This post is more than a year old and might not reflect our current knowledge and opinions anymore.

Updated GPG guide

Tanny and FC17 posted a guide on using GPG with a YubiKey over a year ago, and uh, while it was sometimes updated, it hasn't been recently, and we thought making a new post to note our changes might be a better idea than editing it yet again. Notably, we moved from Tutanota to Thunderbird (with our own Mailcow instance, besides that, we also have a Croc relay and a Jitsi instance running, as for what changed from last time), so we had to figure a way to make things work in the GUI too, while our original guide used a TUI pinentry app.

We tried using standalone pinentries for this, but couldn't get that working with Thunderbird on macOS, so in the end, we chose GPG Suite. So, replace the brew command from the guide with this:

# If you want to use Apple Mail rather than Thunderbird, try gpg-suite or gpg-suite-nightly instead, note you need to pay to activate the Mail extension, iirc
brew install gpgme ykman gpg-suite-no-mail

Now, Tanny said

also don't make this a literal PIN, use an actual passphrase from your password manager or something

We would like to retract that statement

T.: Blasphemy!!111 :P

, because, uh yeah, of course Tanny, anyway, because the YubiKey limits the amount of tries you have anyway, so low entropy is fine here, and uh, GPG Suite's pinentry doesn't seem to accept autotype from KeePassXC (and using the clipboard is insecure).

With GPG suite, you can also use a much simpler shell rc (e.g. ~/.zshrc):

gpg --card-status > /dev/null
export "SSH_AUTH_SOCK=/Users/artemis/.gnupg/S.gpg-agent.ssh"

And, as for the GPG agent config, the correct file is actually the (autogenerated) ~/.gnupg/gpg-agent.conf, not ~/.gnupg/gnupg-agent.conf (which I guess was cargoculted from somewhere).

T.: -_-

fc17: Sorry…

No, it's alright. Thing is, as it turns out, none of the config in the original guide was even needed in the first place ‒ things like SSH support are already there by default anyway, apparently.

Some more helpful things:

We uh, don't want to encourage things which uh, we consider bad crypto decisions in OpenPGP anymore, so we're removing the setpref step

#keyserver # Commented out because uh, something, we forgot, but it's uh, not so important, I guess
personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512

cipher-algo AES256
default-key CE6696CE96B00747B91326724EDC4EF429A9FFF9 # This is our key's fingerprint, change this to your own

We procrastinated quite a while on this post, so I hope we didn't forget something, now. Hope it helps, anyway. Also, as for the original post, I added another note there linking to this post.