This post is more than a year old and might not reflect our current knowledge and opinions anymore.

Updated GPG guide

Tanny and FC17 posted a guide on using GPG with a YubiKey over a year ago, and uh, while it was updated now and then, it hasn't been recently, and we thought a new post noting our changes would be a better idea than editing it yet again. Notably, we moved from Tutanota to Thunderbird (on our own Mailcow instance; as for what else changed since last time, we also have a Croc relay and a Jitsi instance running now), so we had to figure out a way to make things work in a GUI too, while our original guide used a TUI pinentry app.

We tried using standalone pinentries for this, but couldn't get them working with Thunderbird on macOS, so in the end we chose GPG Suite. Replace the brew command from the guide with this:

# If you want to use Apple Mail rather than Thunderbird, try gpg-suite or gpg-suite-nightly instead; note that you need to pay to activate the Mail extension, iirc
brew install gpgme ykman gpg-suite-no-mail

Now, Tanny said

also don't make this a literal PIN, use an actual passphrase from your password manager or something

We would like to retract that statement

T.: Blasphemy!!111 :P

, because, uh yeah, of course, Tanny; anyway, because the YubiKey limits the number of PIN attempts you get anyway, so low entropy is fine here, and uh, GPG Suite's pinentry doesn't seem to accept autotype from KeePassXC (and using the clipboard is insecure).

With GPG Suite, you can also use a much simpler shell rc (e.g. ~/.zshrc):

# Starts gpg-agent if needed and lets it learn about the keys on the card
gpg --card-status > /dev/null
# Point SSH at gpg-agent's SSH socket (adjust the user name/path for your machine)
export "SSH_AUTH_SOCK=/Users/artemis/.gnupg/S.gpg-agent.ssh"

And, as for the GPG agent config, the correct file is actually the (autogenerated) ~/.gnupg/gpg-agent.conf, not ~/.gnupg/gnupg-agent.conf (which I guess was cargo-culted from somewhere).

T.: -_-

fc17: Sorry…

No, it's alright. Thing is, as it turns out, none of the config in the original guide was even needed in the first place ‒ things like SSH support are already there by default anyway, apparently.
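Two of the points above, the hard-coded socket path in the rc plus the misnamed agent config file, and the card's retry counter being what makes a short PIN acceptable, can be checked from the shell. This is an added example, not code from the original guide or from GPG Suite; it assumes gpgconf (GnuPG 2.x) is installed and otherwise falls back to the guide's path under ~/.gnupg, and the `gpg --card-status` output it parses is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the shell rc that
# resolve the gpg-agent SSH socket instead of hard-coding /Users/<you>/...,
# flag the misnamed gnupg-agent.conf, and read the PIN retry counter that
# makes a short card PIN acceptable.

# Resolve gpg-agent's SSH socket. gpgconf knows the real path (on some
# systems it lives outside ~/.gnupg); fall back to the guide's path if
# gpgconf is missing. Assumes GnuPG 2.x when gpgconf is present.
agent_ssh_socket() {
  sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null || true)
  [ -n "$sock" ] || sock="${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent.ssh"
  printf '%s\n' "$sock"
}

# gpg-agent reads gpg-agent.conf; a file called gnupg-agent.conf is silently
# ignored. Returns 1 (and warns) if the misnamed file exists in the given dir.
check_agent_conf_name() {
  dir="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
  if [ -e "$dir/gnupg-agent.conf" ]; then
    echo "warning: $dir/gnupg-agent.conf is ignored; use gpg-agent.conf" >&2
    return 1
  fi
  return 0
}

# Read `gpg --card-status` output on stdin and print the user PIN retry
# count (first number of the "PIN retry counter : X Y Z" line; Y is the
# reset code counter, Z the admin PIN counter). Prints nothing if absent.
card_pin_retries() {
  awk -F: '/^PIN retry counter/ { split($2, n, " "); print n[1]; exit }'
}

# Constructed sample of the relevant output lines, so this runs offline.
SAMPLE_CARD_STATUS='Reader ...........: Yubico YubiKey OTP FIDO CCID
PIN retry counter : 3 0 3
Signature counter : 42'

# Usage in ~/.zshrc: refresh the agent's view of the card, then export the
# resolved socket instead of a hard-coded one.
#   gpg --card-status > /dev/null
#   export SSH_AUTH_SOCK="$(agent_ssh_socket)"
```

Once the user PIN counter reaches 0 the card refuses the PIN until it is reset with the admin PIN, which is why a few digits are enough where a brute-force attempt gets only that many tries.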

Some more helpful things:

We uh, don't want to encourage things which uh, we consider bad crypto decisions in OpenPGP anymore, so we're removing the setpref step. What's left in our gpg.conf:

# https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
no-emit-version
#keyserver # Commented out because uh, something, we forgot, but it's uh, not so important, I guess
personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512

# https://tutonics.com/2012/11/gpg-encryption-guide-part-4-symmetric.html
cipher-algo AES256
force-mdc
# This is our key's fingerprint, change this to your own (keep the comment on its own line; gpg.conf only treats a line starting with # as a comment)
default-key CE6696CE96B00747B91326724EDC4EF429A9FFF9

We procrastinated quite a while on this post, so I hope we haven't forgotten anything now. Hope it helps, anyway. Also, I added another note to the original post linking to this one.