Developers Guide to GPG and YubiKey


Tutorial: Set up a YubiKey for GPG and SSH!

Soner Kalonya

Hey Brian! This is the best explanation I’ve ever seen on the entire Web! I’d have rated 10-stars if I could :slight_smile:

Brian Demers

You may need to restart your gpg agent (guess)? gpg-connect-agent reloadagent /bye

Either way, run gpg --list-secret-keys and you shouldn’t see a > next to your sec key.

Brian Demers

I’m guessing you cannot import your key because the stub of the key (the one on the YubiKey) already exists.

I’m sure there is a better way to do this, but the quick and dirty way would be to create a new key ring:
1. stop the GPG agent
2. move your ~/.gnupg directory out of the way: mv ~/.gnupg ~/.gnupg.bak
3. import your secret key (a new key ring should be created)

Assuming that works you could move the keys to a new device, and restore your old ~/.gnupg.bak directory.

Again, I’m sure there is a better way to do this by telling GPG that you no longer want to use the smart card to manage the key.

Anyway, give that a shot, and let me know, if something like that works, maybe I can spend a bit of time adding another section to this post about managing multiple keys :smiley:
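A way to do the key-ring part of those steps without moving ~/.gnupg aside, added here as an example and not taken from Brian’s post: point GNUPGHOME at a scratch directory, import the secret key there, and then check the listing for the stub marker. GnuPG prints sec> / ssb> when the private part lives on a smart card and sec# / ssb# when it is absent entirely, so a clean import shows neither. The key file path and the sample listing used in the check are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): import a secret key into a
# throw-away GnuPG home and verify that the resulting listing has no card stubs.

# Print only the key lines from `gpg --list-secret-keys` output (read on stdin)
# that are stubs: field 1 is "sec>" / "ssb>" (on card) or "sec#" / "ssb#" (absent).
stub_lines() {
    awk '$1 ~ /^(sec|ssb)[>#]$/ { print }'
}

# Count stub lines in a listing; 0 means every secret key is fully on disk.
count_stubs() {
    stub_lines | wc -l | tr -d ' '
}

# Import an armored secret key into a fresh, private key ring and list it.
# Constructed usage:  import_into_scratch /path/to/secret-key.asc
import_into_scratch() {
    keyfile=$1
    scratch=$(mktemp -d)          # scratch GNUPGHOME, nothing in ~/.gnupg is touched
    chmod 700 "$scratch"          # gpg warns on permissive home directories
    GNUPGHOME="$scratch" gpg --batch --import "$keyfile"
    echo "Scratch key ring: $scratch"
    GNUPGHOME="$scratch" gpg --list-secret-keys --keyid-format long
}

# Run stand-alone as:  sh this.sh /path/to/secret-key.asc
if [ -n "$1" ]; then
    listing=$(import_into_scratch "$1")
    printf '%s\n' "$listing"
    if [ "$(printf '%s\n' "$listing" | count_stubs)" = "0" ]; then
        echo "OK: no card stubs in the scratch key ring"
    else
        echo "WARNING: stub entries present:"
        printf '%s\n' "$listing" | stub_lines
    fi
fi
```

Once the key is in the scratch ring you can do the card work with GNUPGHOME still pointing at it, and your regular ~/.gnupg (with its existing stubs) is untouched the whole time; remove the scratch directory when done, since it holds the full secret key.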

Brian Demers

Thanks Chuck!!

I’ll try to find some time to add a section on using multiple keys!

Thanks for that, Brian. Really well written and succinct.

I found one issue. This won’t work for users of ARM based Macs because the Homebrew directory is different.

# configure gpg-agent to use this pinentry application
echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf

This will work on all Macs:

echo "pinentry-program $(which pinentry-mac)" >>  ~/.gnupg/gpg-agent.conf
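The same fix in script form, added here as an example rather than code from the guide or from ritchiey’s reply: resolve pinentry-mac from PATH and fall back to the two Homebrew prefixes (/opt/homebrew on Apple Silicon, /usr/local on Intel), then write the pinentry-program line into gpg-agent.conf without appending a duplicate each time the script runs. The function names and the sample config content in the check are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): set pinentry-program in a
# gpg-agent.conf idempotently, using whichever pinentry-mac is installed.

# Print the path of pinentry-mac, preferring PATH and falling back to the
# standard Homebrew prefixes; exit 1 if none is found.
find_pinentry() {
    p=$(command -v pinentry-mac 2>/dev/null || true)
    if [ -n "$p" ]; then printf '%s\n' "$p"; return 0; fi
    for cand in /opt/homebrew/bin/pinentry-mac /usr/local/bin/pinentry-mac; do
        if [ -x "$cand" ]; then printf '%s\n' "$cand"; return 0; fi
    done
    return 1
}

# Set (or replace) the single pinentry-program line in a config file.
#   $1 = path to gpg-agent.conf   $2 = path to the pinentry binary
set_pinentry() {
    conf=$1; prog=$2
    tmp=$(mktemp)
    # keep every existing line except an old pinentry-program setting
    if [ -f "$conf" ]; then grep -v '^pinentry-program ' "$conf" > "$tmp" || true; fi
    printf 'pinentry-program %s\n' "$prog" >> "$tmp"
    mv "$tmp" "$conf"
}

# Run stand-alone as:  sh this.sh --apply
if [ "$1" = "--apply" ]; then
    prog=$(find_pinentry) || { echo "pinentry-mac not found; brew install pinentry-mac" >&2; exit 1; }
    mkdir -p "$HOME/.gnupg" && chmod 700 "$HOME/.gnupg"
    set_pinentry "$HOME/.gnupg/gpg-agent.conf" "$prog"
    echo "pinentry-program set to $prog"
fi
```

After changing gpg-agent.conf, reload the agent so the new setting is picked up: gpg-connect-agent reloadagent /bye.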

Thanks @ritchiey
Great idea!!

Thanks for sharing this great info about cloud. In Unique prompt I read about cloud but I can’t solve it codes.

I know this is an old post, but it was an amazing help for me getting my YubiKey setup with GPG signing and SSH! Thank you for that!

I had a question about the SSH keys. When I run ssh-add -L I see two ssh-keys. And in the guide the one with the card serial number is not shown. I am not sure if I am doing something wrong here. Both ssh-key values are the same also other than the ending.

  • ssh-rsa …== cardno:XX XXX XXX
  • ssh-rsa …== (none)

I will also add that when I remove the yubi-key I only see the ssh key (none).

  • ssh-rsa …== (none)