Using gpg-agent
Why do this? First, it limits the number of projects responsible for your keys; and second, it works well with smartcards / things like Gnuk!
There are several key things missing from all extant guides for using gpg-agent rather than ssh-agent. The main ones are: double check permissions, specification of the pinentry program, and setting SSH_AUTH_SOCK. You'll also need to add your key using ssh-add, and set nice timeouts.
generate your keys
Use the guide on secure secure shell in PrivacyGroup#other tools to install GPG from signed source with a verified hash, and to generate strong keys. I installed the latest stable version.
getting gpg-agent to run on startup with ssh support
Copy this to .gnupg/gpg-agent.conf:
enable-ssh-support
setting good timeouts
Copy this to .gnupg/gpg-agent.conf:
default-cache-ttl-ssh 28800
max-cache-ttl-ssh 43200
setting pinentry and other options for gpg-agent
Copy this to .gnupg/gpg-agent.conf:
pinentry-program /usr/bin/pinentry-gtk-2
modifying .xsessionrc
There's an environment file (which I've called gpg-agent.env) which holds some environment variables that need to be set. If it doesn't exist, it is generated and subsequently reused. There's also some logging done for debugging which parts of the script ran, which you can disable once things work by commenting out the echo lines.
Add this to $HOME/.xsessionrc (some may not be necessary; I will update this):
GPGAGENT=/usr/local/bin/gpg-agent
envfile="$HOME/.gnupg/gpg-agent.env"
# Reuse the saved environment if the agent whose pid it records is still alive.
# GPG_AGENT_INFO has the form path:pid:protocol, so field 2 is the pid.
# POSIX test brackets, since Xsession sources this file with /bin/sh.
if [ -e "$envfile" ] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    eval "$(cat "$envfile")"
    echo ran $(cat "$envfile") >> $HOME/gpgagent_debug
else
    # Otherwise start a fresh agent and have it write a new env file.
    eval "$($GPGAGENT --daemon --enable-ssh-support --write-env-file "$envfile")"
    #echo did $GPGAGENT --daemon --enable-ssh-support --write-env-file "$envfile" >> $HOME/gpgagent_debug
fi
export GPG_AGENT_INFO # the env file does not contain the export statement
unset SSH_AGENT_PID   # make sure nothing points ssh at a leftover ssh-agent
# The env file already sets SSH_AUTH_SOCK to the agent's actual socket; this
# override only matters when the agent uses the standard socket under ~/.gnupg.
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
    #echo did export SSH_AUTH_SOCK=$SSH_AUTH_SOCK >> $HOME/gpgagent_debug
fi
stop gnome-keyring and ssh-agent from running
In Ubuntu you'll need to move the gnome-keyring-* files from /usr/share/upstart/sessions to a temporary location (these can be removed once everything works, if desired).
check the permissions on your .gnupg and .ssh directories
gpg-agent will silently fail with SSH_AGENT_FAILED (if I remember right) if the permissions for your directories are not correct. Ensure .gnupg and .ssh are accessible only by you, then tighten the files inside them (the subdirectories private-keys-v1.d and crls.d must stay traversable, and public keys may stay world-readable):
chmod 700 ~/.gnupg ~/.ssh
chmod 600 ~/.gnupg/* ~/.ssh/*
chmod 700 ~/.gnupg/private-keys-v1.d ~/.gnupg/crls.d
chmod 644 ~/.ssh/*.pub
restart and check that things worked
After restarting (or just restarting X, e.g. on Ubuntu, switching to another terminal with Ctrl-Alt-F1, logging in and doing 'sudo service lightdm restart'), do
gpg-agent
on its own to tell if the agent is running, then
env | grep -Ei "(ssh)|(gpg)"
to check the environment variables that have been set. You should see GPG_AGENT_INFO with a string like /tmp/gpg-p5FAuH/S.gpg-agent:1611:1 . If the path in the first field isn't under /tmp like that, you may have ssh-agent or gnome-keyring running, which you'll need to stop. You should also see GPG_TTY=/dev/pts/19 . This should be your tty (check by doing 'tty'). Finally, you should see the socket location, which should look like SSH_AUTH_SOCK=/tmp/gpg-Ry2jg5/S.gpg-agent.ssh.
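As an added check script (not part of this guide), the POSIX sh functions below verify the three things that most often go wrong in this setup: directory and key-file permissions, enable-ssh-support in gpg-agent.conf, and whether SSH_AUTH_SOCK actually points at gpg-agent's socket rather than one from ssh-agent or gnome-keyring. It assumes GNU stat (as on Ubuntu); run it with --run to check the live environment.

```shell
#!/bin/sh
# Added example: sanity checker for a gpg-agent-as-ssh-agent setup.
# Assumes GNU coreutils stat (Ubuntu), as the guide above does.

# check_perms DIR: DIR must be 0700; regular files inside must be 0600,
# except *.pub which may be 0644; subdirectories (private-keys-v1.d,
# crls.d) must be 0700. Prints each deviation, returns 1 if any.
check_perms() {
    dir=$1; rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    mode=$(stat -c %a "$dir")
    [ "$mode" = 700 ] || { echo "$dir is $mode, want 700"; rc=1; }
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue            # unmatched glob
        mode=$(stat -c %a "$f")
        if [ -d "$f" ]; then want=700
        else case $f in *.pub) want=644 ;; *) want=600 ;; esac
        fi
        [ "$mode" = "$want" ] || { echo "$f is $mode, want $want"; rc=1; }
    done
    return $rc
}

# conf_has_ssh_support FILE: enable-ssh-support must be present as a whole
# line; a commented-out line does not count.
conf_has_ssh_support() {
    grep -qx 'enable-ssh-support' "$1" 2>/dev/null
}

# sock_is_gpg_agent PATH: gpg-agent's ssh socket is always named
# S.gpg-agent.ssh; any other name means another agent set SSH_AUTH_SOCK.
sock_is_gpg_agent() {
    case $1 in */S.gpg-agent.ssh) return 0 ;; *) return 1 ;; esac
}

# Run every check against the live environment; returns the failure count.
main() {
    fails=0
    check_perms "$HOME/.gnupg" || fails=$((fails + 1))
    check_perms "$HOME/.ssh"   || fails=$((fails + 1))
    conf_has_ssh_support "$HOME/.gnupg/gpg-agent.conf" \
        || { echo "enable-ssh-support missing from gpg-agent.conf"; fails=$((fails + 1)); }
    sock_is_gpg_agent "${SSH_AUTH_SOCK:-}" \
        || { echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset} is not gpg-agent's socket"; fails=$((fails + 1)); }
    [ -S "${SSH_AUTH_SOCK:-}" ] \
        || { echo "socket ${SSH_AUTH_SOCK:-unset} does not exist"; fails=$((fails + 1)); }
    return $fails
}

if [ "${1:-}" = --run ]; then main; fi
```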