From 8c0a752934ff58a773aab7fb54baddfe9941994d Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 15 Jun 2025 13:01:56 -0700 Subject: [PATCH 1/5] implement fail function --- scripts/generate.sh | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/scripts/generate.sh b/scripts/generate.sh index faf857f..0ec7cbd 100755 --- a/scripts/generate.sh +++ b/scripts/generate.sh @@ -11,14 +11,20 @@ umask 077 export LC_ALL="C" +fail() { + # Print an error string in red and exit. + tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0 + exit 1 +} + print_cred () { - # Print a credential string in red. - tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0 + # Print a credential string in red. + tput setaf 1 ; printf "%s\n" "${1}" ; tput sgr0 } print_id () { - # Print an identity string in yellow. - tput setaf 3 ; printf "%s\n" "${1}" ; tput sgr0 + # Print an identity string in yellow. + tput setaf 3 ; printf "%s\n" "${1}" ; tput sgr0 } get_id_label () { @@ -28,12 +34,13 @@ get_id_label () { get_key_type () { # Returns key type and size. + #printf "default" printf "rsa4096" } get_key_expiration () { # Returns key expiration date. - printf "2027-05-01" + printf "2027-07-01" } get_temp_dir () { @@ -87,6 +94,9 @@ set_fingerprint () { key_list=$(gpg --list-secret-keys --with-colons) export KEY_ID=$(printf "$key_list" | awk -F: '/^sec/ { print $5; exit }') export KEY_FP=$(printf "$key_list" | awk -F: '/^fpr/ { print $10; exit }') + if [[ -z "$KEY_FP" || -z "$KEY_ID" ]]; then + fail "could not set key fingerprint" + fi printf "got identity (fp='%s', id='%s')\n" "$KEY_FP" "$KEY_ID" } From d8ad5c469b11275a1c6dfba6740803a994c2f4da Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 15 Jun 2025 13:22:45 -0700 Subject: [PATCH 2/5] split subkey gen command, note ed25519 auth --- README.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 51f9009..638b4f9 100644 --- a/README.md +++ b/README.md @@ -490,13 +490,22 @@ EOF Generate Signature, Encryption and Authentication Subkeys using the previously configured key type, passphrase and expiration: ```console -for SUBKEY in sign encrypt auth ; do \ - echo "$CERTIFY_PASS" | \ +echo "$CERTIFY_PASS" | \ gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \ - --quick-add-key "$KEYFP" "$KEY_TYPE" "$SUBKEY" "$EXPIRATION" -done + --quick-add-key "$KEYFP" "$KEY_TYPE" sign "$EXPIRATION" + +echo "$CERTIFY_PASS" | \ + gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \ + --quick-add-key "$KEYFP" "$KEY_TYPE" encrypt "$EXPIRATION" + +echo "$CERTIFY_PASS" | \ + gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \ + --quick-add-key "$KEYFP" "$KEY_TYPE" auth "$EXPIRATION" ``` +> [!NOTE] +> Some systems no longer accept RSA keys for SSH authentication; set the `KEY_TYPE` variable to `ed25519` before generating the last `auth` subkey. + # Verify keys List available secret keys: From d446832705be6b8ea6665396be19858398a6dce6 Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 15 Jun 2025 13:29:08 -0700 Subject: [PATCH 3/5] explicit note on ed25519 auth subkeys to fix #507 --- README.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 638b4f9..83ab8d9 100644 --- a/README.md +++ b/README.md @@ -438,7 +438,7 @@ export KEYID=$(gpg -k --with-colons "$IDENTITY" | \ export KEYFP=$(gpg -k --with-colons "$IDENTITY" | \ awk -F: '/^fpr:/ { print $10; exit }') -printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP" +printf "\nKey ID/Fingerprint: %20s\n%s\n\n" "$KEYID" "$KEYFP" ```
@@ -487,7 +487,7 @@ EOF # Create Subkeys -Generate Signature, Encryption and Authentication Subkeys using the previously configured key type, passphrase and expiration: +Generate Signature and Encryption Subkeys using the previously configured key type, passphrase and expiration: ```console echo "$CERTIFY_PASS" | \ @@ -497,15 +497,19 @@ echo "$CERTIFY_PASS" | \ echo "$CERTIFY_PASS" | \ gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \ --quick-add-key "$KEYFP" "$KEY_TYPE" encrypt "$EXPIRATION" +``` +Followed by the Authentication Subkey: + +> [!NOTE] +> Some systems no longer accept RSA for SSH authentication; set the `KEY_TYPE` variable to `ed25519` before generating Authentication Subkey. + +``` echo "$CERTIFY_PASS" | \ gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \ --quick-add-key "$KEYFP" "$KEY_TYPE" auth "$EXPIRATION" ``` -> [!NOTE] -> Some systems no longer accept RSA keys for SSH authentication; set the `KEY_TYPE` variable to `ed25519` before generating the last `auth` subkey. - # Verify keys List available secret keys: From e974dbb95cb6727cce3f0e61971f36085e0e0567 Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 15 Jun 2025 13:36:09 -0700 Subject: [PATCH 4/5] create scripts dir before creating keygrips --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 83ab8d9..f46e943 100644 --- a/README.md +++ b/README.md @@ -1806,7 +1806,7 @@ gpg-connect-agent "scd serialno" "learn --force" /bye Alternatively, use a script to delete the GnuPG shadowed key, where the serial number is stored (see [GnuPG #T2291](https://dev.gnupg.org/T2291)): ```console -cat >> ~/scripts/remove-keygrips.sh <> ~/scripts/remove-keygrips.sh <&2; exit 1; } KEYGRIPS=$(gpg --with-keygrip --list-secret-keys "$@" | awk '/Keygrip/ { print $3 }') From 76d557b0f6e6a5c5b5d80569b749d4db3aabaeef Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 15 Jun 2025 14:08:13 -0700 Subject: [PATCH 5/5] set individual key types default to ed25519 for auth --- README.md | 2 +- scripts/generate.sh | 44 ++++++++++++++++++++++++++++++-------------- 2 files changed, 31 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index f46e943..1e8af57 100644 --- a/README.md +++ b/README.md @@ -367,7 +367,7 @@ Subkeys must be renewed or rotated using the Certify key - see [Updating keys](# Set Subkeys to expire on a planned date: ```console -export EXPIRATION=2027-05-01 +export EXPIRATION=2027-07-01 ``` The expiration date may also be relative, for example set to two years from today: diff --git a/scripts/generate.sh b/scripts/generate.sh index 0ec7cbd..a054585 100755 --- a/scripts/generate.sh +++ b/scripts/generate.sh @@ -32,12 +32,25 @@ get_id_label () { printf "YubiKey User " } -get_key_type () { - # Returns key type and size. +get_key_type_sign () { + # Returns key type for signature subkey. #printf "default" printf "rsa4096" } +get_key_type_enc () { + # Returns key type for encryption subkey. + #printf "default" + printf "rsa4096" +} + +get_key_type_auth () { + # Returns key type for authentication subkey. + #printf "default" + #printf "rsa4096" + printf "ed25519" +} + get_key_expiration () { # Returns key expiration date. printf "2027-07-01" @@ -58,10 +71,12 @@ set_temp_dir () { set_attrs () { # Sets identity and key attributes. export IDENTITY="$(get_id_label)" - export KEY_TYPE="$(get_key_type)" + export KEY_TYPE_SIGN="$(get_key_type_sign)" + export KEY_TYPE_ENC="$(get_key_type_enc)" + export KEY_TYPE_AUTH="$(get_key_type_auth)" export KEY_EXPIRATION="$(get_key_expiration)" - printf "set attributes (label='%s', type='%s', expire='%s')\n" \ - "$IDENTITY" "$KEY_TYPE" "$KEY_EXPIRATION" + printf "set attributes (label='%s', sign='%s', enc='%s', auth='%s', expire='%s')\n" \ + "$IDENTITY" "$KEY_TYPE_SIGN" "$KEY_TYPE_ENC" "$KEY_TYPE_AUTH" "$KEY_EXPIRATION" } get_pass () { @@ -85,8 +100,7 @@ gen_key_certify () { # Generates Certify key with no expiration. echo "$CERTIFY_PASS" | \ gpg --batch --passphrase-fd 0 \ - --quick-generate-key "$IDENTITY" \ - "$KEY_TYPE" "cert" "never" + --quick-generate-key "$IDENTITY" "$KEY_TYPE_SIGN" "cert" "never" } set_fingerprint () { @@ -102,13 +116,15 @@ set_fingerprint () { gen_key_subs () { # Generates Subkeys with specified expiration. - for SUBKEY in sign encrypt auth ; do \ - echo "$CERTIFY_PASS" | \ - gpg --batch --passphrase-fd 0 \ - --pinentry-mode=loopback \ - --quick-add-key "$KEY_FP" \ - "$KEY_TYPE" "$SUBKEY" "$KEY_EXPIRATION" - done + echo "$CERTIFY_PASS" | \ + gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \ + --quick-add-key "$KEY_FP" "$KEY_TYPE_SIGN" sign "$KEY_EXPIRATION" + echo "$CERTIFY_PASS" | \ + gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \ + --quick-add-key "$KEY_FP" "$KEY_TYPE_ENC" encrypt "$KEY_EXPIRATION" + echo "$CERTIFY_PASS" | \ + gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \ + --quick-add-key "$KEY_FP" "$KEY_TYPE_AUTH" auth "$KEY_EXPIRATION" } save_secrets () {