diff --git a/README.md b/README.md index 51f9009..1e8af57 100644 --- a/README.md +++ b/README.md @@ -367,7 +367,7 @@ Subkeys must be renewed or rotated using the Certify key - see [Updating keys](# Set Subkeys to expire on a planned date: ```console -export EXPIRATION=2027-05-01 +export EXPIRATION=2027-07-01 ``` The expiration date may also be relative, for example set to two years from today: @@ -438,7 +438,7 @@ export KEYID=$(gpg -k --with-colons "$IDENTITY" | \ export KEYFP=$(gpg -k --with-colons "$IDENTITY" | \ awk -F: '/^fpr:/ { print $10; exit }') -printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP" +printf "\nKey ID/Fingerprint: %20s\n%s\n\n" "$KEYID" "$KEYFP" ```
@@ -487,14 +487,27 @@ EOF # Create Subkeys -Generate Signature, Encryption and Authentication Subkeys using the previously configured key type, passphrase and expiration: +Generate Signature and Encryption Subkeys using the previously configured key type, passphrase and expiration: ```console -for SUBKEY in sign encrypt auth ; do \ - echo "$CERTIFY_PASS" | \ +echo "$CERTIFY_PASS" | \ gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \ - --quick-add-key "$KEYFP" "$KEY_TYPE" "$SUBKEY" "$EXPIRATION" -done + --quick-add-key "$KEYFP" "$KEY_TYPE" sign "$EXPIRATION" + +echo "$CERTIFY_PASS" | \ + gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \ + --quick-add-key "$KEYFP" "$KEY_TYPE" encrypt "$EXPIRATION" +``` + +Followed by the Authentication Subkey: + +> [!NOTE] +> Some systems no longer accept RSA for SSH authentication; set the `KEY_TYPE` variable to `ed25519` before generating Authentication Subkey. + +``` +echo "$CERTIFY_PASS" | \ + gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \ + --quick-add-key "$KEYFP" "$KEY_TYPE" auth "$EXPIRATION" ``` # Verify keys @@ -1793,7 +1806,7 @@ gpg-connect-agent "scd serialno" "learn --force" /bye Alternatively, use a script to delete the GnuPG shadowed key, where the serial number is stored (see [GnuPG #T2291](https://dev.gnupg.org/T2291)): ```console -cat >> ~/scripts/remove-keygrips.sh <> ~/scripts/remove-keygrips.sh <&2; exit 1; } KEYGRIPS=$(gpg --with-keygrip --list-secret-keys "$@" | awk '/Keygrip/ { print $3 }') diff --git a/scripts/generate.sh b/scripts/generate.sh index faf857f..a054585 100755 --- a/scripts/generate.sh +++ b/scripts/generate.sh @@ -11,14 +11,20 @@ umask 077 export LC_ALL="C" +fail() { + # Print an error string in red and exit. + tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0 + exit 1 +} + print_cred () { - # Print a credential string in red. - tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0 + # Print a credential string in red. + tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0 } print_id () { - # Print an identity string in yellow. - tput setaf 3 ; printf "%s\n" "${1}" ; tput sgr0 + # Print an identity string in yellow. + tput setaf 3 ; printf "%s\n" "${1}" ; tput sgr0 } get_id_label () { @@ -26,14 +32,28 @@ get_id_label () { printf "YubiKey User " } -get_key_type () { - # Returns key type and size. +get_key_type_sign () { + # Returns key type for signature subkey. + #printf "default" printf "rsa4096" } +get_key_type_enc () { + # Returns key type for encryption subkey. + #printf "default" + printf "rsa4096" +} + +get_key_type_auth () { + # Returns key type for authentication subkey. + #printf "default" + #printf "rsa4096" + printf "ed25519" +} + get_key_expiration () { # Returns key expiration date. - printf "2027-05-01" + printf "2027-07-01" } get_temp_dir () { @@ -51,10 +71,12 @@ set_temp_dir () { set_attrs () { # Sets identity and key attributes. export IDENTITY="$(get_id_label)" - export KEY_TYPE="$(get_key_type)" + export KEY_TYPE_SIGN="$(get_key_type_sign)" + export KEY_TYPE_ENC="$(get_key_type_enc)" + export KEY_TYPE_AUTH="$(get_key_type_auth)" export KEY_EXPIRATION="$(get_key_expiration)" - printf "set attributes (label='%s', type='%s', expire='%s')\n" \ - "$IDENTITY" "$KEY_TYPE" "$KEY_EXPIRATION" + printf "set attributes (label='%s', sign='%s', enc='%s', auth='%s', expire='%s')\n" \ + "$IDENTITY" "$KEY_TYPE_SIGN" "$KEY_TYPE_ENC" "$KEY_TYPE_AUTH" "$KEY_EXPIRATION" } get_pass () { @@ -78,8 +100,7 @@ gen_key_certify () { # Generates Certify key with no expiration. echo "$CERTIFY_PASS" | \ gpg --batch --passphrase-fd 0 \ - --quick-generate-key "$IDENTITY" \ - "$KEY_TYPE" "cert" "never" + --quick-generate-key "$IDENTITY" "$KEY_TYPE_SIGN" "cert" "never" } set_fingerprint () { @@ -87,18 +108,23 @@ set_fingerprint () { key_list=$(gpg --list-secret-keys --with-colons) export KEY_ID=$(printf "$key_list" | awk -F: '/^sec/ { print $5; exit }') export KEY_FP=$(printf "$key_list" | awk -F: '/^fpr/ { print $10; exit }') + if [[ -z "$KEY_FP" || -z "$KEY_ID" ]]; then + fail "could not set key fingerprint" + fi printf "got identity (fp='%s', id='%s')\n" "$KEY_FP" "$KEY_ID" } gen_key_subs () { # Generates Subkeys with specified expiration. - for SUBKEY in sign encrypt auth ; do \ - echo "$CERTIFY_PASS" | \ - gpg --batch --passphrase-fd 0 \ - --pinentry-mode=loopback \ - --quick-add-key "$KEY_FP" \ - "$KEY_TYPE" "$SUBKEY" "$KEY_EXPIRATION" - done + echo "$CERTIFY_PASS" | \ + gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \ + --quick-add-key "$KEY_FP" "$KEY_TYPE_SIGN" sign "$KEY_EXPIRATION" + echo "$CERTIFY_PASS" | \ + gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \ + --quick-add-key "$KEY_FP" "$KEY_TYPE_ENC" encrypt "$KEY_EXPIRATION" + echo "$CERTIFY_PASS" | \ + gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \ + --quick-add-key "$KEY_FP" "$KEY_TYPE_AUTH" auth "$KEY_EXPIRATION" } save_secrets () {