I am still obsessed with the OpenPGP smartcard. I know, it is definitely far inferior to the YubiKey. It has far, far fewer features and its GnuPG implementation is even riddled with serious bugs that can take days to work around. It definitely has its peak years behind it. But no matter how bad it is, I simply like its form factor.

I cannot state this enough. I like how it fits into my wallet, alongside other items of a similar kind, like credit cards or an electronic ID card. It also sticks out of the laptop much less intrusively, neatly and quite subtly. It does not occupy any USB port, which is what I hate the most about YubiKeys. There are a million form factors of YubiKeys and all of them have to go into some USB port. When my laptop is in the dock, I have to reach out to touch it (this is important, we get to it in a moment). When not docked, it is easy to touch, but it sticks out awkwardly and that can result in accidents.

Git rebase and automatic signing

So I still use both, trying to figure out all their good, bad and ugly parts. Since I invested so much time in setting up GnuPG, I like to have automatic commit signing turned on globally. For me personally, it is a great feeling.

git config --global commit.gpgSign true
git config --global user.signingkey 0xA44B03E642BB42236780FEA43A1381FCF2738E75

Remember: Using a long, 32-bit key ID might be preferred, to avoid spoofing, collisions or other possible problems with the key. More details here.

With the above in place, rebasing (which can be very common in some git workflows) can result in a situation where one is asked for the PIN for every successive operation, because each replayed commit is signed again. This is the default configuration for a GnuPG smartcard.

GnuPG and forcesig option

The reason why the PIN is asked for every time is the forcesig option, which is set on the smartcard/device itself. It forces the PIN to be asked for every time a signature is requested, bypassing any cache options in the agent. Insert a GnuPG compatible device and run:

gpg --edit-card

This should show Signature PIN ....: forced. Now, you may already know I use KeePassXC extensively. Take a look at the keepass tag if you are interested in some other related or semi-related articles. I make KeePassXC (and KeePassDX with Syncthing, for that matter) an integral part of mostly anything password-, passphrase-, authentication- and security-related.

Setting up auto-type for any kind of window, prompt or dialog with KeePassXC is very easy. Pressing a global keyboard shortcut once in a while and having the right PIN filled in is not such a big deal. But when one has to do it many times in a row, it is annoying. It can be changed, though.

In the card edit interface, type admin, followed by forcesig. Enter the admin PIN and type list. You should now see Signature PIN ....: not forced instead. Suppose I made this change. I have now traded security for convenience. Security in the sense that a malicious process could now, in theory, sign something with my signature key, showing that a given piece of code, or even a whole package, was released by me, tricking people into false trust and thus possibly even into running malicious code. Or at least this is how I currently understand it. Doing some more research here would not hurt.
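As an added example (not from the original post), here is a small POSIX shell pre-flight check that ties the two settings above together: it parses a gpg --card-status sample, confirms that git's user.signingkey actually identifies the card's signature key (matching by fingerprint suffix, so long and short key IDs work as well as the full fingerprint), and reports whether the signature PIN is still forced. The card output is constructed here, not captured from a real device; only the fingerprint is the one from the git config above.

```shell
# Added example: pre-flight check before relying on global commit signing.
# The card output below is CONSTRUCTED in the shape of `gpg --card-status`,
# not captured from a real device; the fingerprint is the one from git config.
CARD_STATUS_SAMPLE='Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application type .: OpenPGP
Signature PIN ....: forced
Signature key ....: A44B 03E6 42BB 4223 6780  FEA4 3A13 81FC F273 8E75
      created ....: 2020-01-01 00:00:00
Encryption key....: [none]'
# The same card after `admin` + `forcesig` in gpg --edit-card (derived, not captured)
CARD_STATUS_NOT_FORCED=$(printf '%s\n' "$CARD_STATUS_SAMPLE" | sed 's/: forced$/: not forced/')

# card_field NAME TEXT: value of the "NAME ....: value" line, empty if absent
card_field() {
    printf '%s\n' "$2" | sed -n "s/^$1 *\.*: *//p" | head -n 1
}

# sig_pin_forced TEXT: 0 = forced (PIN per signature), 1 = not forced, 2 = unknown
sig_pin_forced() {
    case "$(card_field 'Signature PIN' "$1")" in
        forced) return 0 ;;
        'not forced') return 1 ;;
        *) return 2 ;;
    esac
}

# card_sig_fpr TEXT: the card's signature-key fingerprint, uppercase, no spaces
card_sig_fpr() {
    card_field 'Signature key' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# signingkey_matches_card ID TEXT: 0 if git's user.signingkey (full fingerprint,
# long or short key ID, optional 0x prefix) is a suffix of the card's fingerprint
signingkey_matches_card() {
    id=$(printf '%s\n' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    fpr=$(card_sig_fpr "$2")
    [ -n "$id" ] && [ -n "$fpr" ] || return 1
    case "$fpr" in
        *"$id") return 0 ;;
        *) return 1 ;;
    esac
}

# check_card_signing ID TEXT: 0 = key matches and forcesig still on,
# 1 = key mismatch, 2 = key matches but the PIN will be cached by gpg-agent
check_card_signing() {
    signingkey_matches_card "$1" "$2" || { echo "MISMATCH: $1 is not the card's signature key"; return 1; }
    if sig_pin_forced "$2"; then
        echo "OK: signature PIN forced, key matches card"; return 0
    fi
    echo "WARN: forcesig is off, gpg-agent will cache the signature PIN"; return 2
}

check_card_signing 0xA44B03E642BB42236780FEA43A1381FCF2738E75 "$CARD_STATUS_SAMPLE"
```

On a real machine, feed it the live output: check_card_signing "$(git config --get user.signingkey)" "$(gpg --card-status)".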

gpg-agent and PIN caching

Once the PIN is cached by gpg-agent, it is apparently hard to get it out of the cache, with the best current solution being to unplug the device. Note there is an ignore-cache-for-signing agent option, but I did not find out how or when to use it. And I know there are default-cache-ttl and max-cache-ttl agent options, which go into ~/.gnupg/gpg-agent.conf, but given the sheer number of raised issues, they probably do not work as most people would expect. Take a look into the links section for some threads.

This problem affects the OpenPGP smartcard and similar items, even GNUK flash sticks: devices without any user input beyond USB communication. The situation is different with the YubiKey, especially the YubiKey NEO, which has a capacitive touch area.

Signing with YubiKey and touch

With the YubiKey and its touch capability, the problem can be mitigated with the right configuration. This is by design. First install the yubikey-manager package, take a look at the docs and consider running the following:

ykman openpgp keys set-touch sig cached

Warning: Do not use the fixed or cached-fixed policy, as it is by design impossible to revert this setting without a full reset, which in the case of the GnuPG application is quite a lengthy process. Always start experimenting with a less permanent policy like on or the aforementioned cached. You can always step it up to the fixed policy later, when you are absolutely sure you know what you are doing.

What this does is that when the signature key is required, the PIN is entered and the YubiKey flashes its LED, waiting for a touch. Now every rebase within the next 15 seconds won't require any user interaction. After 15 seconds, just another touch is required.

Should a malicious program try to sign something with our credentials, it would make me very suspicious, and it would have a hard time getting that touch out of the blue from me (unless it ran within that 15 second window).

We see that the touch feature is a welcome addition. But it brings another problem with it: how to reliably know that the device is requesting our attention and waiting for the touch? Sure, the LED on it is flashing. But what if the YubiKey is plugged in somewhere not readily in sight, for instance in a dock? This gets us to the situation referenced at the beginning of this post.

YubiKey touch notification in Gnome

Yes, there is the yubikey-touch-detector project, aiming to provide the UI with a signal that the YubiKey requires a touch. It specifically mentions Arch in its installation guide, which is nice. In short:

sudo pacman -S yubikey-touch-detector
export yubipath="$HOME/.config/yubikey-touch-detector"
mkdir -p "$yubipath"
echo "YUBIKEY_TOUCH_DETECTOR_LIBNOTIFY=true" > "$yubipath/service.conf"
systemctl --user daemon-reload
systemctl --user enable yubikey-touch-detector.service --now

There are some nice features revolving around a UNIX socket too, go check it out. The notification in Gnome looks like the following:

(Image: "YubiKey is waiting for a touch" libnotify notification on Gnome)

And now the best part: a side effect of the above is that the notification is displayed not only when the YubiKey really waits for a touch; it shows up even when signing with the OpenPGP smartcard. The card obviously does not wait for any kind of touch, but this is intrinsic to how yubikey-touch-detector was built, utilizing gpg --card-status.

This way I could see that something awry is happening with my card if this suddenly started popping up, even without a touch area. This was unexpected, but I like it as it is. Enjoy!