aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/README.md
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--README.md65
1 files changed, 65 insertions, 0 deletions
diff --git a/README.md b/README.md
index ac07c63..fcd054e 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@ To suggest an improvement, send a pull request or open an [issue](https://github
* [Expiration](#expiration)
* [Passphrase](#passphrase)
- [Create Certify key](#create-certify-key)
+- [Add additional uids (optional)](#add-additional-uids-optional)
- [Create Subkeys](#create-subkeys)
- [Verify keys](#verify-keys)
- [Backup keys](#backup-keys)
@@ -407,6 +408,50 @@ export KEYFP=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^fpr:/ { print $10;
printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP"
```
+# Add additional uids (optional)
+
+## Rationale
+
+This is an optional step if you have a use case which requires [additional identities](https://github.com/drduh/YubiKey-Guide/issues/445). Some non-exhaustive example use cases are:
+
+- different email addresses for different languages
+- different email addresses for professional versus personal but please see alternative reason below for not tying these addresses together
+- anonymized email addresses for different git providers
+
+An alternative would be to have distinct keys but you would then require multiple YubiKeys, as each can only hold a single key for each type (signing, encryption, authentication). Nevertheless, there can be good reasons to have multiple YubiKeys:
+
+- if you have different email addresses for professional versus personal use cases, having distinct keys allow you to disassociate the identities
+- if you are also using the YubiKey as a U2F or FIDO2 device, having multiple YubiKeys is generally recommended as a backup measure
+
+## Steps
+
+Define an array containing additional uids. As this is bash syntax, each array element should be surrounded by quotes and each element should be separated by a space:
+
+```console
+declare -a additional_uids
+additional_uids=("Super Cool YubiKey 2024" "uid 1 <uid1@example.org>")
+```
+
+Add the additional uids to the key:
+
+```console
+for uid in "${additional_uids[@]}" ; do \
+ echo "$CERTIFY_PASS" | gpg --batch --passphrase-fd 0 --pinentry-mode=loopback --quick-add-uid "$KEYFP" "$uid"
+done
+```
+
+Adjust the trust of the additional uids to be ultimate:
+
+```console
+gpg --command-fd=0 --pinentry-mode=loopback --edit-key "$KEYID" <<EOF
+uid *
+trust
+5
+y
+save
+EOF
+```
+
# Create Subkeys
Use the following command to generate Signature, Encryption and Authentication Subkeys using the previously configured key type, passphrase and expiration:
@@ -1344,6 +1389,26 @@ Connect to the remote host and use `ssh-add -l` to confirm forwarding works.
Agent forwarding may be chained through multiple hosts. Follow the same [protocol](#remote-host-configuration) to configure each host.
+An alternate method is the [usbipd-win](https://github.com/dorssel/usbipd-win) library. If you encounter issues with accessing the YubiKey in WSL after configuring usbipd-win, you may need to add custom polkit rules to ensure proper permissions for the pcscd service. Here's an example configuration using a scard group (the group logic is optional):
+
+Create a new rule file at /etc/polkit-1/rules.d/99-pcscd.rules:
+
+```bash
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_card" &&
+ subject.isInGroup("scard")) {
+ return polkit.Result.YES;
+ }
+});
+
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
+ subject.isInGroup("scard")) {
+ return polkit.Result.YES;
+ }
+});
+```
+
### Replace agents
To launch `gpg-agent` for use by SSH, use the `gpg-connect-agent /bye` or `gpgconf --launch gpg-agent` commands.