cameri · September 10, 2022 01:42
diff --git a/yubikey_ssh_gpg.sh b/yubikey_ssh_gpg.sh
 mkdir -m 0700 -p ~/.gnupg
 brew install gnupg

 # install pinentry-mac
 brew install pinentry-mac
 echo "pinentry-program ${$(which pinentry-mac)}" >> ~/.gnupg/gpg-agent.conf

 # Run for the first time
 gpgconf --launch gpg-agent
 export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh

 # Test SSH keys (Insert Yubikey)
 ssh-add -l

 cat << EOF >> ~/.zprofile
 gpgconf --launch gpg-agent
 export SSH_AUTH_SOCK=\$HOME/.gnupg/S.gpg-agent.ssh
 # Fix sign_and_send_pubkey: signing failed for RSA "card:XXX" from agent: agent refused operation
 # Ref: https://support.nitrokey.com/t/nitrokey-ssh-git-sign-and-send-pubkey-signing-failed-agent-refused-operation/1886/3
 export GPG_TTY=\$(tty)
 EOF

 # Setup gpg agent for apps without a terminal
 cat << EOF > ~/Library/LaunchAgents/homebrew.gpg.gpg-agent.plist
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
  <!-- Sets a name for a task -->
  <key>Label</key>
  <string>homebrew.gpg.gpg-agent</string>
  <!-- Sets a command to run and its options -->
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/bin/gpgconf</string>
    <string>--launch</string>
    <string>gpg-agent</string>
  </array>
  <!-- Tells it to run the task once the XML is loaded -->
  <key>RunAtLoad</key>
  <true/>
 </dict>
 </plist>
 EOF

 # Load plist
 launchctl load -F ~/Library/LaunchAgents/homebrew.gpg.gpg-agent.plist

 # Verify (should return a zero)
 launchctl list | grep gpg-agent
 pgrep -fl gpg-agent

 # Map Mac's default SSH agent socket to gpg socket
 cat << EOF > ~/Library/LaunchAgents/link-ssh-auth-sock.plist
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
  <key>Label</key>
  <string>link-ssh-auth-sock</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/bin/ln -sf $HOME/.gnupg/S.gpg-agent.ssh $SSH_AUTH_SOCK</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
 </dict>
 </plist>
 EOF

 # Verify
 launchctl load -F ~/Library/LaunchAgents/link-ssh-auth-sock.plist

 # Connect Yubikey and fetch keys
 gpg --card-edit
 > fetch
 > quit

 # get secret key
 gpg --list-secret-keys

 # configure git to use gpg
 git config --global user.signingkey YOUR_PGP_KEY
 git config --global commit.gpgsign true

 # verify your git config
 cat ~/.gitconfig
 # or
 git config --list --global
	mkdir -m 0700 -p ~/.gnupg
	brew install gnupg

	# install pinentry-mac
	brew install pinentry-mac
	echo "pinentry-program ${$(which pinentry-mac)}" >> ~/.gnupg/gpg-agent.conf

	# Run for the first time
	gpgconf --launch gpg-agent
	export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh

	# Test SSH keys (Insert Yubikey)
	ssh-add -l

	cat << EOF >> ~/.zprofile
	gpgconf --launch gpg-agent
	export SSH_AUTH_SOCK=\$HOME/.gnupg/S.gpg-agent.ssh
	# Fix sign_and_send_pubkey: signing failed for RSA "card:XXX" from agent: agent refused operation
	# Ref: https://support.nitrokey.com/t/nitrokey-ssh-git-sign-and-send-pubkey-signing-failed-agent-refused-operation/1886/3
	export GPG_TTY=\$(tty)
	EOF

	# Setup gpg agent for apps without a terminal
	cat << EOF > ~/Library/LaunchAgents/homebrew.gpg.gpg-agent.plist
	<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<dict>
	<!-- Sets a name for a task -->
	<key>Label</key>
	<string>homebrew.gpg.gpg-agent</string>
	<!-- Sets a command to run and its options -->
	<key>ProgramArguments</key>
	<array>
	<string>/usr/local/bin/gpgconf</string>
	<string>--launch</string>
	<string>gpg-agent</string>
	</array>
	<!-- Tells it to run the task once the XML is loaded -->
	<key>RunAtLoad</key>
	<true/>
	</dict>
	</plist>
	EOF

	# Load plist
	launchctl load -F ~/Library/LaunchAgents/homebrew.gpg.gpg-agent.plist

	# Verify (should return a zero)
	launchctl list \| grep gpg-agent
	pgrep -fl gpg-agent

	# Map Mac's default SSH agent socket to gpg socket
	cat << EOF > ~/Library/LaunchAgents/link-ssh-auth-sock.plist
	<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<dict>
	<key>Label</key>
	<string>link-ssh-auth-sock</string>
	<key>ProgramArguments</key>
	<array>
	<string>/bin/sh</string>
	<string>-c</string>
	<string>/bin/ln -sf $HOME/.gnupg/S.gpg-agent.ssh $SSH_AUTH_SOCK</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	</dict>
	</plist>
	EOF

	# Verify
	launchctl load -F ~/Library/LaunchAgents/link-ssh-auth-sock.plist

	# Connect Yubikey and fetch keys
	gpg --card-edit
	> fetch
	> quit

	# get secret key
	gpg --list-secret-keys

	# configure git to use gpg
	git config --global user.signingkey YOUR_PGP_KEY
	git config --global commit.gpgsign true

	# verify your git config
	cat ~/.gitconfig
	# or
	git config --list --global