcscd hopenpgp-tools yubikey-personalization pinentry-curses
This puts all the pieces in place for the yubikey to act as my GPG smartcard and ssh auth token.
hibby@fennec ~> cat .gnupg/gpg-agent.conf
# https://github.com/drduh/config/blob/master/gpg-agent.conf
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-gtk2
This enables SSH support in the agent and sets the pinentry program to a GTK popup. I prefer pinentry-curses on my terminal, but I just can’t make it work on fish.
The fish config below ensures that fish starts my gpg agent and knows where the socket is via the correct environment variables.
I was missing this step for a long time.
hibby@fennec ~> cat .config/fish/gnupg.fish
# Ensure that GPG Agent is used as the SSH agent
set -e SSH_AUTH_SOCK
set -U -x SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket)
set -x GPG_TTY (tty)
gpgconf --launch gpg-agent
After this, if you run ssh-add -L when the key is attached, you will see your SSH public key. Remove the key, and it disappears.
Connect to a server like GitHub to verify it works: ssh firstname.lastname@example.org -vvvv should trigger a pinentry prompt and print a verbose log of what it’s doing. Verify it used the right key. If not, back to debugging.
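To make the debugging step less of a guessing game, here is an added checker script that is not part of the original post. It is POSIX sh rather than fish (run it as sh check-gpg-ssh.sh from any shell, fish included) and checks the three things wired together above: that gpg-agent.conf actually contains enable-ssh-support, that the shell's SSH_AUTH_SOCK is the path gpgconf --list-dirs agent-ssh-socket reports, and that ssh-add -L offers a key from the card. It assumes the one-directive-per-line gpg-agent.conf layout shown above, that gpg-agent marks card-backed keys in ssh-add -L output with a cardno: comment, and that mktemp, sed, awk and grep are available; with no argument it runs only on constructed sample input, so it works without a YubiKey plugged in.

```shell
#!/bin/sh
# Added example, not code from the original post: a POSIX sh checker for the
# three things the post wires together (gpg-agent.conf, SSH_AUTH_SOCK, and the
# key gpg-agent offers to ssh). Run it with sh from any shell, fish included:
#   sh check-gpg-ssh.sh                            # constructed demo input only
#   sh check-gpg-ssh.sh ~/.gnupg/gpg-agent.conf    # live checks on this host
# Assumptions: the one-directive-per-line gpg-agent.conf layout shown in the
# post, and that gpg-agent labels card-backed keys in `ssh-add -L` output
# with a "cardno:..." comment.

# lint_agent_conf FILE
# Prints one finding per line. Returns 0 when enable-ssh-support is present
# (the setting ssh-add depends on), 1 otherwise; other problems only warn.
lint_agent_conf() {
    rc=0
    # Drop comments and blank lines so the checks only see directives.
    body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1")

    if ! printf '%s\n' "$body" | grep -q '^enable-ssh-support[[:space:]]*$'; then
        echo "missing: enable-ssh-support (gpg-agent will not answer ssh-add)"
        rc=1
    fi

    pinentry=$(printf '%s\n' "$body" | awk '$1 == "pinentry-program" { print $2 }')
    if [ -z "$pinentry" ]; then
        echo "warn: no pinentry-program; the agent's default prompt will be used"
    elif [ ! -x "$pinentry" ]; then
        echo "warn: pinentry-program $pinentry is not executable here; no PIN prompt"
    fi

    def=$(printf '%s\n' "$body" | awk '$1 == "default-cache-ttl" { print $2 }')
    max=$(printf '%s\n' "$body" | awk '$1 == "max-cache-ttl" { print $2 }')
    if [ -n "$def" ] && [ -n "$max" ] && [ "$def" -gt "$max" ]; then
        echo "warn: default-cache-ttl $def exceeds max-cache-ttl $max; max caps it"
    fi
    return $rc
}

# ssh_socket_ok EXPECTED ACTUAL
# The fish snippet sets SSH_AUTH_SOCK from `gpgconf --list-dirs
# agent-ssh-socket`; this reports whether the running shell actually got it.
ssh_socket_ok() {
    [ -n "$2" ] && [ "$1" = "$2" ]
}

# card_key_listed SSH_ADD_OUTPUT
# Returns 0 if at least one listed key carries a cardno: comment, i.e. it is
# served from the card rather than from a key file under ~/.ssh.
card_key_listed() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9-]+ [A-Za-z0-9+/=]+ cardno:'
}

# demo: run the checks on constructed input (the post's own gpg-agent.conf and
# a made-up ssh-add -L line) so the script works with no YubiKey attached.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# https://github.com/drduh/config/blob/master/gpg-agent.conf
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-gtk2
EOF
    lint_agent_conf "$tmp" && echo "ok: sample gpg-agent.conf enables SSH support"
    rm -f "$tmp"
    # Constructed line; the key blob and card number are fake.
    card_key_listed "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC cardno:000600000000" \
        && echo "ok: constructed ssh-add -L line carries a cardno: comment"
}

# Live checks against this host when a conf path is given, else the demo.
if [ -n "${1:-}" ]; then
    lint_agent_conf "$1" || echo "fix $1 before going further"
    if command -v gpgconf >/dev/null 2>&1; then
        expected=$(gpgconf --list-dirs agent-ssh-socket)
        if ssh_socket_ok "$expected" "${SSH_AUTH_SOCK:-}"; then
            echo "ok: SSH_AUTH_SOCK points at the gpg-agent socket"
        else
            echo "bad: SSH_AUTH_SOCK='${SSH_AUTH_SOCK:-}', expected '$expected'"
        fi
    fi
    if command -v ssh-add >/dev/null 2>&1 && card_key_listed "$(ssh-add -L 2>/dev/null)"; then
        echo "ok: a card-backed key is offered to ssh"
    else
        echo "bad: ssh-add -L shows no cardno: key (card unplugged or agent not reached)"
    fi
else
    demo
fi
```

The SSH_AUTH_SOCK comparison is the check that catches the step I was missing for so long: if the universal variable was set in one fish session but a new login shell still carries a leftover ssh-agent path, ssh silently talks to the wrong agent and the card key never appears.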