
yubikey's Introduction

⚠️ Repository Deprecated ⚠️

Notice: This code repository is no longer maintained or updated. The content and code are provided as-is, and may no longer be relevant or functional.

For Datadog employees, see the "commit signing setup guide" in Confluence instead.

YubiKey at Datadog

Summary

GPG is useful for authenticating yourself over SSH and / or GPG-signing your git commits / tags. However, without hardware like the YubiKey, you would typically keep your GPG private subkeys in "plain view" on your machine, even if encrypted. That is, attackers who personally target you [1, 2, 3, 4] and compromise your machine can exfiltrate your (encrypted) private key together with your passphrase, and then sign or authenticate as you.

Instead, this setup stores your private subkeys on your YubiKey, which gives you much stronger guarantees: you cannot authenticate over SSH and / or sign GPG commits / tags without (1) your YubiKey plugged in and operational, (2) your YubiKey PIN, and (3) touching your YubiKey. So, even if malware tries to make you sign, encrypt, or authenticate something, you would almost certainly notice, because your YubiKey flashes and asks for your attention. (The touch confirms that an operation is happening, not what is being signed or authenticated; that "time of check to time of use" issue is out of our scope.)

Estimated burden and prerequisites

About 2-3 hours. 15 minutes could save you 15% or more on cybersecurity insurance.

You will need macOS with Homebrew / Ubuntu / Archlinux, a password manager, and a YubiKey 5.

U2F

STRONGLY recommended: configure U2F for GitHub and Google.

GPG

Please read and follow all of the instructions carefully.

$ ./gpg.sh

(Protip: set TEMPDIR=1 when preparing YubiKey for someone else to avoid polluting your default GPG homedir.)
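An added check that is not part of the repository's scripts: once ./gpg.sh has finished, confirm that the secret subkeys on this machine are only stubs pointing at the card, which is what the Summary above promises. In `gpg -K --with-colons` output, field 15 of a `sec` or `ssb` record holds the card's serial number when the key is on a smartcard, `#` when only a stub is present, and nothing when the secret key material is on disk. The listings in the block are constructed; key ids and the card serial are placeholders.

```shell
#!/bin/sh
# Added example (not part of the repository): confirm that secret subkeys live
# on the YubiKey. Input is `gpg -K --with-colons` output on stdin. In sec/ssb
# records, field 15 is:
#   "<token serial>"  key is on a smartcard (what this setup expects for subkeys)
#   "#"               stub only, no secret material on this machine
#   ""                secret key material is stored on disk

secret_key_locations() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      loc = "disk"
      if ($15 == "#") loc = "stub"
      else if ($15 != "") loc = "card:" $15
      # type, key id, capabilities (s=sign, e=encrypt, a=auth, c=certify), location
      print $1, $5, $12, loc
    }'
}

# Exit 0 only when every subkey (ssb) is on a card; print the offenders otherwise.
subkeys_all_on_card() {
  secret_key_locations | awk '
    $1 == "ssb" && $4 !~ /^card:/ { print "subkey " $2 " (" $3 ") is " $4; bad = 1 }
    END { exit bad }'
}

# Constructed sample listing: offline primary key (stub), three subkeys on one
# card. Key ids and the card serial are placeholders.
SAMPLE_ON_CARD='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC:::#:::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice Example <alice@example.com>::::::::::0:
ssb:u:4096:1:1111111111111111:1600000000::::::s:::D2760001240103040006123456780000:::23:
ssb:u:4096:1:2222222222222222:1600000000::::::e:::D2760001240103040006123456780000:::23:
ssb:u:4096:1:3333333333333333:1600000000::::::a:::D2760001240103040006123456780000:::23:'

# Same key, but the authentication subkey was never moved to the card.
SAMPLE_ONE_ON_DISK=$(printf '%s\n' "$SAMPLE_ON_CARD" \
  | sed 's/^\(ssb:.*:a:::\)D2760001240103040006123456780000/\1/')

if [ "${1:-}" = "--live" ]; then
  gpg -K --with-colons | secret_key_locations
  gpg -K --with-colons | subkeys_all_on_card && echo "OK: all subkeys are on the card"
fi
```

In the human-readable `gpg -K` listing the same information appears as `ssb>` (on card) versus `ssb` (on disk). Key location and touch requirement are separate properties: `ykman openpgp info` shows the touch policy of each key slot.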

git

STRONGLY RECOMMENDED: signing your git commits and tags.

You must first set up GPG.

Then, to sign git commits and tags for a particular repository:

$ ./git.sh /path/to/git/repository

Or, to sign git commits and tags for all repositories:

$ ./git.sh
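The settings ./git.sh writes can be checked after the fact. Below is an added example, not the script itself: one function applies the three signing settings with git's own `git config` flags (the key id is passed in), the checker parses `git config --list` output, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example (not part of ./git.sh): apply the signing settings the script
# writes, and verify them from `git config --list` output.

# $1 = GPG key id or fingerprint, $2 = scope: "--local" (one repository) or
# "--global" (all repositories). The flag names are git's; the default is assumed.
configure_git_signing() {
  scope=${2:---local}
  git config "$scope" user.signingkey "$1"
  git config "$scope" commit.gpgsign true
  git config "$scope" tag.gpgsign true
}

# Check `git config --list` output on stdin. Later entries override earlier
# ones, as in git itself. Prints each problem; exits 0 only when commits and
# tags will be signed with a named key.
check_git_signing() {
  awk -F= '
    function istrue(v) { v = tolower(v); return v == "true" || v == "yes" || v == "on" || v == "1" }
    $1 == "user.signingkey" { key = $2 }
    $1 == "commit.gpgsign"  { commit = $2 }
    $1 == "tag.gpgsign"     { tag = $2 }
    $1 == "gpg.format"      { format = $2 }
    END {
      if (key == "")        { print "user.signingkey is not set"; bad = 1 }
      if (!istrue(commit))  { print "commit.gpgsign is " (commit == "" ? "unset" : commit); bad = 1 }
      if (!istrue(tag))     { print "tag.gpgsign is " (tag == "" ? "unset" : tag); bad = 1 }
      if (format != "" && format != "openpgp") {
        print "gpg.format is " format ", but the YubiKey key is an OpenPGP key"; bad = 1
      }
      exit bad
    }'
}

# After committing: verify the signature on HEAD (needs the signer public key in the keyring).
verify_head_signature() { git verify-commit HEAD; }

# Constructed listings: a correctly configured repository, and one where only
# the identity was set.
LISTING_OK='user.name=Alice Example
user.email=alice@example.com
user.signingkey=0123456789ABCDEF
commit.gpgsign=true
tag.gpgsign=true'
LISTING_UNSIGNED='user.name=Alice Example
user.email=alice@example.com
commit.gpgsign=false'

if [ "${1:-}" = "--live" ]; then
  git config --list | check_git_signing && echo "OK: commits and tags will be signed"
fi
```

Run it with `--live` inside a repository to check the effective (global plus local) configuration; `git log --show-signature -1` then shows whether the signature on the last commit verifies.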

SSH

NOT recommended for most users. This script sets up your YubiKey as the holder of your SSH key, helping to prevent it from being leaked or stolen. The script will take control of ssh-agent, so it's not particularly compatible with other SSH keys - you should only run this if you intend to use this as your only SSH key on the machine you're using.

With this setup, you'll need to enter a PIN to unlock the key every 24 hours and then physically touch the key when it blinks (i.e. every time you SSH or push / pull with git). If you don't touch the key, the request will time out and you'll get an unhelpful error message.

This is compatible with usage on remote machines over SSH (it will set up agent forwarding to use the key remotely; touch is required on each action).

You must have first set up GPG. Then:

$ ./ssh.sh

Reset

If you need to reset YubiKeys, you may use the following script. The script looks for every plugged-in YubiKey and shows a menu to reset one specific key, or all of them. Please read and follow all of the instructions carefully. YOU WILL NOT BE ABLE TO RETRIEVE KEYS/DATA FROM THE YUBIKEY AFTER COMPLETION.

$ ./reset.sh

Troubleshooting

Go here for troubleshooting common issues such as unblocking a blocked card, error when pulling or pushing with git over SSH, and rebasing with git.

Optional

Go here for support on optional bits such as configuring a computer to use an already configured YubiKey, signing for different git repositories with different keys, Keybase, VMware Fusion, and Docker Content Trust.

References

  1. YubiKey Handbook

  2. A Git Horror Story: Repository Integrity With Signed Commits

  3. Welp, there go my Git signatures

  4. [Bitcoin-development] PSA: Please sign your git commits

yubikey's People

Contributors

badouralix, bkabrda, cedricvanrompay-datadog, daisukixci, drewcsillagdd, elptacek-dd, gharryg, gmmeyer, guedou, guyboltonking, hadrienpatte, klivan, lucaspimentel, masci, mbakht, mdeous-datadog, mdgreenfield, mtoffl01, ofek, pgimalac, platinummonkey, pratikgs-dd, pwyliu, romain-dd, srosenthal-dd, tannerprynn-datadog, trishankatdatadog, turettn, valerian-roche, xornivore


yubikey's Issues

Any reason this shouldn’t work on a YubiKey 5Ci?

I wanted to set up gpg using your script, but I was greeted with this somewhat disappointing message:

Sorry, but we do not support your YubiKey version: 5Ci

Are there any significant differences between 5C and 5Ci (other than the physical plugs)? Any reason the script would not work on a 5Ci?

mac.sh exited after selecting 'no' on ssh permission

The first time I ran the script to set up my backup Yubikey, the script exited after I answered No to the prompt "do you want to ssh to your yubikey". However, running the script a second time was successful and I didn't encounter this issue.

gpg.sh error

❯ ./gpg.sh
OS detected is macos
Is it correct ? (y|N)y
env.sh: line 34: ${OS,,}: bad substitution

Running in BigSur

sh --version
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin20)
Copyright (C) 2007 Free Software Foundation, Inc.
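The `bad substitution` above comes from `${OS,,}`, a bash 4 case-conversion expansion; /bin/bash on macOS is 3.2 and does not have it. Below is an added example (not the repository's env.sh) of a portable replacement, with an OS detection function written so it can be tested with explicit inputs. The output names `ubuntu` and `archlinux` are assumed; `macos` is the one the script prints.

```shell
#!/bin/sh
# Added example: a portable replacement for ${OS,,}. The ",," case-conversion
# expansion exists only in bash 4+, and /bin/bash on macOS is 3.2, which reports
# "bad substitution". tr works in any POSIX shell.
lowercase() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Map a kernel name (uname -s) and an /etc/os-release ID to the names this
# setup supports. "macos" is what the script prints; "ubuntu" and "archlinux"
# are assumed. Both inputs are arguments so the mapping is testable.
detect_os() {
  kernel=$(lowercase "$1")
  distro=$(lowercase "${2:-}")
  case $kernel in
    darwin) echo macos ;;
    linux)
      case $distro in
        ubuntu) echo ubuntu ;;
        arch)   echo archlinux ;;       # /etc/os-release on Arch has ID=arch
        *) echo "unsupported Linux distribution: '${2:-unknown}'" >&2; return 1 ;;
      esac ;;
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
}

# Live wrapper: read the values from the running system.
detect_os_live() {
  id=""
  if [ -r /etc/os-release ]; then
    id=$(. /etc/os-release && printf '%s' "$ID")
  fi
  detect_os "$(uname -s)" "$id"
}

if [ "${1:-}" = "--live" ]; then
  echo "OS detected is $(detect_os_live)"
fi
```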

yubikey support for GPG on chromeos

tl; dr does not work (yet)

Currently stuck at /dev/hidraw devices being hidden by ChromeOS (nothing will show up via lsusb or udevadm control --reload).

Use on-card instead of by-hand key generation

Self-explanatory, I think, and would make key generation a lot easier and faster. Would remove quite a few steps.

Only real thing that needs to be investigated is where the backup copy of the keys would be kept, so that we know where to make encrypted backup image from.

Any takers, please?

Feature request: instructions and support for SSH Keys on Yubikey

Modern yubikeys support sk-* type SSH keys which allow storing the SSH private key in the yubikey itself so that it's not possible to export / steal it, even in case of a laptop compromise. The UX is great in some aspects (I have to touch the yubikey when SSHing, giving me high confidence that I'm taking the correct action) and poor in others (setup & configuration, compatibility, lack of UI indications when waiting for the touch).

It would be great to look into supporting these key types. This would probably encompass a few tasks:

  1. Identify which parts of our infra do or do not support this key type (ex: Github does, older Ubuntu versions don't)
  2. Identify possible fallbacks workaround or how to coexist when accessing supported/unsupported infra
  3. Create documentation for end users, do user testing
  4. Do automation to set it up automatically / in a guided way
  5. Mandate it as the primary/exclusive option (similar to notifying users about unprotected private keys)

Trishank noted that there were possibly other options related to key storage, but the main thing I appreciate about this mechanism is that it requires a physical touch for usage of the SSH key. I think there may be some other ways to achieve the same thing (e.g. with the secure enclave on macOS (1, 2)). The main advantage of these types of mechanism is the "2FA-like" requirement to do a physical confirmation touch when signing in with the key. This provides strong security and protection against unintentional exposure. For example, the new workspaces dev environments set up SSH agent forwarding by default, and this would mean that keys wouldn't be straightforwardly stolen/used if a workspace is compromised.
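An added example, not code from the repository, that serves both the SSH section above (the OpenPGP authentication subkey served through gpg-agent, which `ssh-add -L` lists with a `cardno:` comment) and this request for `sk-*` keys: it classifies each public key line by where the private half lives and flags plain software keys, which is what a hardware-only policy would need to audit in authorized_keys files or in an agent. The `ssh-keygen -O resident -O verify-required` flags and `gpgconf --list-dirs agent-ssh-socket` are OpenSSH's and GnuPG's own; the sample key lines are constructed, with truncated key material and a placeholder card serial.

```shell
#!/bin/sh
# Added example: inventory SSH public keys by where their private half lives.

# Point ssh at gpg-agent's SSH socket (gpg-agent.conf needs enable-ssh-support).
use_gpg_agent_for_ssh() {
  SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
  export SSH_AUTH_SOCK
}

# Generate a FIDO-backed key on the YubiKey: the private key never leaves the
# token, "resident" stores it on the token, "verify-required" also demands the
# FIDO PIN on each use. $1 = output path (the default shown is assumed).
make_fido_key() {
  ssh-keygen -t ed25519-sk -O resident -O verify-required -f "${1:-$HOME/.ssh/id_ed25519_sk}"
}

# Classify one public key line (authorized_keys or `ssh-add -L` format):
#   fido      sk-* key, private half inside a FIDO token
#   gpg-card  exported by gpg-agent from an OpenPGP card ("cardno:" comment)
#   software  ordinary key, private half is a file that can be copied
# Assumes any authorized_keys options prefix contains no spaces.
classify_ssh_key() {
  line=$1
  case ${line%% *} in ssh-*|sk-*|ecdsa-*) ;; *) line=${line#* } ;; esac
  type=${line%% *}
  rest=${line#* }                       # "<base64> [comment]"
  case $rest in *' '*) comment=${rest#* } ;; *) comment='' ;; esac
  case $type in
    sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) echo fido ;;
    *) case $comment in *cardno:*) echo gpg-card ;; *) echo software ;; esac ;;
  esac
}

# Read key lines on stdin, print "<class> <line>" for each, and exit 1 if any
# key is a plain software key (the case a "hardware keys only" policy forbids).
audit_ssh_keys() {
  bad=0
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    cls=$(classify_ssh_key "$line")
    [ "$cls" = software ] && bad=1
    printf '%s %s\n' "$cls" "$line"
  done
  return $bad
}

# Constructed sample lines (truncated key material, placeholder card serial).
SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample cardno:000612345678
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tExample alice@laptop
restrict,command="/usr/bin/deploy" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExample deploy@ci'

if [ "${1:-}" = "--live" ]; then
  ssh-add -L | audit_ssh_keys          # keys currently offered by the agent
fi
```

Both hardware-backed classes give the touch guarantee the request asks for; they differ in which agent serves them (gpg-agent for the OpenPGP card key, ssh-agent or a direct `ssh` for `sk-*` keys), so a machine usually runs one or the other, not both.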

`killall` halts with error

Right now, the script stops unexpectedly here when we try to killall ssh-agent and ssh-agent isn't running. Be more robust.

Repo local git config not working

Hello, since the "lib-ification" of the git setup script, the local mode is not working because it "cd"s into the repo directory before sourcing the lib script with the actual setup.

Since the sourcing is done with a relative path, the target file cannot be found.

One solution would be to use the OLD_PWD variable that is saved before the switch case.

git.sh unable to source notifications.sh

I ran the git.sh script from the repo directory and received the following error when it attempted to setup the notifications: ./git.sh: line 47: notifications.sh: No such file or directory

Full log:

> ./git.sh ~/go/src/github.com/DataDog/datadog-agent
OS detected is macos
What is the real name you use on GitHub?
Real name (press Enter to accept 'Bryce Kahle'):
Using given user.name: Bryce Kahle

What is an email address you have registered with GitHub?
Email (press Enter to accept 'REDACTED'):
Using given user.email: REDACTED

Signing git commits & tags LOCALLY: /Users/bryce.kahle/go/src/github.com/DataDog/datadog-agent
Setting your git-config user.name...
Setting your git-config user.email...
Setting git to use this GPG key.
Also, turning on signing of all commits and tags by default.

Exporting your GPG public key to GitHub.
It has been copied to your clipboard.
You may now add it to GitHub: https://github.com/settings/gpg/new
Opening GitHub...

./git.sh: line 47: notifications.sh: No such file or directory

Improve notifications script

TODO from #77:

  • Trigger notifications only for gpg signing, not also verification, in git.
  • The notification boxes need an X close button.
  • The notification boxes should not be clickable to open the AppleScript editor.
  • Turn on notifications for using authentication subkey during SSH.

Handle homebrew installation / upgrade issues

For some people, especially those with GPG already installed on their computer, brew has a difficult time upgrading our required packages without complaining about a whole bunch of things that must be resolved manually.

For example, here is what one user reported:

I ran the brew command outside the script, since I was pretty sure that I had a bunch of old stuff installed

  • i needed to run brew update before running this to get the latest version of git (git commands failed with 2.17.1, didn't like --default option)
  • I needed to run xcode-select --install (python@2 failed before I ran this, succeeded after)
  • I already had gpg 2.2.8 installed (gpg (GnuPG/MacGPG2) 2.2.8). This means I either need to run with gpg 2.2.8 instead of 2.2.10, or I need to force overwriting the gpg symlink (brew link --overwrite gnupg). I chose to leave the MacGPG 2.2.8 link but ran into an error exporting ssh key for the first run.

Try to make this as easy as possible to handle for existing users (e.g., suggest what to do).

Cc: @dcoleman17

gpg.sh hangs due to unexpected output

I had to make these changes to get it to work:

diff --git a/expect.sh b/expect.sh
index de83a2b..a2594bc 100755
--- a/expect.sh
+++ b/expect.sh
@@ -215,7 +215,7 @@ expect -exact "Enter Admin PIN: "
 stty -echo
 send -- "$ADMIN_PIN\r"
 
-expect -exact "Set touch policy of signature key to $TOUCH_POLICY? \[y/N\]: "
+expect -exact "Set touch policy of SIG key to $TOUCH_POLICY? \[y/N\]: "
 send -- "y\r"
 expect eof
 
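Review bot: the swap from `Set touch policy of signature key` to `Set touch policy of SIG key` trades one ykman version's prompt wording for another, so the script hangs again on whichever version prints the other string, and it does so after `send -- "$ADMIN_PIN\r"` has already gone out. Match both with a regular expression, e.g. `expect -re "Set touch policy of (signature|SIG) key to $TOUCH_POLICY\\? \\[y/N\\]: "`, and give the call a `timeout { ... exit 1 }` branch so a wording mismatch fails with a message instead of waiting.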
@@ -228,7 +228,7 @@ expect -exact "Enter Admin PIN: "
 stty -echo
 send -- "$ADMIN_PIN\r"
 
-expect -exact "Set touch policy of authentication key to on? \[y/N\]: "
+expect -exact "Set touch policy of AUT key to on? \[y/N\]: "
 send -- "y\r"
 expect eof
 
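Review bot: same per-version prompt string as the signature hunk; `-re "Set touch policy of (authentication|AUT) key to on\\? \\[y/N\\]: "` covers both wordings. Note also that this expectation hard-codes `to on?` while the signature-key one interpolates `$TOUCH_POLICY`; if the authentication key is meant to be always `on` regardless of the configured policy, a comment saying so would stop the next reader from "fixing" it.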
@@ -241,7 +241,7 @@ expect -exact "Enter Admin PIN: "
 stty -echo
 send -- "$ADMIN_PIN\r"
 
-expect -exact "Set touch policy of encryption key to on? \[y/N\]: "
+expect -exact "Set touch policy of ENC key to on? \[y/N\]: "
 send -- "y\r"
 expect eof
 
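Review bot: `ENC key` is not the final wording for this prompt either: the expect-ubuntu.sh patch further down this page changes the same line to `DEC key`. An exact match will therefore break on the next ykman release; use `-re "Set touch policy of (encryption|ENC|DEC) key to on\\? \\[y/N\\]: "`, and since this is the third near-identical block, keep the prompt pattern in one Tcl variable so all three stay in sync.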

I do not know why the strings don't match for me -- a regex may be appropriate here or something.

GPG Cache TTL not being respected on MacOS

On MacOS, the GPG User PIN cache is set with a TTL of 24 hours, but it is not being respected, and I am being asked for User PIN every few hours.

MacOS version: Big Sur 11.3.1
GPG Agent Conf:

nick.davis@COMP-C02CD0TCLVDN ~ > cat ~/.gnupg/gpg-agent.conf
# https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
pinentry-program /usr/local/bin/pinentry-mac
# For usability while balancing security, cache User PIN for at most a day.
default-cache-ttl 86400
max-cache-ttl 86400

Issue with PIN not being typed

I'm trying to get this awesome setup working, but when running ./gpg.sh it hangs when trying to change the PIN. It correctly selects option 1 but then never types the PIN; after it times out I can see the 123456.

Eg:

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. <redacted> detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
Please enter the PIN
PIN:
Error changing the PIN: Timeout

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 123456

I tried bumping the sleep in expect.sh to 1, switching from zsh to bash, but I can't seem to figure out what is going on, I can't get it to type it at the right time.

Any help would be greatly appreciated.

No restore point for script failure

The utility scripts overwrite existing files and configuration as they execute each instruction.
In case the script fails for some reason, all the modified files are left as they are, which sometimes corrupts the existing configuration.

It would be useful if the script backed up the relevant files and restored them in case of error.

reset.sh not working

My YubiKey seems to suddenly have no GPG key on it, so I tried to run git.sh and got this:

Setting your git-config global user.name...
Setting your git-config global user.email...
Setting git to use this GPG key globally.
Also, turning on signing of all commits and tags by default.

Exporting your GPG public key to GitHub.
gpg: WARNING: nothing exported
It has been copied to your clipboard.
You may now add it to GitHub: https://github.com/settings/gpg/new
Opening GitHub...

and sure enough, nothing was exported!

So I tried to run reset.sh and ...

1) all
2) 10350924
3) cancel
#? 2
You chose 10350924
Are you sure you want to reset 10350924 ? yes/no

Reset 10350924
./reset.sh: line 27: serial: command not found
Usage: ykman [OPTIONS] COMMAND [ARGS]...
Try "ykman -h" for help.

Error: Invalid value for "-d" / "--device":  is not a valid integer
./reset.sh: line 28: serial: command not found
Usage: ykman [OPTIONS] COMMAND [ARGS]...
Try "ykman -h" for help.

Error: Invalid value for "-d" / "--device":  is not a valid integer
./reset.sh: line 29: serial: command not found
Usage: ykman [OPTIONS] COMMAND [ARGS]...
Try "ykman -h" for help.

Error: Invalid value for "-d" / "--device":  is not a valid integer
./reset.sh: line 30: serial: command not found
Usage: ykman [OPTIONS] COMMAND [ARGS]...
Try "ykman -h" for help.

Error: Invalid value for "-d" / "--device":  is not a valid integer
./reset.sh: line 31: serial: command not found
Usage: ykman [OPTIONS] COMMAND [ARGS]...
Try "ykman -h" for help.

Error: Invalid value for "-d" / "--device":  is not a valid integer
./reset.sh: line 32: serial: command not found
Usage: ykman [OPTIONS] COMMAND [ARGS]...
Try "ykman -h" for help.

Error: Invalid value for "-d" / "--device":  is not a valid integer

`gpg.sh` broken on Ubuntu due to slightly-different output

Hey!

I'm running gpg.sh and my setup is breaking on this step:

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <[email protected]>"

Real name: Ivo Anjo
E-mail address: (HANGS HERE)

I did not know a lot about what the script was doing, but poking at it I found this step...

expect -exact "Email address: "

...and the problem is that my ykman outputs "E-mail" and not "Email".

I fixed that one and it broke again for a similar reason in

You selected this USER-ID:
    "Ivo Anjo (GPG on YubiKey for Datadog) <[email protected]>"

Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? 

Which is in

expect -exact "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? "

Here's some of the versions I'm using:

ivo.anjo@rubyshade:~/datadog/yubikey$ ykman -v
YubiKey Manager (ykman) version: 5.0.0
ivo.anjo@rubyshade:~/datadog/yubikey$ env | grep LANG
LANGUAGE=en_GB:en
LANG=en_GB.UTF-8
ivo.anjo@rubyshade:~/datadog/yubikey$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.1 LTS
Release:	22.04
Codename:	jammy

Adding / exporting SSH key does not always work

For some users, these particular steps tend to fail. Here is what one user reported:

Exporting your SSH public key to $keyid.ssh.pub. is the last message that was printed.
ssh-add -L | grep -iF 'cardno' > $keyid.ssh.pub seems to have "succeeded" but created an empty file.
ssh-add -L | grep -iF 'cardno' | pbcopy seems to have failed, returning 1, and exiting the script.

At least two users, including the one mentioned above, reported seeing this. What they share in common is that both had GPG already installed on their computer.

Cc: @dcoleman17

expects/expect-ubuntu.sh hanging forever due to wrong string

Was trying to setup my Yubikey on Ubuntu, and noticed it was hanging forever when it reached the step:

GnuPG needs to construct a user ID to identify your key.

Real name: Eduardo Ferreira
Email address:

Inspecting the script expects/expect-ubuntu.sh I noticed that the string it is expecting is expect -exact "E-mail address: ".

Noticed that there were 2 more steps where it was hanging forever:

diff --git a/expects/expect-ubuntu.sh b/expects/expect-ubuntu.sh
index 39c280e..be470ef 100755
--- a/expects/expect-ubuntu.sh
+++ b/expects/expect-ubuntu.sh
@@ -179,13 +179,13 @@ send -- "y\r"
 expect -exact "Real name: "
 send -- "$REALNAME\r"
 
-expect -exact "E-mail address: "
+expect -exact "Email address: "
 send -- "$EMAIL\r"
 
 expect -exact "Comment: "
 send -- "$COMMENT\r"
 
-expect -exact "Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? "
+expect -exact "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? "
 send -- "O\r"
 
 # Send new Admin PIN
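Review bot: this hunk reverts `E-mail address: ` to `Email address: ` and `(E)-mail` to `(E)mail`, but the preceding issue on this page reports the opposite mismatch (GnuPG printing `E-mail` with `LANG=en_GB.UTF-8`), so either exact string leaves one group of users hanging. Accept both with `expect -re "E-?mail address: "` and `expect -re "Change \\(N\\)ame, \\(C\\)omment, \\(E\\)-?mail or \\(O\\)kay/\\(Q\\)uit\\? "`, and add a `timeout` branch that exits with a message rather than hanging forever.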
@@ -241,7 +241,7 @@ expect -exact "Enter Admin PIN: "
 stty -echo
 send -- "$ADMIN_PIN\r"
 
-expect -exact "Set touch policy of ENC key to on? \[y/N\]: "
+expect -exact "Set touch policy of DEC key to on? \[y/N\]: "
 send -- "y\r"
 expect eof
 
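Review bot: `ENC` versus `DEC` for the decryption-key prompt is another per-version wording change (the expect.sh patch earlier on this page introduced `ENC`; this one needs `DEC`). `expect -re "Set touch policy of (ENC|DEC|encryption) key to on\\? \\[y/N\\]: "` accepts all of them, and the three touch-policy prompts should share one pattern variable rather than three hand-edited copies.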

Extend pinentry timeout

I routinely can't find my Yubikey pin in the 10 seconds that are the current timeout in the pinentry program. I tried adding the following to my gpg-agent.conf but no luck:

pinentry-timeout 300 # 5 mins

Do you know of another way to do this?

Q: How to setup on multiple machines?

This is a question and not an issue 😃

I was wondering how can I set this up for multiple machines? I have two personal machines and looking at the code it will setup new gpg keys, reset yubikey, etc.

What if I want to setup this once on one machine but then setup everything on a second machine without recreating keys / reseting yubikey?

I understand if this is not a supported behavior.
