Show HN: GPG on macOS and YubiKey

150 points by trishankdatadog, over 5 years ago

12 comments

dkanejs, over 5 years ago
Nice repo.

For those starting from scratch with a YubiKey I always recommend this guide:

https://github.com/drduh/YubiKey-Guide

Then they know how this stuff works and how to fix it when it breaks.
eximius, over 5 years ago
I've been very pleasantly surprised by how easy it was to get everything set up on NixOS:

```nix
programs.gnupg.agent = {
  enable = true;
  enableSSHSupport = true;
};

services.udev.packages = [ pkgs.yubikey-personalization pkgs.libu2f-host ];
services.pcscd.enable = true;

environment.shellInit = ''
  export GPG_TTY="$(tty)"
  gpg-connect-agent /bye
  export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';
```

The only surprise I had was that I forgot to tell gpg to trust the imported key after I imported it.

Combine this with GoPass... it's the start of something good :)
Leace, over 5 years ago
> Optional: verify public key on Keybase.

For organizations, publishing employee keys via Web Key Directory can also be an additional signal that the key is trustworthy.

It's also quite simple: for example, exporting the key 5C090ED7318B6C1E (binary, *not* armored) and putting it on this exact URL: https://datadoghq.com/.well-known/openpgpkey/hu/964aj6q73iatngoya1q7qs4r6utpmb4g is enough to discover the key using the e-mail address.

This post goes into more detail: https://spacekookie.de/blog/usable-gpg-with-wkd/

WKD is used by Linux distros (ArchLinux, Gentoo, Debian...) and kernel.org itself: https://www.kernel.org/category/signatures.html#using-the-web-key-directory as well as some OpenPGP sites (e.g. ProtonMail).
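The comment above relies on the WKD naming rule (the 32-character `hu/...` directory name is derived from the mailbox's local part), so here is an added example of how a client computes the lookup URLs for an address. It is not code from the thread, from DataDog's yubikey repository, or from the linked blog post; it implements the rule from the WKD draft (lowercase the local part, SHA-1 it, z-base-32 encode the digest). The addresses `alice@example.org` and `Joe.Doe@Example.ORG` are constructed placeholders.

```python
"""Compute OpenPGP Web Key Directory (WKD) lookup URLs for an e-mail address.

Added example, not taken from the thread or any linked project. It follows
draft-koch-openpgp-webkey-service: the local part is lower-cased, hashed
with SHA-1, and the digest is z-base-32 encoded to give the directory name
under .well-known/openpgpkey/. E-mail addresses used here are constructed.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (this is NOT the RFC 4648 base32 alphabet).
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: big-endian 5-bit groups, no padding characters."""
    bits = "".join(f"{b:08b}" for b in data)
    # Zero-pad to a multiple of 5 bits; a 20-byte SHA-1 digest (160 bits) needs no padding.
    bits += "0" * (-len(bits) % 5)
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """Directory name for a mailbox: zbase32(SHA-1(lowercase(local_part)))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)  # always 32 characters for a 20-byte digest


def wkd_urls(email: str) -> dict:
    """Return the 'direct' and 'advanced' WKD URLs plus the policy URL.

    The ?l= query carries the original, case-preserved local part so a server
    with case-sensitive mailboxes can still resolve the request.
    """
    local_part, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")
    return {
        "hash": h,
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
        "advanced": (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                     f"{domain}/hu/{h}{query}"),
        "policy": f"https://{domain}/.well-known/openpgpkey/policy",
    }


if __name__ == "__main__":
    # Constructed addresses; the second shows that case in the local part
    # does not change the hash but is preserved in the ?l= parameter.
    for addr in ("alice@example.org", "Joe.Doe@Example.ORG"):
        for name, value in wkd_urls(addr).items():
            print(f"{addr:22} {name:9} {value}")
```

A client fetches the "advanced" URL first and falls back to the "direct" one; the response must be a binary OpenPGP public key (as the comment notes, not ASCII-armored). Before importing what comes back, compare its fingerprint against a value obtained out of band (the key ID in the comment, a Keybase proof, a signed release page): WKD is only as trustworthy as the TLS and DNS of the domain serving it, so it is a discovery and corroboration channel, not a substitute for fingerprint verification.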
oil25, over 5 years ago
> For usability while balancing security, cache PIN for at most a day.

https://github.com/DataDog/yubikey/blob/master/gpg.sh#147

This statement has no effect when using Yubikey - the PIN is cached by the key itself and it will remain unlocked indefinitely until it's physically unplugged. See https://dev.gnupg.org/T3362
jtaft, over 5 years ago
It's not polished, but here's a vagrant box which can provision Yubikey's PGP and PIV applications. Additional hardening can be performed.

https://github.com/justintaft/yubikey-gpg-piv-provision
trishankdatadog, over 5 years ago
Main contributor here! Let me know if you have questions.
matheusmoreira, over 5 years ago
Using a hardware token to protect the subkeys is important but it is also necessary to protect the primary key by keeping it offline.

The best method I know is to store it on paper with the help of paperkey:

http://www.jabberwocky.com/software/paperkey/

The tool also supports a raw output mode which can be piped to a QR encoder. 4096 bit RSA secret keys fit in binary QR codes and they are much easier to use compared to manual data entry.

Current versions of zbar can't decode binary data in QR codes properly. I've sent some patches that fix the problem but they haven't been reviewed yet. Hopefully it will be possible to automate this process with zbarcam soon.
m3nu, over 5 years ago
Personally I mostly use it for SSH via PKCS11. I found that simpler than GPG because it's already integrated with SSH.

Still looking forward to SSH supporting U2F (some day).
rmoriz, over 5 years ago
Yubikey as a second factor for macOS login is still not possible, right?
samwestdev, over 5 years ago
Is signing every commit really that useful?
new_realist, over 5 years ago
Is there a similar guide for TouchID?
microcolonel, over 5 years ago
Slightly related: Anyone know why Google Chrome (not upstream Chromium, nor any derivative) is the only browser on Android that implements WebAuthn as intended? Do they implement it as a proprietary component?