"gpg --card-edit" with multiple card readers (Yubikey)

Michael Richardson mcr at sandelman.ca
Fri Jul 7 20:32:15 CEST 2023


Werner Koch via Gnupg-users <gnupg-users at gnupg.org> wrote:
    > On Fri, 7 Jul 2023 14:22, Juanjo said:

    >> This works fine with a single Yubikey, but we wanted to have more than
    >> one connected at the same time in order to batch-configure them and
    >> even to try to use multiple SSH key authentication in specific target

    > Most of the time I am using several Yubikeys and other smartcards.
    > Some even remotely.  For example I use an SSH connection with socket
    > forwarding to our build server.  Over that connection I provide access
    > to an Authenticode token, my release key and ssh keys on tokens.

    > I should eventually describe the environment.

Yes please.
Could it go into a wiki page or something that people can comment on and/or amend?

The need for more secure, and more reproducible code-signing environments is
becoming critical.  Today, tcpdump.org, for instance, has a rather old
code-signing key, and we want to replace it with some hardware token, but we
really don't know what exactly to use, and don't want to be on the bleeding
edge here.

    > As a starter:
    > "no-autostart" in common.conf on the build box, gpg-card with "verify"
    > to unlock keys on the desktop for remote use by the build process
    > (Authenticode), and some keywords in the private key files
    > (Use-for-p11, Use-for-ssh).

    > To create keys, use gpg-card which can easily be scripted.  Examples:

    >    $ gpg-card list D2760001240100000006154932830000 \
    >        -- yubikey disable nfc all \
    >        -- yubikey disable usb otp u2f piv oath fido2 \
    >        -- yubikey list
    >    OTP    no   no
    >    U2F    no   no
    >    OPGP   yes  no
    >    PIV    no   no
    >    OATH   no   no
    >    FIDO2  no   no

    >    $ gpg-card
    >    [...]
    >    gpg/card> help generate
    >    GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF
    >
    >    Create a new key on a card.  Use --force to overwrite an existing
    >    key.  Use "help" for ALGO to get a list of known algorithms.  For
    >    OpenPGP cards several algos may be given.  Note that the OpenPGP key
    >    generation is done interactively unless a single ALGO or KEYREF are
    >    given.  [Supported by: OpenPGP, PIV]

Thank you.
Which model of Yubikey are you using?
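The batch-configuration Juanjo asked about and the gpg-card one-liner Werner quoted, put together as an added shell script (not code from the thread or from the GnuPG project): it runs the same disable sequence for each card serial passed on the command line and then checks the "yubikey list" table so a card that still exposes PIV, FIDO2 or NFC is reported instead of silently passed. It assumes a gpg-card build that has the "yubikey" command used above, that serials are given in the D276... OpenPGP form from the example, and that the interface table comes back as "APP USB NFC" lines as shown; the sample output in the test is constructed from the thread's own listing.

```shell
#!/bin/sh
# Added example: harden several Yubikeys with gpg-card and verify the result.
# Assumes gpg-card with the "yubikey" subcommand shown in the thread.
set -u

# The argument sequence from Werner's example for one card: turn every
# application off on NFC, keep only OpenPGP on USB, then print the table.
harden_args() {
    serial="$1"
    printf 'list %s -- yubikey disable nfc all -- yubikey disable usb otp u2f piv oath fido2 -- yubikey list' "$serial"
}

# Read gpg-card output on stdin and succeed only when the "yubikey list"
# table shows OPGP enabled on USB and every other application off on both
# interfaces. Lines whose second field is not yes/no (card info, header,
# blank lines) are skipped, so the preceding "list" output does not matter.
verify_opgp_only() {
    awk '
        $2 != "yes" && $2 != "no" { next }
        $1 == "OPGP" { seen = 1; if ($2 != "yes" || $3 != "no") bad++; next }
                     { if ($2 != "no" || $3 != "no") bad++ }
        END { exit (seen && !bad) ? 0 : 1 }
    '
}

# Apply the sequence to each serial. DRY_RUN=1 prints the command lines only,
# which is the form to review before plugging in a batch of cards.
harden_cards() {
    rc=0
    for serial in "$@"; do
        args=$(harden_args "$serial")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "gpg-card $args"
            continue
        fi
        # gpg-card takes the whole command sequence as positional arguments;
        # $args is intentionally unquoted so it is split into those words.
        if gpg-card $args | verify_opgp_only; then
            echo "$serial: OK, only OpenPGP over USB"
        else
            echo "$serial: interface table not as expected" >&2
            rc=1
        fi
    done
    return $rc
}

if [ $# -gt 0 ]; then
    harden_cards "$@"
fi
```

Usage is `./harden-yubikeys.sh SERIAL1 SERIAL2 ...`, or with `DRY_RUN=1` in the environment to print the gpg-card invocations without touching any card. The verification step is the part worth keeping even if the disable sequence changes: the table printed by "yubikey list" is the ground truth for which interfaces a given key still answers on.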
