I am still obsessed with the OpenPGP smartcard. I know, it is definitely far inferior to YubiKey. It has far, far less features and it's GnuPG implementation is even riddled with serious bugs that can take days to work around. It definitely has it's peak years behind. But no matter how bad it is, I simply like it's form-factor.
I cannot state this enough. I like how it fits to my wallet, along other items with similar taxonomy, like credit cards or an electronic ID card. It also sticks much less intrusively out of the laptop, neatly and quite subtly. It is not occupying any USB ports, which is what I hate the most about YubiKeys. There are million form-factors of YubiKeys and all have to go to some USB port. When my laptop is in the dock, I have to reach out to touch it (this is important, we get to this in a moment). When not docked, it is easy to touch, but sticks out awkwardly and it can result it accidents.
Git rebase and automatic signing
So I still use both, trying to figure out all the good, bad and ugly parts of them. Since I invested so much time in setting up GnuPG, I like to have the automatic commit signing turned on globally. For me personally, it is a great feeling.
git config --global commit.gpgSign true git config --global user.signingkey 0xA44B03E642BB42236780FEA43A1381FCF2738E75
Remember: Using long, 32-bit key ID might be preferred to potentially avoid spoofing, collisions or other possible problems with the key. More details here.
With the above in place, rebasing (which can be very common in some git workflows) can result in a situation, where one is asked for a PIN for every successive operation. This is a default configuration for a GnuPG smartcard.
GnuPG and forcesig option
The reason why the PIN is asked every time is the
forcesig option, that
is set up on the smartcard/device itself, forcing a PIN to be asked every
time when a signature pin in requested, invalidating any cache options in
the agent. Insert a GnuPG compatible device and run:
This should show
Signature PIN ....: forced. Now, you may already know I
use KeePassXC extensively. Take a look at the keepass tag
if you are interested in some other related or semi-related articles. I
make KeePassXC and (KeePassDX with Syncthing for that matter) an integral
part of mostly anything passwords, passphrases, authentication and security
Setting up auto-type for any kind of windows, prompts and dialogs with KeePassXC is very easy. Just pressing a global keyboard shortcut once in a while and having the right PIN filled in is not such a big deal. But when one have to do it many many times repeatedly, it is annoying. It can be changed, though.
In the card edit interface, type
admin, followed by
the admin PIN and type
list. You should now see
Signature PIN ....: not forced instead. Suppose I did this change. Now
I've traded security for a convenience. Security in a sense that a
malicious process could now in theory sign something with our signature
key, showing that given piece of code, or even a whole package was released
by me, tricking people into a false trust and thus possibly even running a
malicious code. Or at least this is how I currently understand it. Doing
some more research here would not hurt.
gpg-agent and PIN caching
Once the PIN is cached via
gpg-agent, it is apparently
hard to get it out of the cache,
with the best current solution to unplug the device. Note there is a
ignore-cache-for-signing agent option but I did not find out how or when
to use it. And I know there are
that should go to
~/.gnupg/gpg-agent.conf, but given the sheer amount of
raised issues, they probably do not work as most people would expect. Take
a look into the links section for some threads.
This problem affects OpenPGP smartcard and similar items, even GNUK flash sticks, the devices without any user input outside of USB communication. The situation is different with the YubiKey, especially the YubiKey NEO that has a capacitive touch area.
Signing with YubiKey and touch
With YubiKey and it's touch capability, the problem can be or mitigated
with a right configuration. This is by design. First install
yubikey-manager package, take a look at the
and consider running the following:
ykman openpgp keys set-touch sig cached
Warning: Do not use
cached-fixedpolicy as it it by design impossible to revert this setting without a full reset, which is in case of safe GnuPG application quite a lengthy process. Always start experimenting with less permanent policy like
cached. You can always step it up to the fixed policy later when you are absolutely sure you know what you are doing.
What this does is that when a signature key is required, PIN is inserted and YubiKey is flashing it's LED, waiting for a touch. Now every rebase for the next 15 seconds won't require any user interaction. After 15 seconds, just another touch is required.
Should a malicious program tried to sign something with our credentials, it would make me very suspicious and would have hard time getting that touch out of the blue from me (unless it would run within that 15 second window).
We see, the touch feature is a welcome addition. But it brings another problem with itself: how to reliably know the device is requesting our attention and waiting for the touch? Sure, the LED on it is flashing. But what if the YubiKey is plugged somewhere not readily in the sight, for instance, in a dock? This is getting us to the situation with referenced at the beginning of this post.
YubiKey touch notification in Gnome
Yes, there is a YubiKey touch detector project aiming at providing the UI with the signal, that the YubiKey requires a touch. It specifically mentions Arch on it installation guide, which is nice. In short:
sudo pacman -S yubikey-touch-detector export yubipath="$HOME/.config/yubikey-touch-detector" mkdir -p "$yubipath" echo "YUBIKEY_TOUCH_DETECTOR_LIBNOTIFY=true" > "$yubipath/service.conf" systemctl --user daemon-reload systemctl --user enable yubikey-touch-detector.service --now
There are some nice features revolving around UNIX socket too, go check it out. The notification in Gnome looks like the following:
And now the best part: the side effect of the above is that not only the
notification is displayed when the YubiKey really waits for a touch, the
notification shows itself even when signing with the OpenPGP smartcard. The
card does obviously not wait for any kind of touch, but it is intrinsic how
yubikey-touch-detector was created, utilizing
This way I could see that something awry is happening with my card if this suddenly started popping up, even without the touch area. This was unexpected but I like it as it is. Enjoy!