Is there a way of using a gpg key on a remote server for signing with the gpg program (command line tool) on Linux?
I am using gpg for signing binaries on localhost with test keys. Now I want to use the same type of keys, accessed from a server. I am looking for a way to do this just by changing the gpg tool's arguments.
You can do this with OpenSSH >= 6.7 and GnuPG >= 2.1.1.

OpenSSH 6.7 introduced Unix socket forwarding, which will be used to forward the gpg-agent socket. And GnuPG 2.1 got rid of secring.gpg, delegating private key management to gpg-agent. This avoids having to keep the private key on the remote machine.
First you'll want to set up an extra-socket on the local client. Add this line to your gpg-agent.conf
extra-socket /path/to/extra-socket
Restart your gpg-agent
pkill gpg-agent
gpg-connect-agent /bye
Open an ssh connection to the remote server and forward the server's gpg-agent socket back to the client (make sure gpg-agent isn't already running on the remote):
ssh -R ${GNUPGHOME:-~/.gnupg}/S.gpg-agent:/path/to/extra-socket remote-server
Note: GNUPGHOME refers to the home folder of gnupg on the remote. If it is different from the local GNUPGHOME, you'll have to adapt this.
You should now be able to sign/encrypt on the remote server, provided it has your public key in the keyring.
Note: You may need to add a graphical pinentry (qt, gtk) to your client's gpg-agent.conf; I'm not sure the curses one will work.
By default, OpenSSH will not remove the forwarded socket on the server upon closing the connection. This will prevent OpenSSH from creating the socket during the next connection. If you have access to the server's sshd_config you may add the following line:
StreamLocalBindUnlink yes
or remove it in your logout script (.zlogout, .bash_logout, ...):
rm ${GNUPGHOME:-~/.gnupg}/S.gpg-agent
Further information can be found on this GnuPG wiki page. https://wiki.gnupg.org/AgentForwarding
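The answer above hard-codes the socket paths. Since GnuPG 2.1.13 the agent socket usually lives under /run/user/UID/gnupg rather than ~/.gnupg, and the extra socket is created by default, so the safer approach is to ask gpgconf on each side where its sockets are before building the -R argument. The following is an added example, not code from the original answer; it assumes GnuPG >= 2.1.13 on both ends (for `gpgconf --list-dirs NAME` and `gpgconf --kill gpg-agent`), and the host name, the sample gpgconf output and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original answer): build the gpg-agent
# forwarding command from what gpgconf reports instead of guessing paths.
# Assumes GnuPG >= 2.1.13 locally and on the remote.

# Extract one entry from `gpgconf --list-dirs` output, whose lines look like
#   agent-socket:/run/user/1000/gnupg/S.gpg-agent
# $1 = entry name, stdin = gpgconf output. Prints the value (or nothing).
gpgconf_dir() {
    sed -n "s/^$1:\(.*\)$/\1/p" | head -n 1
}

# Build the -R specification "REMOTE_SOCKET:LOCAL_EXTRA_SOCKET".
# Both paths must be absolute: sshd binds the remote path literally, and a
# relative local path would be resolved against whatever cwd ssh runs in.
# $1 = socket path gpg on the remote looks for, $2 = local extra socket.
forward_spec() {
    case "$1" in /*) ;; *) echo "remote socket path must be absolute: $1" >&2; return 1 ;; esac
    case "$2" in /*) ;; *) echo "local socket path must be absolute: $2" >&2; return 1 ;; esac
    printf '%s:%s\n' "$1" "$2"
}

# Open the forwarded session. A gpg-agent already running on the remote would
# own the socket path, so stop it first (gpg would otherwise autostart one and
# try to use a non-existent local key). Extra arguments are passed to ssh.
# $1 = host, $2 = remote socket path, $3 = local extra socket path.
forward_connect() {
    host=$1; remote_sock=$2; local_sock=$3; shift 3
    spec=$(forward_spec "$remote_sock" "$local_sock") || return 1
    ssh "$host" gpgconf --kill gpg-agent
    # StreamLocalBindUnlink must still be set in the server's sshd_config for
    # a stale socket from a previous session to be replaced.
    ssh -R "$spec" "$host" "$@"
}

# End to end: query each side for its socket location, then forward.
# Usage (needs a reachable host, so not run here): forward_auto remote-server
forward_auto() {
    host=$1; shift
    local_sock=$(gpgconf --list-dirs agent-extra-socket)
    remote_sock=$(ssh "$host" gpgconf --list-dirs agent-socket)
    forward_connect "$host" "$remote_sock" "$local_sock" "$@"
}
```

Once connected, `gpg --list-secret-keys` on the remote should show the keys held by the local agent (the public keys must already be imported there), and `gpg --sign` prompts for the passphrase through the local pinentry. Verify nothing was copied by checking that the remote ~/.gnupg/private-keys-v1.d stays empty.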