Using a GnuPG smart card, Yubikey/NitroKey for SSH on Mac

Install GnuPG and a decent PIN entry program

$ brew install gnupg2 pinentry-mac

Configure GnuPG

We’ll need to tell GnuPG to use the new PIN entry program as well as enable SSH support for its agent.

In ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/local/bin/pinentry-mac
enable-ssh-support

Start the agent on startup

GnuPG has its own mechanism to start the agent the first time you use it, so explicitly starting the agent is no longer necessary. SSH however does not support this mechanism, so if we want to use the GPG agent as an SSH agent we’ll need to make sure it’s always running. A quick change to your shell’s startup scripts (~/.zshrc.local in my case) takes care of that.

We’re exporting the location of the SSH agent socket and then checking whether a valid UNIX socket exists at that path. If it doesn’t, we launch gpg-agent. Note that gpgconf is smart enough not to launch a second agent if one is already running, so even if the check somehow fails (a race condition, for instance) it won’t cause any problems.

In ~/.zshrc.local:

# GnuPG: use gpg-agent as the SSH agent
export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
# Launch the agent only if its SSH socket is not already present
[ -S "$SSH_AUTH_SOCK" ] || gpgconf --launch gpg-agent

Finally restart your shell (just open a new terminal) and enjoy:

$ ssh-add -L
ssh-rsa AAAAB3NzaC1... cardno:000500002B9C
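As an added check (example code, not from the original post), here is a small POSIX shell script that validates the pieces above: that gpg-agent.conf carries both settings and points at a pinentry binary that actually exists (Homebrew installs to a different prefix on some Macs, so a wrong path is a common failure), that SSH_AUTH_SOCK really is gpg-agent’s socket, and that the keys ssh-add offers are card-backed (the cardno: comment). The only assumptions are gpgconf and ssh-add in PATH and the $HOME paths; the helper functions take file paths or plain text so they can be exercised without a card present.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the GnuPG-as-SSH-agent setup.
# Assumes GnuPG 2.1+ with gpgconf and ssh-add in PATH when run for real.

# Return 0 if the gpg-agent.conf at $1 has both settings this setup needs and the
# configured pinentry binary is executable; print what is wrong otherwise.
check_agent_conf() {
  conf="$1"; ok=0
  grep -q '^enable-ssh-support' "$conf" || { echo "missing: enable-ssh-support"; ok=1; }
  pinentry=$(sed -n 's/^pinentry-program[[:space:]]*//p' "$conf" | head -n 1)
  [ -n "$pinentry" ] || { echo "missing: pinentry-program"; ok=1; }
  [ -z "$pinentry" ] || [ -x "$pinentry" ] || { echo "pinentry not executable: $pinentry"; ok=1; }
  return $ok
}

# Filter `ssh-add -L` output ($1 = text) down to keys that live on a smart card.
# gpg-agent marks those with a "cardno:<serial>" comment; anything else came from
# a software key listed in ~/.gnupg/sshcontrol and is not card-backed.
card_backed_keys() {
  printf '%s\n' "$1" | grep 'cardno:' || true
}

# Resolve the agent's SSH socket. Depending on the GnuPG version it lives under
# ~/.gnupg or a per-user run directory; gpgconf knows which, so ask it first.
gpg_ssh_socket() {
  gpgconf --list-dirs agent-ssh-socket 2>/dev/null || echo "$HOME/.gnupg/S.gpg-agent.ssh"
}

# Full check, meant to be run in a shell where the startup snippet above has executed.
verify_setup() {
  sock=$(gpg_ssh_socket)
  [ "$SSH_AUTH_SOCK" = "$sock" ] || echo "warning: SSH_AUTH_SOCK=$SSH_AUTH_SOCK is not $sock"
  [ -S "$sock" ] || { echo "gpg-agent socket missing; run: gpgconf --launch gpg-agent"; return 1; }
  check_agent_conf "$HOME/.gnupg/gpg-agent.conf" || return 1
  keys=$(card_backed_keys "$(ssh-add -L 2>/dev/null)")
  [ -n "$keys" ] || { echo "no card-backed keys offered; is the card inserted?"; return 1; }
  echo "$keys"
}
```

Source the file and call verify_setup; a clean run prints only the card-backed public keys.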
