Vigorous Pro


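  1. Generating the GPG key
    1.1. Viewing the generated GPG key
    1.2. Changing the primary key's expiry
  2. Backing up the GPG key
    2.1. Exporting the public key
    2.2. Exporting the secret key
    2.3. Exporting the secret subkeys
  3. Uploading the public key
  4. Setting up the OpenPGP card
    4.1. Changing the YubiKey's default PINs
  5. Importing into the YubiKey
  6. Checking the keys stored on the YubiKey
  7. References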

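A couple of days ago I got a YubiKey 5. After setting it up as a two-step-verification security key on a few sites I use often, I wondered what else it could do, and after some experimenting I found a few fun uses. This post covers one of them. (Really I just wanted an excuse to churn out a few more posts.)

Generating the GPG key

Speaking of generating keys: be sure to back them up, or you will end up like me QAQ

At 立音's urging (mostly because I had nothing better to do), I switched my laptop from Manjaro to openSUSE, and only then realized I had forgotten to back up my SSH keys, my config files and even my GPG key. I am probably the only fool in the world to manage that ㅠㅠ
Back to the point: below is how to generate the GPG key. If you already know how, you can skip this step.

The user name Edison Jwa, the e-mail address example@uv.uy and the key fingerprint W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP used below are examples; replace them with your own values.

First, run gpg --full-generate-key to start generating the GPG key: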

edison@edison-pc ~> gpg --full-generate-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1

Enter 1 to select (1) RSA and RSA (default).

Note: if your YubiKey is a NEO, choose 2048 bits; for a YubiKey 4 or 5, choose 4096.
The expiry is up to you; here I set it to 1 year.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Fri 08 Jan 2021 08:22:31 AM CST
Is this correct? (y/N) y

Enter your personal details. When you are done and everything looks right, type o and press Enter.

GnuPG needs to construct a user ID to identify your key.

Real name: Edison Jwa
Email address: example@uv.uy
Comment:
You selected this USER-ID:
"Edison Jwa <example@uv.uy>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

Next you will be asked for a passphrase. Make sure you remember it.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 1234567890ABCDEF marked as ultimately trusted
gpg: revocation certificate stored as '/home/edison/.gnupg/openpgp-revocs.d/W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP.rev'
public and secret key created and signed.

pub rsa4096 2020-01-01 [SC] [expires: 2021-01-08]
W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP
uid Edison Jwa <example@uv.uy>
sub rsa4096 2020-01-01 [E] [expires: 2021-01-08]

The primary key has now been created. Next we add the subkeys.
Run gpg --expert --edit-key W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP to start editing the key:

edison@edison-pc ~> gpg --expert --edit-key W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: E
[ultimate] (1). Edison Jwa <example@uv.uy>

Type addkey to start adding a subkey:

gpg> addkey 
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Your selection? 4

Choose 4 here, i.e. RSA (sign only).

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Fri 08 Jan 2021 10:29:48 AM CST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: E
ssb rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: S
[ultimate] (1). Edison Jwa <example@uv.uy>

Continue by creating another subkey:

gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Your selection? 8

Here we first need to turn off Sign and Encrypt, so enter S and then E.
Next, enter A to enable Authenticate.

Possible actions for a RSA key: Sign Encrypt Authenticate 
Current allowed actions: Sign Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Fri 08 Jan 2021 10:30:23 AM CST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: E
ssb rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: S
ssb rsa4096/7EC20E50EE5ECDD5
created: 2020-01-01 expires: 2021-01-08 usage: A
[ultimate] (1). Edison Jwa <example@uv.uy>

gpg> save

Viewing the generated GPG key

edison@edison-pc ~> gpg --list-keys
/home/edison/.gnupg/pubring.kbx
-------------------------------
pub rsa4096 2020-01-01 [SC] [expires: 2021-01-08]
W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP
uid [ultimate] Edison Jwa <example@uv.uy>
sub rsa4096 2020-01-01 [E] [expires: 2021-01-08]
sub rsa4096 2020-01-01 [S] [expires: 2021-01-08]
sub rsa4096 2020-01-01 [A] [expires: 2021-01-08]

Changing the primary key's expiry

Here we set the primary key to never expire, so that only the subkeys need to be renewed each year.

edison@edison-pc ~> gpg --expert --edit-key W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: E
ssb rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: S
ssb rsa4096/7EC20E50EE5ECDD5
created: 2020-01-01 expires: 2021-01-08 usage: A
[ultimate] (1). Edison Jwa <example@uv.uy>

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

sec rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: E
ssb rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: S
ssb rsa4096/1234567890ABCDEF
created: 2020-01-01 expires: 2021-01-08 usage: A
[ultimate] (1). Edison Jwa <example@uv.uy>

gpg> save

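The expiry has now been changed successfully; from now on only the subkeys need to be renewed each year.

Backing up the GPG key

Be sure to make this backup. First, keys imported into the YubiKey cannot be extracted again; second, it keeps you from losing your GPG key the way I did.

Exporting the public key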

edison@edison-pc ~/gpg-backup> 
gpg --armor --output public.asc --export W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP

Exporting the secret key

edison@edison-pc ~/gpg-backup> 
gpg --armor --output private.asc --export-secret-keys W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP

Exporting the secret subkeys

edison@edison-pc ~/gpg-backup> 
gpg --armor --output private-subkeys.asc --export-secret-subkeys W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP

Uploading the public key

edison@edison-pc ~/gpg-backup> 
gpg --keyserver hkp://pgp.mit.edu --send-keys W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP
gpg: sending key W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP to hkp://pgp.mit.edu
edison@edison-pc ~/gpg-backup>

Setting up the OpenPGP card

Changing the YubiKey's default PINs

First, change the YubiKey's default PINs (both the PIN and the Admin PIN).

Run gpg --card-edit to begin:

edison@edison-pc ~> gpg --card-edit

×××××

The YubiKey's information is printed here.

Type admin to enable the admin commands:

gpg/card> admin
Admin commands are allowed

Type passwd to start changing the PINs.

The YubiKey's default PIN is 123456.
The default Admin PIN is 12345678.

gpg/card> passwd
gpg: OpenPGP card no. ××××× detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1

Enter 1 to change the PIN. You will be asked for the default PIN, and then for the new PIN twice.

The PIN must be at least 6 characters long.

PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3

Next, enter 3 to change the Admin PIN.

The Admin PIN must be at least 8 characters long.

PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

gpg/card> q

Importing into the YubiKey

Run gpg --expert --edit-key:

edison@edison-pc ~> gpg --expert --edit-key W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec rsa4096/1234567890ABCDEF
created: 2020-01-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/1234567890ABCDEF
created: 2020-01-09 expires: 2021-01-08 usage: E
ssb rsa4096/1234567890ABCDEF
created: 2020-01-09 expires: 2021-01-08 usage: S
ssb rsa4096/1234567890ABCDEF
created: 2020-01-09 expires: 2021-01-08 usage: A
[ultimate] (1). Edison Jwa <example@uv.uy>

gpg> key 1

This selects key 1:

sec  rsa4096/1234567890ABCDEF
created: 2020-01-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb* rsa4096/1234567890ABCDEF
created: 2020-01-09 expires: 2021-01-08 usage: E
ssb rsa4096/1234567890ABCDEF
created: 2020-01-09 expires: 2021-01-08 usage: S
ssb rsa4096/1234567890ABCDEF
created: 2020-01-09 expires: 2021-01-08 usage: A
[ultimate] (1). Edison Jwa <example@uv.uy>

The * here shows that the subkey is selected.

Then type keytocard to move the selected key onto the YubiKey:

gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection? 2

sec rsa4096/1234567890ABCDEF
created: 2020-01-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb* rsa4096/1234567890ABCDEF
created: 2020-01-09 expires: 2021-01-08 usage: E
ssb rsa4096/1234567890ABCDEF
created: 2020-01-09 expires: 2021-01-08 usage: S
ssb rsa4096/1234567890ABCDEF
created: 2020-01-09 expires: 2021-01-08 usage: A
[ultimate] (1). Edison Jwa <example@uv.uy>
gpg> key 1

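Type key 1 again to deselect it, then repeat the same steps to import key 2 and key 3.

Checking the keys stored on the YubiKey

Run gpg --card-status to view the information stored on the YubiKey.

After that, signing works exactly the same as before~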
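The same check can be scripted. The following is an added example, not part of the original post: a shell function that reads the output of gpg --list-secret-keys --with-colons and reports, for each key, its capabilities, whether the secret part is on disk or on a card, and how close it is to expiry. The listing is constructed (placeholder subkey IDs and card serial) and shows the case where the [A] subkey was never moved with keytocard.

```shell
#!/bin/sh
# Added example: audit a `gpg --list-secret-keys --with-colons` listing.
# Colon fields used (GnuPG doc/DETAILS): 1 = record type, 5 = key ID,
# 7 = expiry as epoch seconds (empty = never), 12 = capabilities,
# 15 = token serial number ("+" = secret key on disk, "#" = stub only).

# audit_keys NOW_EPOCH WARN_DAYS   (colon listing on stdin)
# Prints one line per key: TYPE KEYID CAPS LOCATION EXPIRY
audit_keys() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "sec" || $1 == "ssb" {
            # On the primary key, field 12 also carries upper-case summary
            # letters for the whole key; keep only the lower-case ones,
            # which belong to this key itself.
            caps = $12; gsub(/[A-Z]/, "", caps)
            if (caps == "") caps = "-"
            if ($15 == "+")      loc = "disk"
            else if ($15 == "#") loc = "stub"
            else if ($15 != "")  loc = "card"
            else                 loc = "unknown"
            left = ($7 + 0) - (now + 0)
            if ($7 == "")                  status = "never"
            else if (left <= 0)            status = "expired"
            else if (left <= warn * 86400) status = "renew-soon"
            else                           status = "ok"
            print $1, $5, caps, loc, status
        }'
}

# subkeys_off_card NOW_EPOCH WARN_DAYS   (colon listing on stdin)
# Prints the key IDs of subkeys whose secret part is not on a card.
subkeys_off_card() {
    audit_keys "$1" "$2" | awk '$1 == "ssb" && $4 != "card" { print $2 }'
}

# Constructed sample: the subkey IDs and the card serial are placeholders.
# Created 2020-01-01, subkeys expire 2021-01-08, primary never expires.
SAMPLE='sec:u:4096:1:1234567890ABCDEF:1577836800:::u:::scESCA:::+:
fpr:::::::::W4IJICKJLQPX8CMB9IYZMVPSMCCJIHOTGSM2QFGP:
uid:u::::1577836800::::Edison Jwa <example@uv.uy>:
ssb:u:4096:1:1111111111111111:1577836800:1610064000:::::e:::CARD0000000000000000000000000000:
ssb:u:4096:1:2222222222222222:1577836800:1610064000:::::s:::CARD0000000000000000000000000000:
ssb:u:4096:1:3333333333333333:1577836800:1610064000:::::a:::+:'

# 1608422400 = 2020-12-20 00:00 UTC, 19 days before the subkeys expire.
printf '%s\n' "$SAMPLE" | audit_keys 1608422400 30
printf '%s\n' "$SAMPLE" | subkeys_off_card 1608422400 30
```

Against a real keyring, pipe gpg --list-secret-keys --with-colons into audit_keys "$(date +%s)" 30; any key ID printed by subkeys_off_card still has its secret material on disk.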


References

Using Your YubiKey with OpenPGP

YubiKey for SSH, Login, 2FA, GPG and Git Signing

Use A YubiKey For PGP Signing, Encryption, And Authentication

How to setup Signed Git Commits with a YubiKey NEO and GPG and Keybase on Windows

Yubikeys for Signed Git Commits

Author: Edison Jwa
This article is licensed under Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)
Permalink: https://www.wevg.org/archives/gpg-sign-via-yubikey/
