So I’ve had a lot of GPG issues over the last few months, and part of that has been me not particularly bothering to ensure I have a consistent setup across my machines.

Part of the issue is that I’m using a yubikey, and keep having to look at external references to make sure it works consistently. I’m going to keep this as a reference for what I’ve used recently to make everything work.

Goals

So I want to use GPG for a few things:

  • SSH Access to servers
  • Signing emails for 57North where required
  • Signing Debian packages
  • Use pass on a variety of machines with 1 GPG key
  • Super secret internet communications

With the yubikey as a common access key across my machines, this means I have a single key and don’t need to be tied to my dev desktop to do all the activities above. It’s a nice goal.

System Setup

My systems are, generally, based on Debian as I do an amount of packaging work on Debian. My desktop environments vary wildly as I like to change regularly - this has caused me issues in the past.

I use fish shell across all my machines as it makes me happy.

Required Software

For my gpg setup to run correctly, so far I’ve had to install:

apt install gnupg2 gnupg-agent dirmngr scdaemon pcscd hopenpgp-tools yubikey-personalization pinentry-curses

This puts all the pieces in place for the yubikey to act as my GPG smartcard (scdaemon talks to the card, and pcscd provides the PC/SC layer it uses) and as my SSH authentication token.

Required Configs

GnuPG

hibby@fennec ~> cat .gnupg/gpg-agent.conf 
# https://github.com/drduh/config/blob/master/gpg-agent.conf
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-gtk2

This enables SSH support in gpg-agent, so the card’s authentication key is offered to ssh, and sets the pinentry program to a GTK popup. Two things to watch: /usr/bin/pinentry-gtk2 ships in the pinentry-gtk2 package, which the apt line above does not install, so either install it or point pinentry-program at a pinentry you actually have, otherwise gpg-agent cannot prompt for the PIN; and gpg-agent only reads this file at start-up, so after editing it run gpgconf --kill gpg-agent and let it relaunch. Both ttl values are in seconds. I prefer pinentry-curses on my terminal, but I just can’t make it work on fish.

Fish

This ensures that fish starts my gpg-agent and knows where its SSH socket is via the correct environment variables. Note that fish only sources config.fish and the files under ~/.config/fish/conf.d/ automatically, so this file needs to be sourced from config.fish or moved into conf.d/.

I was missing this step for a long time.

hibby@fennec ~> cat .config/fish/gnupg.fish 
# Ensure that GPG Agent is used as the SSH agent
# Clear any SSH_AUTH_SOCK inherited from the environment (e.g. a desktop
# session's ssh-agent) so it cannot shadow the value set below.
set -e SSH_AUTH_SOCK
# Universal (-U) and exported (-x): shared by every fish instance and passed
# on to ssh, pointing at gpg-agent's SSH socket.
set -U -x SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket)

# gpg-agent needs to know which terminal to use for pinentry-curses prompts.
set -x GPG_TTY (tty)

# Start gpg-agent if it is not already running; safe to call repeatedly.
gpgconf --launch gpg-agent

After this, if you run ssh-add -L while the key is plugged in, you will see the SSH public key derived from the card’s authentication subkey (gpg-agent gives it the comment cardno:<serial>). Remove the key and it disappears.

Connect to a server like github to verify it works end to end: ssh git@github.com -vvvv should trigger a pinentry prompt for the card PIN and print a log of what it is doing. Check that the “Offering public key” line refers to the card’s key (the fingerprint should match what ssh-add -L shows) and that GitHub greets you by username. If not, back to debugging.
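As an added example (not part of the original post), here is a small bash script that automates that check: it confirms SSH_AUTH_SOCK points at gpg-agent’s SSH socket, and that the key ssh-add -L reports is the card’s authentication subkey, by comparing it against gpg --export-ssh-key (which prints the authentication-capable subkey in OpenSSH format, with a different comment, so the comparison ignores comments). The key ID argument is a placeholder you replace with your own, and the socket paths and key strings used in the comments are constructed, not real.

```shell
#!/usr/bin/env bash
# check-gpg-ssh.sh: confirm that the SSH agent in use is gpg-agent and that
# it is serving the yubikey's OpenPGP authentication key.
# Added example; not from the original post. Assumes GnuPG 2.1+ (for
# gpg --export-ssh-key) and OpenSSH. The key ID argument is a placeholder.
set -u

# Reduce an OpenSSH public-key line to "<type> <base64>" so keys can be compared
# regardless of comment: gpg-agent labels card keys "cardno:<serial>" while
# gpg --export-ssh-key labels them "openpgp:0x<keyid>".
ssh_key_blob() {
    awk 'NF >= 2 { print $1 " " $2 }'
}

# agent_has_key LISTING EXPECTED
# LISTING is the text of `ssh-add -L`; EXPECTED is one public-key line.
# Returns 0 if the agent is serving EXPECTED, 1 otherwise.
agent_has_key() {
    local listing="$1" expected="$2" want
    want=$(printf '%s\n' "$expected" | ssh_key_blob)
    [ -n "$want" ] || return 1
    printf '%s\n' "$listing" | ssh_key_blob | grep -qxF -- "$want"
}

# socket_is_gpg_agent SSH_AUTH_SOCK_VALUE GPG_AGENT_SSH_SOCKET
# Returns 0 if ssh is pointed at gpg-agent's socket rather than another agent.
socket_is_gpg_agent() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Live check against the running agent and card. Only runs when a key ID is
# given on the command line, e.g.  ./check-gpg-ssh.sh 0xDEADBEEF  (placeholder),
# so the helper functions above can be sourced without a card present.
live_check() {
    local keyid="$1" gpg_sock expected listing
    gpg_sock=$(gpgconf --list-dirs agent-ssh-socket)
    if ! socket_is_gpg_agent "${SSH_AUTH_SOCK:-}" "$gpg_sock"; then
        echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} but gpg-agent listens on $gpg_sock" >&2
        return 1
    fi
    # Make sure gpg-agent/scdaemon can see the card before asking the agent.
    if ! gpg --card-status >/dev/null 2>&1; then
        echo "no OpenPGP card detected" >&2
        return 1
    fi
    expected=$(gpg --export-ssh-key "$keyid")
    listing=$(ssh-add -L)
    if agent_has_key "$listing" "$expected"; then
        echo "ok: gpg-agent is serving the card's authentication key for $keyid"
    else
        echo "gpg-agent is not serving the authentication key for $keyid" >&2
        return 1
    fi
}

if [ "$#" -ge 1 ]; then
    live_check "$1"
fi
```

Run it with your key ID while the card is plugged in; a non-zero exit and a message on stderr tell you which of the two things (the socket or the key) is wrong, which is usually faster than reading through the -vvvv output.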

References

  • DrDuh - Great guideline on how all this works
  • rnorth.org - Solved the fish problem