
Show HN: GPG on macOS and YubiKey - trishankdatadog
https://github.com/DataDog/yubikey
======
dkanejs
Nice repo.

For those starting from scratch with a YubiKey I always recommend this guide:

[https://github.com/drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-
Guide)

Then they know how this stuff works and how to fix it when it breaks.

~~~
QualityReboot
I just got a yubikey and found this guide today. It's quite good.

One thing that I still haven't found a good answer for that's not mentioned in
the guide: what's KDF for?

The new yubikey firmware has release notes here:
[https://support.yubico.com/support/solutions/articles/150000...](https://support.yubico.com/support/solutions/articles/15000027139-yubikey-5-2-3-enhancements-
to-openpgp-3-4-support)

This is the bit that has me lost:

> To remove the transmission and on-card storage of OpenPGP PINs in plain
> text, the YubiKey supports the Key Derived Function (KDF) functionality.
> With the KDF function enabled, the PIN is stored as a hash on the YubiKey.
> When entering the PIN to the OpenPGP Smart Card, the OpenPGP client will
> only pass the hashed value, never passing the PIN directly. KDF
> functionality is set on the card itself, and communicated to the client; it
> is transparent to the user. Should the KDF functionality not be enabled, the
> PIN function will work as previously. The KDF function is listed in section
> 4.3.2 of the OpenPGP Smart Card 3.4 spec.

Can someone explain to me how KDF matters at all here?

It seems like the keys are encrypted on the yubikey via pin, or at least
protected in hardware via pin, and that the pin is stored on the device. KDF
seems to take that plain text pin and replace it with a hashed pin. If you
steal my yubikey, it looks like KDF would prevent you from... dumping the PIN?
But if you could dump the pin, wouldn't you just dump the key instead? I can't
seem to figure out the threat model for this feature.

~~~
LIV2
I'm guessing it's to protect against MITM of the USB interface

~~~
QualityReboot
How would that help though? If you have a compromised USB interface, and
you're entering your pin on that machine, you could just capture the keyboard
input anyway.

~~~
LIV2
That's a good point!, it has to be for another reason.

Interested to hear what it's for

~~~
Leace
Nope, you were right. It's for USB MITM. I guess the assumption is that the
keyboard is wired in a different way (a laptop?) or in wireless scenarios (NFC
Yubikey).

~~~
trishankdatadog
Quality discussion, both of you, thanks!

------
eximius
I've been very pleasantly surprised by how easy it was to get everything set
up on NixOS:

``` programs.gnupg.agent = { enable = true; enableSSHSupport = true; };

services.udev.packages = [ pkgs.yubikey-personalization pkgs.libu2f-host ];
services.pcscd.enable = true;

environment.shellInit = '' export GPG_TTY="$(tty)" gpg-connect-agent /bye
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" ''; ```

The only surprise I had was that I forgot to tell gpg to trust the imported
key after I imported it.

Combine this with GoPass... its the start of something good :)

~~~
equalunique
Are you using Gnome? I remember when this was impossible to get working on
Gnome for a couple of releases. Hoping that's fixed now.

~~~
eximius
I'm using awesome wm.

What was the problem with gnome? I vaguely recall a problem with polkit or
something.

------
Leace
> Optional: verify public key on Keybase.

For organizations publishing employee keys via Web Key Directory can also be
an additional signal that the key is trustworthy.

It's also quite simple: for example exporting the key 5C090ED7318B6C1E
(binary, _not_ armored) and putting it on this exact URL:
[https://datadoghq.com/.well-
known/openpgpkey/hu/964aj6q73iat...](https://datadoghq.com/.well-
known/openpgpkey/hu/964aj6q73iatngoya1q7qs4r6utpmb4g) is enough to discover
the key using e-mail address.

This post goes into more detail: [https://spacekookie.de/blog/usable-gpg-with-
wkd/](https://spacekookie.de/blog/usable-gpg-with-wkd/)

WKD is used by Linux distros (ArchLinux, Gentoo, Debian...) and kernel.org
itself: [https://www.kernel.org/category/signatures.html#using-the-
we...](https://www.kernel.org/category/signatures.html#using-the-web-key-
directory) as well as some OpenPGP sites (e.g. ProtonMail).

~~~
trishankdatadog
Good idea, will make a note, thanks!

------
oil25
> For usability while balancing security, cache PIN for at most a day.

