Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/etsy/yubigpgkeyer
Script to make RSA authentication key generation on Yubikeys differently painful
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/etsy/yubigpgkeyer
- Owner: etsy
- License: mit
- Created: 2015-09-23T12:21:15.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2015-09-23T12:21:57.000Z (over 9 years ago)
- Last Synced: 2023-03-11T00:19:13.625Z (almost 2 years ago)
- Topics: non-sox
- Language: Python
- Size: 89.8 KB
- Stars: 26
- Watchers: 26
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
README
# YubiGPGKeyer
[Generating RSA keys on Yubikeys is a delight](https://www.yubico.com/2012/12/yubikey-neo-openpgp/) many of us have enjoyed, and it's fine for a single key. Once you start doing more than one key, say an organisation's worth, it quickly gets less enjoyable.
This script lets you programmatically generate keys with as little human interaction as possible (some remains, due to fragility and the real world). It even has JSON output if need be, so you can use it as part of another script.
## Requirements
* Python 3.
* pinentry-hax from [pinentry-hax](https://gist.github.com/barn/e3ff508c3032da3ff905) in the same directory. Needed for setting the PIN unattended.
* [ykneomgr](https://developers.yubico.com/libykneomgr/): `brew install ykneomgr`
* [ykpers](https://yubico.github.io/yubikey-personalization/): `brew install ykpers`
* [gnupg2](https://www.gnupg.org/), version 2.0.27 only tested: `brew install gnupg2`
* Some [Yubikey Neo Nanos](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/)

## Notes
The firmware version of the Yubikey is *very* important. The version that has worked with this is 3.3.7. Earlier versions have had different PIN requirements; later ones, well, who knows. This isn't the most reliable or rugged process.
There's a lot of unplugging and plugging back in involved.
Running `gpg2 --card-status` can also help kick it if it can't find the card, as can waiting until the light turns off.
See also [Ben Hughes' blog on the subject](https://mumble.org.uk/blog/2015/03/17/pining-for-gpg-to-try/).
## Usage.
```
usage: gpg_gener8.py [-h] --name "Mr. Etsy" --email "[email protected]"
[--json] [--overwrite] [--pin 1234] [--adminpin 12345]
[--newpin 4321] [--newadminpin 54321] [--randomnewpin]
[--randomnewadminpin] [--forcecard neo-nano]
gpg_gener8.py: error: the following arguments are required: --name/-n, --email/-e
```

## Example
Run the simple, not unwieldy at all:
```
localtoast% python3 gpg_gener8.py --name 'Isabel Tate' --email '[email protected]' --pin 123456 --adminpin 123456 --randomnewpin --randomnewadminpin
```

Which, after some prompting, will output:
```
For name "Isabel Tate", email: [email protected]
Yubikey serial: 3281265
PIN set to: 793574
Admin PIN set to: 23457830
Public key:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== cardno:000202925496
```

There's the JSON output too, if you wish to feed it into something else.
# Contributing
Please do! See [Contributing](CONTRIBUTING.md)
# Bugs
Almost certainly; see the [issue tracker](https://github.com/etsy/yubigpgkeyer/issues) on GitHub.
# Credits
Thanks to [ecraven](https://github.com/ecraven) for pinentry-emacs.
Thanks to [@antifuchs](https://twitter.com/antifuchs) for assisting with battling pinentry and GPG.