diff options
| -rw-r--r-- | README.md | 76 |
1 files changed, 74 insertions, 2 deletions
@@ -67,6 +67,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d - [Prerequisites](#prerequisites) - [WSL configuration](#wsl-configuration) - [Remote host configuration](#remote-host-configuration) + * [macOS](#macos-1) - [Remote Machines (GPG Agent Forwarding)](#remote-machines-gpg-agent-forwarding) * [Steps for older distributions](#steps-for-older-distributions) * [Chained GPG Agent Forwarding](#chained-gpg-agent-forwarding) @@ -210,6 +211,12 @@ $ sudo apt -y upgrade $ sudo apt -y install wget gnupg2 gnupg-agent dirmngr cryptsetup scdaemon pcscd secure-delete hopenpgp-tools yubikey-personalization ``` +You may additionally need (particularly for Ubuntu 18.04 and 20.04): + +```console +$ sudo apt -y install libssl-dev swig libpcsclite-dev +``` + To download a copy of this guide: ```console @@ -1983,6 +1990,13 @@ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) gpgconf --launch gpg-agent ``` +If you use fish, the correct lines for your `config.fish` would look like this (consider putting them into the `is-interactive` block depending on your use case): +```fish +set -x GPG_TTY (tty) +set -x SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket) +gpgconf --launch gpg-agent +``` + Note that if you use `ForwardAgent` for ssh-agent forwarding, `SSH_AUTH_SOCK` only needs to be set on the *local* laptop (workstation), where the YubiKey is plugged in. On the *remote* server that we SSH into, `ssh` will automatically set `SSH_AUTH_SOCK` to something like `/tmp/ssh-mXzCzYT2Np/agent.7541` when we connect. We therefore do **NOT** manually set `SSH_AUTH_SOCK` on the server - doing so would break [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding). If you use `S.gpg-agent.ssh` (see [SSH Agent Forwarding](#remote-machines-ssh-agent-forwarding) for more info), `SSH_AUTH_SOCK` should also be set on the *remote*. However, `GPG_TTY` should not be set on the *remote*, explanation specified in that section. @@ -2187,10 +2201,10 @@ $ doas reboot Windows can already have some virtual smartcard readers installed, like the one provided for Windows Hello. To ensure your YubiKey is the correct one used by scdaemon, you should add it to its configuration. You will need your device's full name. To find out what is your device's full name, plug your YubiKey and open PowerShell to run the following command: -```` powershell +``` powershell PS C:\WINDOWS\system32> Get-PnpDevice -Class SoftwareDevice | Where-Object {$_.FriendlyName -like "*YubiKey*"} | Select-Object -ExpandProperty FriendlyName Yubico YubiKey OTP+FIDO+CCID 0 -```` +``` The name slightly differs according to the model. Thanks to [Scott Hanselman](https://www.hanselman.com/blog/HowToSetupSignedGitCommitsWithAYubiKeyNEOAndGPGAndKeybaseOnWindows.aspx) for sharing this information. @@ -2287,6 +2301,64 @@ On the remote host, type `ssh-add -l` - if you see the ssh key, that means forwa **Note** Agent forwarding may be chained through multiple hosts - just follow the same [protocol](#remote-host-configuration) to configure each host. You may also read this part on [chained ssh agent forwarding](#chained-ssh-agent-forwarding). +## macOS + +To use gui applications on macOS, [a little bit more setup is needed](https://jms1.net/yubikey/make-ssh-use-gpg-agent.md). + +Create `$HOME/Library/LaunchAgents/gnupg.gpg-agent.plist` with the following contents: + +``` +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" + "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> + <dict> + <key>Label</key> + <string>gnupg.gpg-agent</string> + <key>RunAtLoad</key> + <true/> + <key>KeepAlive</key> + <false/> + <key>ProgramArguments</key> + <array> + <string>/usr/local/MacGPG2/bin/gpg-connect-agent</string> + <string>/bye</string> + </array> + </dict> +</plist> +``` + +```console +launchctl load gnupg.gpg-agent.plist +``` + +Create `$HOME/Library/LaunchAgents/gnupg.gpg-agent-symlink.plist` with the following contens: + +``` +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ProperyList-1.0/dtd"> +<plist version="1.0"> + <dict> + <key>Label</key> + <string>gnupg.gpg-agent-symlink</string> + <key>ProgramArguments</key> + <array> + <string>/bin/sh</string> + <string>-c</string> + <string>/bin/ln -sf $HOME/.gnupg/S.gpg-agent.ssh $SSH_AUTH_SOCK</string> + </array> + <key>RunAtLoad</key> + <true/> + </dict> +</plist> +``` + +```console +launchctl load gnupg.gpg-agent-symlink.plist +``` + +You will need to either reboot, or log out and log back in, in order to activate these changes. + # Remote Machines (GPG Agent Forwarding) This section is different from ssh-agent forwarding in [SSH](#ssh) as gpg-agent forwarding has a broader usage, not only limited to ssh. |