[https://github.com/DataDog/yubikey/blob/master/gpg.sh#147](https://github.com/DataDog/yubikey/blob/master/gpg.sh#147)

This statement has no effect when using Yubikey - the PIN is cached by the key
itself and it will remain unlocked indefinitely until it's physically
unplugged. See [https://dev.gnupg.org/T3362](https://dev.gnupg.org/T3362)

~~~
trishankdatadog
Interesting. This hasn't been my experience, so not sure what's going on
yet...

------
jtaft
It's not polished, but here's a vagrant box which can provision Yubikey's PGP
and PIV applications. Additional hardening can be performed.

[https://github.com/justintaft/yubikey-gpg-piv-
provision](https://github.com/justintaft/yubikey-gpg-piv-provision)

------
matheusmoreira
Using a hardware token to protect the subkeys is important but it is also
necessary to protect the primary key by keeping it offline.

The best method I know is to store it on paper with the help of paperkey:

[http://www.jabberwocky.com/software/paperkey/](http://www.jabberwocky.com/software/paperkey/)

The tool also supports a raw output mode which can be piped to a QR encoder.
4096 bit RSA secret keys fit in binary QR codes and they are much easier to
use compared to manual data entry.

Current versions of zbar can't decode binary data in QR codes properly. I've
sent some patches that fix the problem but they haven't been reviewed yet.
Hopefully it will be possible to automate this process with zbarcam soon.

------
trishankdatadog
Main contributor here! Let me know if you have questions.

~~~
fabioyy
Any issues using Catalina? mine shows Error: No YubiKey detected!

~~~
trishankdatadog
No, but try unplugging the YubiKey and trying again. Also, the script
officially supports only YubiKey 5, but I've heard that 4 works if you remove
the code that checks the version.

------
microcolonel
Slightly related: Anyone know why Google Chrome (not upstream Chromium, nor
any derivative) is the only browser on Android that implements WebAuthn as
intended? Do they implement it as a proprietary component?

~~~
trishankdatadog
No, sorry.

------
m3nu
Personally I mostly use it for SSH via PKCS11. I found that simpler than GPG
because it's already integrated with SSH.

Still looking forward to SSH supporting U2F (some day).

~~~
ecesena
It's here: [https://marc.info/?l=openssh-unix-
dev&m=157259802529972&w=2](https://marc.info/?l=openssh-unix-
dev&m=157259802529972&w=2)

------
rmoriz
Yubikey as a second factor for macOS login is still not possible, right?

~~~
trishankdatadog
I don't think so. That's what TouchID is for, and we are thinking of storing
signing keys in that secure enclave in the future.

------
samwestdev
Is signing every commit really that useful?

~~~
trishankdatadog
If you care about who produced your source code, yes.

~~~
rgoulter
I think "sign every commit useful?" is less about whether signing is useful,
and more about the trade-off of signing every commit vs just signing a tag on
a commit.

Signing every commit is going to make it a mindless task. It's easier to be
vigilant when signing if you sign less frequently.

What trade-offs should be considered?

~~~
philsnow

        git config --global commit.gpgsign true
    

this turns commit signing on for every commit, you don't have to explicitly
sign commits as a separate step.

the criticism I've always heard of this practice is, what do you do with those
signatures? github displays a little widget showing that the commits are
signed, but beyond that I don't think it cares which public key they were
signed with, so it's not really helping anything.

~~~
sixstringtheory
It is simply an audit trail to trace back to the origin, since anyone can set
any email address as the author of a commit. GitHub will show the signature
fingerprint I think when you hover over that widget, so you can at least
distinguish between your key and an impostor’s.

I use this but it causes weird usability issues for me when using multiple
iTerm tabs or git GUIs when the GPG daemon’s unlock timeout expires and I need
to input my passphrase in again. I wish it could just be tied to the mac’s
keychain, so when I unlock my computer it is ready to go. Or at least tie it
into TouchID or Watch like unlocking the mac does.

~~~
trishankdatadog
Yes, it's so easy with this YK setup that there's no reason not to do it. The
only exception is during rebase, but there's an option in GPG to disable
signing then.

I sign all my commits so that everyone knows it was most likely me. You can
even turn on branch protection in GitHub these days that rejects unsigned
commits.

With all due respect, Mr. Torvalds isn't exactly famous for having designed
the most secure kernel.

------
new_realist
Is there a similar guide for TouchID?

