Yarmo - gpg: Blog of an Open Source developer (Zola feed, https://yarmo.eu/tags/gpg/atom.xml, updated 2022-05-03T09:00:12+00:00)
GPG import public key from smartcard (published 2022-05-03T09:00:12+00:00)
Author: Unknown
https://yarmo.eu/blog/gpg-import-from-smartcard/
<h2 id="TLDR">TLDR</h2>
<p>On a new computer, insert your USB OpenPGP smartcard and run (<code>fetch</code> and <code>quit</code> are entered at the <code>gpg/card&gt;</code> prompt that <code>--card-edit</code> opens):</p>
<pre data-lang="bash" style="background-color:#212733;color:#ccc9c2;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#ffd580;">gpg</span><span style="color:#ffcc66;"> --card-edit
</span><span style="font-style:italic;color:#5c6773;"># the next two lines are typed at the gpg/card&gt; prompt
</span><span style="font-style:italic;color:#5c6773;"># fetch: download the public key from the URL stored on the card and create stubs for the secret keys the card holds
</span><span style="color:#ffd580;">fetch
</span><span style="color:#ffd580;">quit
</span></code></pre>
<h2 id="Explanation">Explanation</h2>
<p>I have a <a href="https://www.yubico.com/products/yubikey-5-overview/">YubiKey 5</a> (still waiting on my <a href="https://www.indiegogo.com/projects/solo-v2-safety-net-against-phishing#/">Solo v2</a>) on which I store my OpenPGP secret key.</p>
<p>However, if I boot into a new system, insert my USB OpenPGP smartcard, import my public key from a keyserver:</p>
<pre data-lang="bash" style="background-color:#212733;color:#ccc9c2;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="font-style:italic;color:#5c6773;"># ABCD1234 stands for your own key; prefer the full 40-hex-digit fingerprint over a short key ID
</span><span style="color:#ffd580;">gpg</span><span style="color:#ffcc66;"> --keyserver</span><span> hkps://keys.openpgp.org</span><span style="color:#ffcc66;"> --recv-keys</span><span> ABCD1234
</span></code></pre>
<p><a href="https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work">configure git</a>:</p>
<pre data-lang="bash" style="background-color:#212733;color:#ccc9c2;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#ffd580;">git</span><span> config</span><span style="color:#ffcc66;"> --global</span><span> user.signingkey ABCD1234
</span></code></pre>
<p>and attempt to sign a commit, I'll get an error message:</p>
<pre data-lang="bash" style="background-color:#212733;color:#ccc9c2;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#ffd580;">git</span><span> commit</span><span style="color:#ffcc66;"> -S -m </span><span style="color:#bae67e;">"Signed commit"
</span><span style="font-style:italic;color:#5c6773;"># error: gpg failed to sign the data
</span><span style="font-style:italic;color:#5c6773;"># fatal: failed to write commit object
</span></code></pre>
<p>GPG has the public key, but nothing in its keyring tells it that the matching secret keys live on the USB OpenPGP smartcard: there are no secret-key stubs, so gpg-agent has nothing to sign with and git's <code>-S</code> fails.</p>
<p>So, instead of importing the public key from a keyserver, fetch it via the smartcard with the following commands. The card does not hold the public key itself; <code>fetch</code> downloads it from the URL stored on the card (set with the <code>url</code> command in <code>admin</code> mode, so this only works if that field was filled in when the key was loaded) and, because the card is present, gpg also writes the stubs that point the secret keys at it. If you already imported the key from a keyserver, running <code>gpg --card-status</code> with the card inserted creates the same stubs. Either way, check that the fingerprints <code>gpg --card-status</code> prints match the key in your keyring before relying on the setup:</p>
<pre data-lang="bash" style="background-color:#212733;color:#ccc9c2;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#ffd580;">gpg</span><span style="color:#ffcc66;"> --card-edit
</span><span style="color:#ffd580;">fetch
</span><span style="color:#ffd580;">quit
</span></code></pre>
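<p>Before relying on <code>fetch</code> on a fresh machine it is worth checking three things: that the card actually carries a public-key URL, that the fingerprints stored on the card are the ones in your keyring, and that gpg has written secret-key stubs bound to this card. The script below is an added example, not code from the original post or from GnuPG; it parses the <code>--with-colons</code> output of <code>gpg --card-status</code>, <code>gpg --list-keys --with-fingerprint</code> and <code>gpg --list-secret-keys</code>. It assumes the record names and field positions documented in gpg's <code>doc/DETAILS</code> (the <code>URL of public key</code> and <code>fpr</code> records of the card status, field 10 of a key listing's <code>fpr</code> record, field 15 of <code>sec</code>/<code>ssb</code> records carrying the card's application ID, and <code>\x3a</code> as the escape for colons inside values); the card serial, fingerprints and URL in the sample listings are constructed placeholders, not captured from a real card.</p>

```bash
#!/bin/sh
# Added example, not code from the original post: pre-flight checks for the
# card-fetch workflow.  Each check reads the machine-readable (--with-colons)
# output of one gpg command on stdin, so against a real card you would run:
#   gpg --card-status --with-colons                  | card_key_url
#   gpg --card-status --with-colons                  | card_fingerprints
#   gpg --list-keys --with-colons --with-fingerprint | keyring_fingerprints
#   gpg --list-secret-keys --with-colons             | stub_serials
# Record names and field positions follow gpg's doc/DETAILS (assumed, not
# re-verified here); the sample listings at the bottom are constructed.
set -eu

# `fetch` in `gpg --card-edit` downloads the public key from the URL stored on
# the card (set with `url` in admin mode).  Print it, or fail if the field is
# empty: with no URL there is nothing for `fetch` to fetch.  gpg escapes ':'
# inside colon-format values as \x3a, so undo that before printing.
card_key_url() {
  awk -F: '$1 == "URL of public key" { url = $2 }
           END { if (url == "") exit 1; gsub(/\\x3a/, ":", url); print url }'
}

# Fingerprints of the signature, encryption and authentication slots on the
# card ("fpr" record), one per line; empty slots are skipped.
card_fingerprints() {
  awk -F: '$1 == "fpr" { for (i = 2; i <= NF; i++) if ($i != "") print $i }'
}

# Fingerprints of every key and subkey in the public keyring (field 10 of the
# "fpr" record of a key listing).
keyring_fingerprints() {
  awk -F: '$1 == "fpr" { print $10 }'
}

# Where the secret half of each key lives: field 15 of a sec/ssb record holds
# the card's application ID for a smartcard stub, "#" for a stub with no
# token and "+" for a key kept on disk.  Prints "<keyid> <serial-or-marker>".
stub_serials() {
  awk -F: '$1 == "sec" || $1 == "ssb" { print $5, ($15 == "" ? "-" : $15) }'
}

# Combine the checks: $1 = card-status output, $2 = public key listing,
# $3 = secret key listing.  Returns 0 when every key on the card is in the
# keyring and at least one secret-key stub points at this card, else 1.
card_ready() {
  serial=$(printf '%s\n' "$1" | awk -F: '$1 == "Application ID" { print $2 }')
  if [ -z "$serial" ]; then echo "no OpenPGP card found"; return 1; fi
  status=0
  for fpr in $(printf '%s\n' "$1" | card_fingerprints); do
    if printf '%s\n' "$2" | keyring_fingerprints | grep -qx "$fpr"; then
      echo "ok   $fpr is in the keyring"
    else
      echo "MISS $fpr is on the card but not in the keyring (run fetch)"
      status=1
    fi
  done
  stubs=$(printf '%s\n' "$3" | stub_serials | awk -v s="$serial" '$2 == s { n++ } END { print n + 0 }')
  if [ "$stubs" -eq 0 ]; then
    echo "MISS no secret-key stub points at card $serial (run fetch or gpg --card-status)"
    status=1
  else
    echo "ok   $stubs secret-key stub(s) bound to card $serial"
  fi
  return $status
}

# --- constructed sample data (not captured from a real card) -----------------
SERIAL='D2760001240102010006123456780000'
FPR_SIG='00000000000000000000000000000000ABCD1234'
FPR_ENC='00000000000000000000000000000000ABCD5678'
FPR_AUT='00000000000000000000000000000000ABCD9ABC'

# `gpg --card-status --with-colons` excerpt; note the \x3a escapes in the URL
CARD_STATUS="Application ID:$SERIAL:
Manufacturer:0006:Yubico:
URL of public key:https\\x3a//example.com/ABCD1234.asc:
fpr:$FPR_SIG:$FPR_ENC:$FPR_AUT:"

# `gpg --list-keys --with-colons --with-fingerprint` excerpt after the import
PUB_LISTING="pub:u:4096:1:00000000ABCD1234:1577836800:::u:::scESCA::::::23::0:
fpr:::::::::$FPR_SIG:
sub:u:4096:1:00000000ABCD5678:1577836800::::::e::::::23:
fpr:::::::::$FPR_ENC:
sub:u:4096:1:00000000ABCD9ABC:1577836800::::::a::::::23:
fpr:::::::::$FPR_AUT:"

# `gpg --list-secret-keys --with-colons` excerpt after `fetch` created the stubs
SEC_LISTING="sec:u:4096:1:00000000ABCD1234:1577836800:::u:::scESCA:::$SERIAL:::23::0:
ssb:u:4096:1:00000000ABCD5678:1577836800::::::e:::$SERIAL:::23:
ssb:u:4096:1:00000000ABCD9ABC:1577836800::::::a:::$SERIAL:::23:"

if url=$(printf '%s\n' "$CARD_STATUS" | card_key_url); then
  echo "fetch will download the key from $url"
fi
card_ready "$CARD_STATUS" "$PUB_LISTING" "$SEC_LISTING"   # every check passes on the sample
```

<p>Against a real card, replace the three sample variables with the live output of the corresponding <code>gpg ... --with-colons</code> commands. A <code>MISS</code> on a fingerprint means the keyring copy is not the key the card was provisioned with (or is missing entirely), and a <code>MISS</code> on the stubs means the situation from the git error above: gpg knows the public key but has not yet been told the secret half is on the card.</p>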