From c9ea04db2ce0c7e0bbf50bb82a1fe2924d6925ae Mon Sep 17 00:00:00 2001 From: Stefano Figura Date: Thu, 13 Aug 2020 23:45:18 +0200 Subject: [PATCH 1/5] Add notations section --- README.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/README.md b/README.md index 315f843..13fe760 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d * [Setup environment](#setup-environment) * [Renewing sub-keys](#renewing-sub-keys) * [Rotating keys](#rotating-keys-1) +- [Adding notations](#adding-notations) - [SSH](#ssh) * [Create configuration](#create-configuration) * [Replace agents](#replace-agents) 
@@ -1875,6 +1876,30 @@ $ sudo umount /mnt/public Disconnect the storage device and follow the original steps to transfer new keys (4, 5 and 6) to YubiKey, replacing existing ones. Reboot or securely erase the GPG temporary working directory. +# Adding notations + +Notations can be added to users ID(s) and can be used in conjunction with [Keyoxide](https://keyoxide.org) to create [OpenPGP identity proofs](https://keyoxide.org/guides/openpgp-proofs). + +The setup environment can be created by using this [section](#setup-environment) from this guide. + +After having completed the environment setup, it is possible to follow any of the guides listed under "Adding proofs" from the Keyoxide ["Guides"](https://keyoxide.org/guides/) page __up until the notation is saved using the `save` command`. + +At this point the public key can be exported: + +```console +$ gpg --export $KEYID > pubkey.gpg +``` + +The public key can now be transferred to the computer where the GPG key is used and it is imported with: + +```console +$ gpg --import pubkey.gpg +``` + +N.B.: The `showpref` command can be issued to ensure that the notions were correctly added. + +It is now possible to continue following the Keyoxide guide and upload the key to WKD or to keys.openpgp.org. + # SSH [gpg-agent](https://wiki.archlinux.org/index.php/GnuPG#SSH_agent) supports the OpenSSH ssh-agent protocol (`enable-ssh-support`), as well as Putty's Pageant on Windows (`enable-putty-support`). This means it can be used instead of the traditional ssh-agent / pageant. There are some differences from ssh-agent, notably that gpg-agent does not _cache_ keys rather it converts, encrypts and stores them - persistently - as GPG keys and then makes them available to ssh clients. Any existing ssh private keys that you'd like to keep in `gpg-agent` should be deleted after they've been imported to the GPG agent. From 8a08a8ac151eec600ccd464c219807e79e6371d9 Mon Sep 17 00:00:00 2001 
From: Stefano Figura Date: Thu, 13 Aug 2020 23:51:42 +0200 Subject: [PATCH 2/5] Update notation section --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 13fe760..1b1cbd3 100644 --- a/README.md +++ b/README.md @@ -1882,7 +1882,7 @@ Notations can be added to users ID(s) and can be used in conjunction with [Keyox The setup environment can be created by using this [section](#setup-environment) from this guide. -After having completed the environment setup, it is possible to follow any of the guides listed under "Adding proofs" from the Keyoxide ["Guides"](https://keyoxide.org/guides/) page __up until the notation is saved using the `save` command`. +After having completed the environment setup, it is possible to follow any of the guides listed under "Adding proofs" from the Keyoxide ["Guides"](https://keyoxide.org/guides/) page __up until the notation is saved using the `save` command__. At this point the public key can be exported: From a2bc415f84eb73ecd6e280d028f885b84d26905e Mon Sep 17 00:00:00 2001 From: Stefano Figura Date: Fri, 14 Aug 2020 00:06:37 +0200 Subject: [PATCH 3/5] Update wording Ensure that is clear that we do not need to modify keys or even plug the yubikey --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 1b1cbd3..e2b650c 100644 --- a/README.md +++ b/README.md 
@@ -1880,7 +1880,9 @@ Disconnect the storage device and follow the original steps to transfer new keys Notations can be added to users ID(s) and can be used in conjunction with [Keyoxide](https://keyoxide.org) to create [OpenPGP identity proofs](https://keyoxide.org/guides/openpgp-proofs). -The setup environment can be created by using this [section](#setup-environment) from this guide. +Adding notations requires access to the master key, so we can follow these setup instructions taken from this [section](#setup-environment) from this guide. + +Please note that there is no need to connect the Yubikey to the setup environment and that we do not need to generate new keys, move keys to the YubiKey, or update any SSH public keys linked to the GPG key. After having completed the environment setup, it is possible to follow any of the guides listed under "Adding proofs" from the Keyoxide ["Guides"](https://keyoxide.org/guides/) page __up until the notation is saved using the `save` command__. From 8a95de3e3f5dd5be424fac1cf0826570179e8b9d Mon Sep 17 00:00:00 2001 From: Stefano Figura Date: Fri, 14 Aug 2020 00:12:06 +0200 Subject: [PATCH 4/5] Correct spelling --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e2b650c..925b133 100644 --- a/README.md +++ b/README.md 
@@ -1878,13 +1878,13 @@ Disconnect the storage device and follow the original steps to transfer new keys # Adding notations -Notations can be added to users ID(s) and can be used in conjunction with [Keyoxide](https://keyoxide.org) to create [OpenPGP identity proofs](https://keyoxide.org/guides/openpgp-proofs). +Notations can be added to user ID(s) and can be used in conjunction with [Keyoxide](https://keyoxide.org) to create [OpenPGP identity proofs](https://keyoxide.org/guides/openpgp-proofs). -Adding notations requires access to the master key, so we can follow these setup instructions taken from this [section](#setup-environment) from this guide. +Adding notations requires access to the master key so we can follow the setup instructions taken from this [section](#setup-environment) of this guide. Please note that there is no need to connect the Yubikey to the setup environment and that we do not need to generate new keys, move keys to the YubiKey, or update any SSH public keys linked to the GPG key. -After having completed the environment setup, it is possible to follow any of the guides listed under "Adding proofs" from the Keyoxide ["Guides"](https://keyoxide.org/guides/) page __up until the notation is saved using the `save` command__. +After having completed the environment setup, it is possible to follow any of the guides listed under "Adding proofs" in the Keyoxide ["Guides"](https://keyoxide.org/guides/) page __up until the notation is saved using the `save` command__. At this point the public key can be exported: From 2187610c1df9f9866e0bfeddf4879ddf8491499e Mon Sep 17 00:00:00 2001 From: bengim <68807980+bengim@users.noreply.github.com> Date: Sat, 22 Aug 2020 19:33:38 +0400 Subject: [PATCH 5/5] Update README.md fixing wrong cryptography version by explicitly installing PyOpenSSL --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 315f843..200d1e3 100644 --- a/README.md +++ b/README.md 
@@ -213,6 +213,8 @@ To install and use the `ykman` utility: ```console $ sudo apt -y install python-pip python-pyscard +$ pip install PyOpenSSL + $ pip install yubikey-manager $ sudo service pcscd start
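Review bot: in the new "Adding notations" section of 1/5, the N.B. line says `showpref` confirms that the "notions" were added; that should read "notations". The section also never says why the export/import round trip is needed: the notation is carried in a new self-signature over the user ID, so only the public key has to travel back to the working machine, and `gpg --import pubkey.gpg` merges that signature into the existing keyring without touching the secret-key stubs that point at the YubiKey. A non-interactive check after the import, as an alternative to entering `--edit-key`, is `gpg --list-options show-notations --list-sigs $KEYID`, which prints the notation data alongside the self-signature.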
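Review bot: 2/5 is a one-character fix for the emphasis that 1/5 opened with `__up until` and closed with a stray backtick after `command`, which left the bold unterminated in rendered Markdown. Patches 1/5 through 4/5 all rewrite the same freshly added section, so the series would review more cleanly squashed into a single commit; as it stands the subject "Update notation section" does not say what changed.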
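Review bot: the sentence added in 3/5, "Adding notations requires access to the master key, so we can follow these setup instructions...", is the security-relevant caveat of the section and should state what that implies: the notation is a new self-signature over the user ID, which only the Certify-capable master key can produce (this is also why the YubiKey and its subkeys are not needed), so the master key must be restored into the same temporary environment as the Setup section describes and the working directory securely erased afterwards, as the preceding context line already says for the key-rotation flow. Two smaller points: the guide is written in the imperative and third person elsewhere, so "we can follow" reads out of register, and the same sentence spells the device both "Yubikey" and "YubiKey".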
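Review bot: 4/5 fixes "users ID(s)" and "from this section from this guide" but misses the remaining typo in the same section, "notions" for "notations" in the N.B. line of 1/5; it would be natural to fold it into this spelling patch rather than leave it for a sixth commit.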
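Review bot: `pip install PyOpenSSL` without a version specifier does not fix the `cryptography` version that the subject of 5/5 describes as wrong; pip will resolve whatever PyOpenSSL release is current and pull the cryptography release it requires, so the problem can come back. If a particular version is known to work, pin it explicitly (`pip install 'PyOpenSSL==<version>'`, placeholder version), or rely on `yubikey-manager` declaring its own dependency. The patch is also unrelated to the notation series, comes from a different author, and is diffed against `315f843` (the base of 1/5) rather than `925b133` from 4/5, so it belongs in its own submission. Minor: the blank line inserted inside the console block breaks the run of consecutive commands the block otherwise shows, and an unprivileged `pip install` after `sudo apt` installs into the user site-packages on recent pip or fails on older ones; `pip install --user` or a virtualenv makes the intent explicit.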