Using a GnuPG smart card, Yubikey/NitroKey for SSH on Mac

 Install GnuPG and a decent PIN entry program

$ brew install gnupg2 pinentry-mac

 Configure GnuPG

We’ll need to tell GnuPG to use the new PIN entry program as well as enable SSH support for its agent.

In ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/local/bin/pinentry-mac
enable-ssh-support

 Start the agent on startup

GnuPG has its own mechanism to start the agent the first time you use it, so explicitly starting the agent is no longer necessary. SSH however does not support this mechanism, so if we want to use the GPG agent as an SSH agent we’ll need to make sure it’s always running. A quick change to your shell’s startup scripts (~/.zshrc.local in my case) takes care of that.

We export the location of the SSH agent socket and then check whether a valid UNIX socket exists at that path. If no socket is there, we launch gpg-agent. Note that gpgconf is smart enough not to launch a second agent if one is already running, so even if the check somehow fails (race condition, etc.) it won’t cause any problems.

In ~/.zshrc.local:

# GnuPG: use gpg-agent as the SSH agent
export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
# Launch the agent only if its SSH socket does not exist yet
[ -S "$SSH_AUTH_SOCK" ] || gpgconf --launch gpg-agent

Finally restart your shell (just open a new terminal) and enjoy:

$ ssh-add -L
ssh-rsa AAAAB3NzaC1... cardno:000500002B9C
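As an added example (not part of the original post), here is a slightly more defensive version of the startup snippet: it asks gpgconf where the agent's SSH socket actually lives instead of hard-coding the path, falls back to the path used above when gpgconf is not available, launches the agent only when the socket is missing, and offers a check that a smart-card key is really being served. The GPGCONF variable is an assumed override hook, not a GnuPG setting.

```shell
#!/bin/sh
# GPGCONF is an assumed override so the fallback path can be exercised.
GPGCONF="${GPGCONF:-gpgconf}"

# Print the path of gpg-agent's SSH socket. Newer GnuPG releases may place it
# outside ~/.gnupg, so ask gpgconf first and fall back to the post's path.
resolve_ssh_auth_sock() {
    sock=$("$GPGCONF" --list-dirs agent-ssh-socket 2>/dev/null || true)
    [ -n "$sock" ] || sock="$HOME/.gnupg/S.gpg-agent.ssh"
    printf '%s\n' "$sock"
}

# Return 0 only if the given path is a UNIX socket (a plain file is not enough).
agent_socket_ready() {
    [ -S "$1" ]
}

# Point SSH at gpg-agent and start the agent if its socket is not there yet.
# gpgconf refuses to start a second agent, so calling this twice is harmless.
ensure_gpg_agent() {
    SSH_AUTH_SOCK=$(resolve_ssh_auth_sock)
    export SSH_AUTH_SOCK
    agent_socket_ready "$SSH_AUTH_SOCK" || "$GPGCONF" --launch gpg-agent
}

# Return 0 if ssh-add lists at least one key served from a smart card;
# gpg-agent tags such keys with a "cardno:" comment, as in the output above.
card_key_loaded() {
    ssh-add -L 2>/dev/null | grep -q 'cardno:'
}
```

Source this file from ~/.zshrc.local and call ensure_gpg_agent; card_key_loaded is handy in a prompt or a pre-commit hook to confirm the card, not a file-based key, is what SSH will use.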