diff options
Diffstat (limited to '')
| -rw-r--r-- | README.md | 65 |
1 files changed, 65 insertions, 0 deletions
@@ -14,6 +14,7 @@ To suggest an improvement, send a pull request or open an [issue](https://github * [Expiration](#expiration) * [Passphrase](#passphrase) - [Create Certify key](#create-certify-key) +- [Add additional uids (optional)](#add-additional-uids-optional) - [Create Subkeys](#create-subkeys) - [Verify keys](#verify-keys) - [Backup keys](#backup-keys) @@ -407,6 +408,50 @@ export KEYFP=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^fpr:/ { print $10; printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP" ``` +# Add additional uids (optional) + +## Rationale + +This is an optional step if you have a use case which requires [additional identities](https://github.com/drduh/YubiKey-Guide/issues/445). Some non-exhaustive example use cases are: + +- different email addresses for different languages +- different email addresses for professional versus personal but please see alternative reason below for not tying these addresses together +- anonymized email addresses for different git providers + +An alternative would be to have distinct keys but you would then require multiple YubiKeys, as each can only hold a single key for each type (signing, encryption, authentication). Nevertheless, there can be good reasons to have multiple YubiKeys: + +- if you have different email addresses for professional versus personal use cases, having distinct keys allow you to disassociate the identities +- if you are also using the YubiKey as a U2F or FIDO2 device, having multiple YubiKeys is generally recommended as a backup measure + +## Steps + +Define an array containing additional uids. As this is bash syntax, each array element should be surrounded by quotes and each element should be separated by a space: + +```console +declare -a additional_uids +additional_uids=("Super Cool YubiKey 2024" "uid 1 <uid1@example.org>") +``` + +Add the additional uids to the key: + +```console +for uid in "${additional_uids[@]}" ; do \ + echo "$CERTIFY_PASS" | gpg --batch --passphrase-fd 0 --pinentry-mode=loopback --quick-add-uid "$KEYFP" "$uid" +done +``` + +Adjust the trust of the additional uids to be ultimate: + +```console +gpg --command-fd=0 --pinentry-mode=loopback --edit-key "$KEYID" <<EOF +uid * +trust +5 +y +save +EOF +``` + # Create Subkeys Use the following command to generate Signature, Encryption and Authentication Subkeys using the previously configured key type, passphrase and expiration: @@ -1344,6 +1389,26 @@ Connect to the remote host and use `ssh-add -l` to confirm forwarding works. Agent forwarding may be chained through multiple hosts. Follow the same [protocol](#remote-host-configuration) to configure each host. +An alternate method is the [usbipd-win](https://github.com/dorssel/usbipd-win) library. If you encounter issues with accessing the YubiKey in WSL after configuring usbipd-win, you may need to add custom polkit rules to ensure proper permissions for the pcscd service. Here's an example configuration using a scard group (the group logic is optional): + +Create a new rule file at /etc/polkit-1/rules.d/99-pcscd.rules: + +```bash +polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_card" && + subject.isInGroup("scard")) { + return polkit.Result.YES; + } +}); + +polkit.addRule(function(action, subject) { + if (action.id == "org.debian.pcsc-lite.access_pcsc" && + subject.isInGroup("scard")) { + return polkit.Result.YES; + } +}); +``` + ### Replace agents To launch `gpg-agent` for use by SSH, use the `gpg-connect-agent /bye` or `gpgconf --launch gpg-agent` commands. |