-
Notifications
You must be signed in to change notification settings - Fork 373
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Accept GPG-based ssh keys #48
Comments
It's also impossible to use this when a key is on a yubikey. |
to do that, you usually use gpg-agent which means: |
@boneyard93501 this gives me a secret key in openpgp format, which can't be read by age or openssh. I tried monkeysphere's openpgp2ssh, but it only supports rsa keys and not the ed25519 format I used. |
indeed |
you'll have to fiddle a little. i'd look at python's cryptography lib or similar. |
I can confirm that A bit of a pain, but doable. |
|
I also have my private key on a hardware device which I use as a GnuPG smart card. What should I do? |
This is also what I do but I have an offline backup in case the smart card crashes. Don't you? |
Nope. If I lose the smart card I'd create a new auth subkey on a new smart key (and revoke the old one); and upload the new ssh pubkey to my github profile. |
@DamienCassou I have my master key in a non-digital form to renew the sub-keys. But would that help here? 🤔 I saw there is this age plugin- for yubikeys. Could such a mechanism work to write my own script to generate the proof? I just looks roughly at the Python code to get a feeling what it does. Not sure about the details. Wondering if it is worth the hassle... |
@weilbith make sure to read over this first: str4d/age-plugin-yubikey#39 |
@boneyard93501 thanks for sharing. Seems pretty hopeless. 😑 |
I am getting this when trying to do
|
@lana-shanghai you can use I'd recommend doing that on a Live USB stick without persistance or network access to make sure that the unencrypted key doesn't touch your harddrive or the internet. |
Here is what i got when i'm trying to change password. I think it doesn't work for hardware keys.
|
@phryneas - tried your suggestion, getting this message: |
It only works with keys you have on disk, not with keys in your Yubikey. If you don't have a backup, you're out of luck. |
@boneyard93501 please don't tell me that you excluded people who signed commits with Yubikey from the airdrop! Whyyy :'( |
the yubico device users we sampled, including myself, all follow the best practices suggested by yubico, https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP with respect to gpg. so no, we didn't exclude yubikey users. |
I’m sorry. But how does this link help to solve problem with exporting ssh secret key(and feeding secret key to age is the only way to decript message) from yubikey? There is no any steps for that in the info through the link. |
why are you talking about gpg? Only SSH keys are stored in the metadata file and the SSH keys are required to decrypt the message. Everything I've read so far indicates that people using a smartcard (yubico, nitrokey or any other) and I think the process would have been much simpler for everyone if GPG was used to encrypt the message instead (or alongside) of SSH. |
Yes, the SSH secret key is not available to decrypt the data that was encrypted with the public SSH key. I tried to export the GPG secret key to decrypt the message, and it didn't work. The Yubikey encrypts the SSH secret key afaiu, and it's not possible to export it at all. We can only prove that we own the SSH secret key by signing some other message, but we cannot decrypt anything. |
@boneyard93501
Yubikey generates and stores gpg secret keys internally. Moreover, when you configure Yubikey to use with gpg, it generates 3 separate keys: ed25519 secret key used for signatures; cv25519 secret key used for encryption; ed25519 used for authentication. Here is part of my card status output to demonstrate: Example:
So there is no way we use our signature keys to decrypt your age-encrypted messages from So yes, you did exclude yubikey users after all. |
Did anyone find out how to use GPG keys that are in ed25519 format? I have those as backup (normally use a yubi only), but openpgp2ssh only does RSA. The output of
I have found no way to access my tokens. Let me know how to proceed to access it. |
If you have your plain keyfile somewhere you should be able to export it using gpgs +1 for also encrypting the secret with the users pgp keys like hs did |
I can export the secret subkey with
@mawalu Am I doing it wrong? any ideas? |
I came across this as well. There exists |
I tried this and got some keygrip and I tried them all, I only got:
I used |
The feature seems to never have been merged, see the messages at https://dev.gnupg.org/rGafe5fcda52e88438c7a7278117b2e03f510a9c1c I'm trying to build gnupg from source based on that commit, but havn't had any luck yet. Any C/C++ people here that could help? |
There is an open issue about finishing the implementation of Generally the keygrip/userid needs to be prefixed by > gpg2 --export-secret-ssh-key "&AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
gpg: export as ssh key failed: Invalid public key algorithm This might even work for RSA keys already, but for Ed25519 it will give the above error. |
I've been trying to implement my own tool to do this for EDIT: As said on the discord, I offer 10% of my FLT as reward for anyone who can help me get it to work and claim the tokens. |
@pinbox I've tried to extend your code, but I also haven't got it to work. Still, I made some improvements that might be helpful: |
Guys, we did it! 🥳 This was only possible due to the close collaboration between @pinpox & me. And f you want to thank us, you can send us any crypto or token to our Ethereum / Polygon wallets 😊: |
So to recap the current status here:
Did I get that right? |
IIUC the private key on the Yubikey cannot be exported, and the Yubikey hardware does not support chacha20poly1305 decryption. Alas, I too am unable to claim because there is no way to prove GitHub ownership with Yubikey setup. 😢 |
Crap :( my key also refers to one generated on Yubikey. Why can't we just sign some message with the yubikey generated key to proof ownership? Did the devs ditch the unencrypted blobs? How will they reduce the rewards if not in possession of the keys for the temporary eth account? |
Yeah that would be great, we sign a freshly generated messag |
@dvdplm if the passphrase itself is problem, you can remove this requirement for sure. |
Well, if the process of getting proof involves decryption, then yeah, sorry, but GPG is using various keys for authentication and encryption unfortunately. |
My key is on Yubikey, so I can't claim. But thanks, now I know I forgot backup subkeys huh |
Hi,
the SSH key associated to my GitHub account is handled by GnuPG's
enable-ssh-support
feature. As a result, I don't have any ssh key file to look for and scripts in this project fail.The text was updated successfully, but these errors were encountered: