List: gnupg-users
Subject: Re: "gpg --card-edit" with multiple card readers (Yubikey)
From: Michael Richardson <mcr () sandelman ! ca>
Date: 2023-07-07 18:32:15
Message-ID: 2133.1688754735 () localhost
Werner Koch via Gnupg-users <gnupg-users@gnupg.org> wrote:
> On Fri, 7 Jul 2023 14:22, Juanjo said:
>> This works fine with a single Yubikey, but we wanted to have more than
>> one connected at the same time in order to batch-configure them and
>> even to try to use multiple SSH key authentication in specific target
> Most of the time I am using several Yubikeys and other smartcards.
> Some even remotely. For example I use an SSH connection with socket
> forwarding to our build server. Over that connection I provide access
> to an Authenticode token, my release key and ssh keys on tokens.
> I should eventually describe the environment.
Yes please.
Could it go into a wiki page or something that people can comment on and/or amend?
The need for more secure, and more reproducible, code-signing environments is
becoming critical. Today, tcpdump.org, for instance, has a rather old
code-signing key, and we want to replace it with some hardware token, but we
really don't know what exactly to use, and don't want to be on the bleeding
edge here.
> As a starter:
> "no-autostart" in common.conf on the build box, gpg-card with "verify"
> to unlock keys on the desktop for remote use by the build process
> (Authenticode), and some keywords in the private key files
> (Use-for-p11, Use-for-ssh).
> To create keys, use gpg-card which can easily be scripted. Examples:
> $ gpg-card list D2760001240100000006154932830000 \
>     -- yubikey disable nfc all \
>     -- yubikey disable usb otp u2f piv oath fido2 \
>     -- yubikey list
> OTP    no   no
> U2F    no   no
> OPGP   yes  no
> PIV    no   no
> OATH   no   no
> FIDO2  no   no
>
> $ gpg-card
> [...]
> gpg/card> help generate
> GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF
>
> Create a new key on a card. Use --force to overwrite an existing
> key. Use "help" for ALGO to get a list of known algorithms. For
> OpenPGP cards several algos may be given. Note that the OpenPGP key
> generation is done interactively unless a single ALGO or KEYREF are
> given. [Supported by: OpenPGP, PIV]
Thank you.
Which model of Yubikey are you using?
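The batch-configuration Werner describes, as an added example that is not part of the thread: a script that applies his gpg-card command sequence to every connected YubiKey and then checks that only the OpenPGP application over USB remains enabled. It assumes GnuPG 2.3+ (gpg-card with the "list --cards" and "yubikey" subcommands) and that "list --cards" prints one card per line with the serial number as the first field.

```shell
#!/bin/sh
# Added example, not code from the thread. Batch-applies the gpg-card command
# sequence quoted above to every connected YubiKey, then checks that only the
# OpenPGP application over USB is left enabled. Assumes GnuPG 2.3+ (gpg-card
# with "list --cards" and "yubikey" subcommands) and that "list --cards"
# prints one card per line with the serial number as the first field.

# Apply the same sequence as in the thread: drop NFC for all applications
# and drop every USB application except OpenPGP.
configure_card() {
  gpg-card list "$1" \
    -- yubikey disable nfc all \
    -- yubikey disable usb otp u2f piv oath fido2
}

# Read "yubikey list" output on stdin (columns: application, USB, NFC).
# Succeed only if OPGP is "yes no" and every other application is "no no";
# header lines and anything that is not a yes/no row are ignored.
check_only_opgp_usb() {
  awk '
    NF < 3 || $2 !~ /^(yes|no)$/ { next }
    $1 == "OPGP" { seen = 1; if ($2 != "yes" || $3 != "no") bad = 1; next }
    { if ($2 != "no" || $3 != "no") bad = 1 }
    END { if (seen && !bad) exit 0; exit 1 }
  '
}

# Enumerate connected cards, configure each one and verify the result.
batch_configure() {
  gpg-card list --cards | while read -r serial _; do
    [ -n "$serial" ] || continue
    echo "== configuring $serial"
    configure_card "$serial"
    if gpg-card list "$serial" -- yubikey list | check_only_opgp_usb; then
      echo "OK: $serial now exposes only OpenPGP over USB"
    else
      echo "WARNING: $serial is not in the expected state, inspect it manually" >&2
    fi
  done
}

# Only touch hardware when explicitly asked (./batch-yubikey.sh --apply).
if [ "${1:-}" = "--apply" ]; then
  batch_configure
fi
```

The verification step is the part worth keeping even if the disable sequence changes: a token that still answers on NFC or exposes OTP/FIDO2 after provisioning is easy to miss by eye across a batch of keys.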
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users