Using a GnuPG smart card, Yubikey/NitroKey for SSH on Mac

Install GnuPG and a decent PIN entry program

$ brew install gnupg2 pinentry-mac

Configure GnuPG

We’ll need to tell GnuPG to use the new PIN entry program and to enable SSH support in its agent.

In ~/.gnupg/gpg-agent.conf:

# PIN prompts come from pinentry-mac (adjust the path if Homebrew installed it elsewhere)
pinentry-program /usr/local/bin/pinentry-mac
# expose the card's authentication key through the agent's SSH socket
enable-ssh-support

Start the agent on startup

GnuPG has its own mechanism to start the agent the first time you use it, so explicitly starting the agent is no longer necessary. SSH however does not support this mechanism, so if we want to use the GPG agent as an SSH agent we’ll need to make sure it’s always running. A quick change to your shell’s startup scripts (~/.zshrc.local in my case) takes care of that.

We export the location of the SSH agent socket and then check whether a UNIX socket exists at that path. If it does not, we launch gpg-agent. Note that gpgconf is smart enough not to launch a second agent if one is already running, so even if the check somehow fails (a race condition, for example) it won’t cause any problems.

In ~/.zshrc.local:

# GnuPG
# the agent's SSH socket; `gpgconf --list-dirs agent-ssh-socket` prints the exact path for your setup
export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
# launch the agent only if no socket is present at that path
[ -S "$SSH_AUTH_SOCK" ] || gpgconf --launch gpg-agent

Finally restart your shell (just open a new terminal) and enjoy:

$ ssh-add -L
ssh-rsa AAAAB3NzaC1... cardno:000500002B9C
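As an added example that is not part of the original post, the following shell functions turn the steps above into a checklist you can run when the card key does not show up: check_agent_conf and card_serial work offline, while ensure_agent assumes gpgconf and ssh-add are on PATH and that GNUPGHOME (or ~/.gnupg) holds the agent configuration.

```shell
# Added example, not from the original post: a checklist for the
# gpg-agent-as-SSH-agent setup. check_agent_conf and card_serial run
# offline; ensure_agent assumes gpgconf and ssh-add are on PATH.

# check_agent_conf FILE: succeed only if FILE both enables SSH support and
# names a pinentry program, reporting whichever line is missing.
check_agent_conf() {
  conf=$1
  rc=0
  if ! grep -q '^enable-ssh-support' "$conf" 2>/dev/null; then
    echo "missing: enable-ssh-support in $conf" >&2
    rc=1
  fi
  if ! grep -q '^pinentry-program ' "$conf" 2>/dev/null; then
    echo "missing: pinentry-program in $conf" >&2
    rc=1
  fi
  return $rc
}

# card_serial LINE: extract the serial from an `ssh-add -L` line whose
# comment is cardno:<serial>, which is how gpg-agent labels card-held keys.
card_serial() {
  printf '%s\n' "$1" | sed -n 's/.*cardno:\([0-9A-Za-z]*\).*/\1/p'
}

# ensure_agent: resolve the agent's SSH socket with gpgconf rather than
# hardcoding ~/.gnupg/S.gpg-agent.ssh, launch the agent if the socket is
# absent, point SSH_AUTH_SOCK at it, and confirm a card-held key is listed.
ensure_agent() {
  check_agent_conf "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" || return 1
  sock=$(gpgconf --list-dirs agent-ssh-socket) || return 1
  [ -S "$sock" ] || gpgconf --launch gpg-agent
  export SSH_AUTH_SOCK="$sock"
  key=$(ssh-add -L 2>/dev/null | grep 'cardno:' | head -n 1)
  if [ -z "$key" ]; then
    echo "no smart-card key exposed via $sock" >&2
    return 1
  fi
  echo "card $(card_serial "$key") available on $sock"
}
```

Source the file from your shell startup script and call ensure_agent in place of the two-line snippet if you want the socket path resolved by gpgconf instead of hardcoded.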
