Werner Koch via Gnupg-users <gnupg-users@gnupg.org> wrote:
> On Fri, 7 Jul 2023 14:22, Juanjo said:
>> This works fine with a single Yubikey, but we wanted to have more than
>> one connected at the same time in order to batch-configure them and
>> even to try to use multiple SSH key authentication in specific target
>
> Most of the time I am using several Yubikeys and other smartcards.
> Some even remotely. For example I use an SSH connection with socket
> forwarding to our build server. Over that connection I provide access
> to an Authenticode token, my release key and ssh keys on tokens.
> I should eventually describe the environment.

Yes please. Could it go into a wiki page or something that people can
comment on and/or amend?

The need for more secure, and more reproducible code-signing environments
is becoming critical. Today, tcpdump.org, for instance, has a rather old
code-signing key, and we want to replace it with some hardware token, but
we really don't know what exactly to use, and don't want to be on the
bleeding edge here.

> As a starter:
> "no-autostart" in common.conf on the build box, gpg-card with "verify"
> to unlock keys on the desktop for remote use by the build process
> (Authenticode), and some keywords in the private key files
> (Use-for-p11, Use-for-ssh).
>
> To create keys, use gpg-card which can easily be scripted. Examples:
>
> $ gpg-card list D2760001240100000006154932830000 \
>     -- yubikey disable nfc all \
>     -- yubikey disable usb otp u2f piv oath fido2 \
>     -- yubikey list
> OTP    no   no
> U2F    no   no
> OPGP   yes  no
> PIV    no   no
> OATH   no   no
> FIDO2  no   no
>
> $ gpg-card
> [...]
> gpg/card> help generate
> GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF
>
> Create a new key on a card. Use --force to overwrite an existing
> key. Use "help" for ALGO to get a list of known algorithms. For
> OpenPGP cards several algos may be given. Note that the OpenPGP key
> generation is done interactively unless a single ALGO or KEYREF are
> given. [Supported by: OpenPGP, PIV]

Thank you.

Which model of Yubikey are you using?
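As an added example, not code from Werner's message or from the GnuPG project, the chained gpg-card invocation quoted above turned into a POSIX shell script that batch-configures several Yubikeys by serial number and checks the application state each card reports back before moving on to the next one. It assumes that gpg-card accepts "--"-separated commands on its command line as shown in the quote, that the serial numbers are passed as arguments (gpg-card's "list --cards" shows them), and that "yubikey list" prints one application per line as "APP usb nfc" with yes/no values; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG: batch-configure
# several Yubikeys with gpg-card, one serial number per argument.
# Assumptions: gpg-card (GnuPG 2.3+) accepts "--"-separated commands on the
# command line; "yubikey list" prints one line per application as
# "APP usb nfc" with yes/no values (a header line, if any, is skipped).
set -eu

# Read "yubikey list" output on stdin. Succeed only when NFC is off for every
# application and OpenPGP is the sole application still enabled over USB.
check_opgp_only() {
    awk '
        NF == 3 && ($2 == "yes" || $2 == "no") {
            seen++
            if ($3 != "no") bad++                    # NFC still enabled
            if ($1 == "OPGP" && $2 != "yes") bad++   # OpenPGP must stay on
            if ($1 != "OPGP" && $2 != "no") bad++    # everything else off
        }
        END { if (seen == 0 || bad > 0) exit 1; exit 0 }'
}

# Apply the configuration shown in the quoted message to one card, selected
# by serial number, then verify the state gpg-card reports back.
configure_card() {
    serial=$1
    gpg-card list "$serial" \
        -- yubikey disable nfc all \
        -- yubikey disable usb otp u2f piv oath fido2 \
        -- yubikey list | check_opgp_only
}

main() {
    if [ $# -eq 0 ]; then
        echo "usage: $0 SERIALNO..." >&2
        return 2
    fi
    for serial in "$@"; do
        if configure_card "$serial"; then
            echo "$serial: OpenPGP only, NFC disabled"
        else
            echo "$serial: unexpected application state, inspect with gpg-card" >&2
            return 1
        fi
    done
}

# Run only when serial numbers are given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The verification step is the point of piping "yubikey list" through check_opgp_only: a card that silently kept an application enabled stops the batch instead of being handed out as if it matched the others.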
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users