Using a GnuPG smart card, Yubikey/NitroKey for SSH on Mac
Install GnuPG and a decent PIN entry program
$ brew install gnupg2 pinentry-mac
Configure GnuPG
We’ll need to tell GnuPG to use the new PIN entry program as well as enable SSH support for its agent.
# ~/.gnupg/gpg-agent.conf
# Use the Homebrew pinentry (on Apple Silicon Homebrew installs to /opt/homebrew/bin instead)
pinentry-program /usr/local/bin/pinentry-mac
# Make gpg-agent also answer ssh-agent protocol requests
enable-ssh-support
Start the agent on startup
GnuPG has its own mechanism to start the agent the first time you use it, so explicitly starting the agent is no longer necessary. SSH however does not support this mechanism, so if we want to use the GPG agent as an SSH agent we’ll need to make sure it’s always running. A quick change to your shell’s startup scripts (~/.zshrc.local in my case) takes care of that.
We’re exporting the location of the SSH agent socket and then checking whether a valid UNIX socket exists at that path. If the check is false we launch the GPG agent. Note that gpgconf is smart enough not to launch a second agent if one is already running, so even if the check somehow fails (race condition, etc.) it won’t cause any problems.
# GnuPG
# Point SSH at gpg-agent's SSH socket (gpgconf --list-dirs agent-ssh-socket prints the path GnuPG actually uses)
export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
# Launch the agent only if nothing is listening on that socket yet
[ -S "$SSH_AUTH_SOCK" ] || gpgconf --launch gpg-agent
Finally restart your shell (just open a new terminal) and enjoy:
$ ssh-add -L
ssh-rsa AAAAB3NzaC1... cardno:000500002B9C
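The socket check from the startup script and the `ssh-add -L` output above, turned into two small checks as an added example (not code from the original post): the first makes the launch step testable, the second verifies that every key the agent offers carries a `cardno:` comment, i.e. that no software key has slipped into the agent alongside the card. The launcher argument and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Succeed immediately if $1 is a live UNIX socket; otherwise run the launcher
# given as the remaining arguments (defaults to gpgconf --launch gpg-agent).
ensure_agent_socket() {
    sock=$1
    shift
    [ -S "$sock" ] && return 0
    if [ $# -gt 0 ]; then
        "$@"
    else
        gpgconf --launch gpg-agent
    fi
}

# Read `ssh-add -L` output on stdin. Succeed only if at least one key is listed
# and every key has a `cardno:` comment, meaning it lives on the smart card.
only_card_keys() {
    n=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        n=$((n + 1))
        case "$line" in
            *" cardno:"*) ;;
            *)
                echo "key $n (${line%% *}) is not card-backed" >&2
                return 1
                ;;
        esac
    done
    [ "$n" -gt 0 ]
}

# Typical use from a startup script (assumes gpgconf and a card are present):
# SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket); export SSH_AUTH_SOCK
# ensure_agent_socket "$SSH_AUTH_SOCK" && ssh-add -L | only_card_keys
```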