
How do I use keybase with Yubikey?

Open steinbitglis opened this issue 9 years ago • 33 comments

How do I log in when my private key isn't on my machine, but my signing key is on a yubikey?

- ERROR Sorry, your account is already established with a PGP public key, but this utility cannot find the corresponding private key on this machine. This is the fingerprint of the PGP key in your account:

steinbitglis avatar Mar 15 '17 18:03 steinbitglis

Cc: @zapu

maxtaco avatar Mar 15 '17 18:03 maxtaco

Do a keybase log send and we can take a look

maxtaco avatar Mar 15 '17 18:03 maxtaco

727d661977473e2df03f4b1c

steinbitglis avatar Mar 15 '17 18:03 steinbitglis

Could you describe your YubiKey setup (which private keys are offline, which are on yubi etc.) and what are you trying to do so I can try to reproduce the issue? Thank you

zapu avatar Mar 15 '17 18:03 zapu

I have subkeys on the yubikey, something like this: https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/

steinbitglis avatar Mar 15 '17 18:03 steinbitglis

It's a while since I made it, but I remember that this was my inspiration: https://alexcabal.com/creating-the-perfect-gpg-keypair/

steinbitglis avatar Mar 15 '17 18:03 steinbitglis

for my setup: Secret key is available.

pub  2048R/D3DA6FCB  created: 2015-11-18  expires: 2017-12-17  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/9113138F  created: 2015-11-18  expires: 2017-12-17  usage: E
sub  2048R/39812C75  created: 2015-11-18  expires: 2017-12-17  usage: A
sub  2048R/D9F2ECC8  created: 2015-11-18  expires: 2017-12-17  usage: S
[ultimate] (1). Fredrik Ludvigsen [email protected]
[ultimate] (2)  Fredrik Ludvigsen (offline master key) [email protected]
[ultimate] (3)  Fredrik Ludvigsen [email protected]

The sub keys are located on the yubikey.

steinbitglis avatar Mar 15 '17 18:03 steinbitglis

This is what I see when I do gpg2 --list-secret-keys on my test setup (both primary signing key and encryption subkey have secret keys on yubikey):

sec>  rsa2048 2017-03-14 [SC]
      BDD071E86CD184E326E4528F7384033FA8BBB1F4
      Card serial no. = 0006 05297442
uid           [ultimate] Michał Yubi <[email protected]>
ssb>  rsa2048 2017-03-14 [E]

do you have something similar? IIRC > indicates that this key has a stub private key to know it's on device.

zapu avatar Mar 15 '17 19:03 zapu

--------------------------------------------------
sec#  2048R/D3DA6FCB 2015-11-18 [expires: 2016-11-17]
uid                  Fredrik Ludvigsen (offline master key) <[email protected]>
ssb>  2048R/9113138F 2015-11-18
ssb>  2048R/39812C75 2015-11-18
ssb>  2048R/D9F2ECC8 2015-11-18

steinbitglis avatar Mar 15 '17 19:03 steinbitglis

OK, I'll try to recreate something like this and see what I can do. Thank you for helping me with that!

zapu avatar Mar 15 '17 19:03 zapu

Thank you for looking into it. I'm heading home soon, but I'll try to follow up as close as I can.

steinbitglis avatar Mar 15 '17 19:03 steinbitglis

It looks like a bug in our openpgp library, so I will take it from there for a bit and get back to you once I have anything more. Thanks again!

zapu avatar Mar 15 '17 20:03 zapu

Would you mind showing the output of gpg2 --no-tty --with-colons --fingerprint -K? For some reason Keybase thinks that your keys are expired. Thank you.

zapu avatar Mar 16 '17 17:03 zapu

I should do this on the same computer then, so it will have to be tomorrow morning.

I'll post to you then.

Den 16.03.2017 18:20, skrev Michał Zochniak:

Would you mind to show output of |gpg2 --no-tty --with-colons --fingerprint -K|? For some reason Keybase thinks that your keys are expired. Thank you.


steinbitglis avatar Mar 17 '17 00:03 steinbitglis

C:\Users\Fredrik>"c:\Program Files (x86)\GNU\GnuPG\gpg2.exe" --no-tty --with-colons --fingerprint -K
sec::2048:1:25CD263267D392E7:1336034903:1452596400:::::::::
fpr:::::::::4ECFF2B5616BAC8473AB693425CD263267D392E7:
uid:::::::2055D84321705AA23C7C0840CEABE75A2F3DE9AA::Fredrik Ludvigsen (bitcoin) <[email protected]>:
sec::2048:1:623AE6A1D3DA6FCB:1447880481:1479417789::::::::#:
fpr:::::::::BCCB574EBE1ECB5051963E4A623AE6A1D3DA6FCB:
uid:::::::65CE11F6F8070E21CDC5230BD32F0BF9B0BE2152::Fredrik Ludvigsen (offline master key) <[email protected]>:
ssb::2048:1:30ED71E79113138F:1447880481:::::::::D2760001240102000006038117700000:
ssb::2048:1:B575DF1939812C75:1447885988:::::::::D2760001240102000006038117700000:
ssb::2048:1:F63287CCD9F2ECC8:1447886178:::::::::D2760001240102000006038117700000:

steinbitglis avatar Mar 17 '17 09:03 steinbitglis

Can we also run gpg2 --list-keys? It seems like gpg2 marks your keys as expired, so keybase client treats them as such. But when I downloaded your key from https://keybase.io/fludvigsen, it was fine.

For example: sec::2048:1:623AE6A1D3DA6FCB:1447880481:1479417789::::::::#: The 7th value is expiration timestamp, in this case 1479417789, which is Thu Nov 17 22:23:09 CET 2016.

zapu avatar Mar 17 '17 21:03 zapu

C:\Users\Fredrik>"c:\Program Files (x86)\GNU\GnuPG\gpg2.exe" --list-keys
C:/Users/Fredrik/AppData/Roaming/gnupg/pubring.gpg

pub   2048R/67D392E7 2012-05-03 [expired: 2016-01-12]
uid       [ expired] Fredrik Ludvigsen (bitcoin) [email protected]

pub   2048R/9FA3478C 2012-07-26
uid       [ full ] Thomas Tyssøy [email protected]

pub   2048R/827498B8 2012-11-20
uid       [ unknown] Peter Wingaard Meldahl [email protected]

pub   4096R/7BD0F730 2013-09-16
uid       [ unknown] Torbjørn Ludvigsen [email protected]
uid       [ unknown] [jpeg image of size 14666]
sub   4096R/2C7116C9 2013-09-16
sub   4096R/50619F04 2013-09-16

pub   2048R/D9123532 2015-10-20
uid       [ unknown] Eduardo Garabito [email protected]
sub   2048R/3CD526C4 2015-10-20

pub   2048R/D3DA6FCB 2015-11-18 [expires: 2017-12-17]
uid       [ultimate] Fredrik Ludvigsen [email protected]
uid       [ultimate] Fredrik Ludvigsen (offline master key) [email protected]
uid       [ultimate] Fredrik Ludvigsen [email protected]
sub   2048R/9113138F 2015-11-18 [expires: 2017-12-17]
sub   2048R/39812C75 2015-11-18 [expires: 2017-12-17]
sub   2048R/D9F2ECC8 2015-11-18 [expires: 2017-12-17]

pub   1024D/FEB7C7BC 2007-08-27
uid       [ full ] Dominik Reichl [email protected]
sub   4096g/F129EEB7 2007-08-27

pub   2048R/B43434E4 2015-08-31 [expires: 2018-08-30]
uid       [ unknown] PuTTY Releases [email protected]

pub   4096R/58C6F98E 2016-06-08
uid       [ full ] Dominik Reichl [email protected]
sub   4096R/1E43A881 2016-06-08

steinbitglis avatar Mar 20 '17 08:03 steinbitglis

Did that help?

steinbitglis avatar Mar 23 '17 09:03 steinbitglis

Sorry! Got dragged away by other bugs :(

There is some issue where when you list your secret keys, it looks like D3DA6FCB is expired: sec# 2048R/D3DA6FCB 2015-11-18 [expires: 2016-11-17] (and that's also shown in the --with-colons output), but the public key is not expired (pub 2048R/D3DA6FCB 2015-11-18 [expires: 2017-12-17]). Is there some obvious PGP thing that I'm missing which would make them be "out of sync" like that?

zapu avatar Mar 23 '17 09:03 zapu
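The two observations above, that field 7 of a `--with-colons` record is the expiry timestamp and that the secret-ring stub for D3DA6FCB can carry a different expiry than the public key, can be checked mechanically rather than by eye. The following is an added example written for this page; it is not Keybase or GnuPG code. It parses `gpg --with-colons` listings using the field layout documented in GnuPG's doc/DETAILS (field 5 key ID, 6 creation, 7 expiry, 15 token serial / `#` stub marker) and reports every secret record whose expiry disagrees with the matching public record. The secret-ring sample lines are the ones posted in this thread; the public-ring lines are constructed to match the later `--list-keys` output (expiry 2017-12-17, timestamp 1513468800 assumed).

```python
from datetime import datetime, timezone

# Record types that carry key material (field layout per GnuPG doc/DETAILS).
KEY_RECORDS = ("pub", "sub", "sec", "ssb")


def parse_colons(text):
    """Parse `gpg --with-colons` output into a list of key records.

    1-based fields as documented by GnuPG: 5 = key ID, 6 = creation time,
    7 = expiration time (epoch seconds, empty if the key never expires),
    15 = for sec/ssb the smartcard serial, '+' if the secret key is on
    disk, or '#' for a stub with no secret material (the offline-master
    case discussed in this thread). Non-key records (fpr, uid, ...) are skipped.
    """
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in KEY_RECORDS:
            continue

        def field(n):
            # Tolerate short records (older gpg emits fewer trailing fields).
            return fields[n - 1] if len(fields) >= n else ""

        records.append({
            "type": fields[0],
            "keyid": field(5),
            "created": int(field(6)) if field(6) else None,
            "expires": int(field(7)) if field(7) else None,
            "token": field(15),
        })
    return records


def iso_utc(ts):
    """Render an epoch timestamp as ISO-8601 in UTC (1479417789 -> 2016-11-17T21:23:09+00:00)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def secret_location(rec):
    """Describe where the secret half of a sec/ssb record lives, from field 15."""
    token = rec["token"]
    if token == "#":
        return "missing (offline stub)"
    if token in ("", "+"):
        return "on disk"
    return "smartcard serial " + token


def is_expired(rec, now_ts):
    """True when the record carries an expiry that is already in the past."""
    return rec["expires"] is not None and rec["expires"] < now_ts


def expiry_mismatches(secret_listing, public_listing):
    """Pair each sec/ssb record with the pub/sub record of the same key ID and
    report those whose expiry differs. A stale stub like this is what makes
    `-K` (and any tool trusting it) report the key as expired even though the
    public key, and the Keybase-hosted copy, are fine."""
    public = {r["keyid"]: r for r in parse_colons(public_listing)}
    out = []
    for sec in parse_colons(secret_listing):
        pub = public.get(sec["keyid"])
        if pub is None or pub["expires"] == sec["expires"]:
            continue
        out.append({
            "keyid": sec["keyid"],
            "secret_expires": iso_utc(sec["expires"]) if sec["expires"] else None,
            "public_expires": iso_utc(pub["expires"]) if pub["expires"] else None,
            "secret": secret_location(sec),
        })
    return out


# Secret-ring sample: the D3DA6FCB lines posted in this thread (uid line omitted).
SECRET_LISTING = """\
sec::2048:1:623AE6A1D3DA6FCB:1447880481:1479417789::::::::#:
fpr:::::::::BCCB574EBE1ECB5051963E4A623AE6A1D3DA6FCB:
ssb::2048:1:30ED71E79113138F:1447880481:::::::::D2760001240102000006038117700000:
ssb::2048:1:B575DF1939812C75:1447885988:::::::::D2760001240102000006038117700000:
ssb::2048:1:F63287CCD9F2ECC8:1447886178:::::::::D2760001240102000006038117700000:
"""

# Public-ring sample: CONSTRUCTED to mirror the later --list-keys output,
# with 2017-12-17 00:00 UTC (1513468800) assumed as the updated expiry.
PUBLIC_LISTING = """\
pub:u:2048:1:623AE6A1D3DA6FCB:1447880481:1513468800::u:::scESC:
sub:u:2048:1:30ED71E79113138F:1447880481:1513468800:::::e:
sub:u:2048:1:B575DF1939812C75:1447885988:1513468800:::::a:
sub:u:2048:1:F63287CCD9F2ECC8:1447886178:1513468800:::::s:
"""

if __name__ == "__main__":
    for m in expiry_mismatches(SECRET_LISTING, PUBLIC_LISTING):
        print(m)
```

Feed it the real output of `gpg2 --with-colons -K` and `gpg2 --with-colons -k` and any key it lists is a candidate for the re-import of a fresh `--export-secret-subkeys` file that resolved this thread.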

I did update the expiry date some time ago. I don't know what I might have done wrong at that time.

steinbitglis avatar Mar 23 '17 09:03 steinbitglis

I'll look into that --with-colons expiry date

steinbitglis avatar Mar 23 '17 09:03 steinbitglis

-K --with-colons is just different formatting for -K (or --list-secret-keys). There should be a way to get that expiry date of offline master key private "stub" (not really a stub) bumped up, but to be honest, I've yet to have one expire on me so I never tried that.

zapu avatar Mar 23 '17 10:03 zapu

It seems that I have updated my subkeys with new expiry dates, but not my offline master key. I don't really understand the difference in meaning between these expiry dates.

For now, I cannot continue until I've consulted my offline key, so until tomorrow, there's nothing I can do.

steinbitglis avatar Mar 23 '17 10:03 steinbitglis

I managed to make it work actually. To reproduce my situation, you need to:

  • Have secret subkeys located on yubikey
  • --export-secret-subkeys (creates a private key without the master key, no actual private keys, since the rest are on the device)
  • Move to online machine
  • Let the master key expire
  • Update the expiration date of the master key and the subkeys (offline machine)
  • Export a new public key, import it on the online machines
  • On your online machine, your key now has an expired master key stub, even though the signing keys are not expired. Still works in all cases I know of, except this (I don't use gpg that much though.)

steinbitglis avatar Mar 24 '17 00:03 steinbitglis

Not sure why this still doesn't work though.

C:\Users\Fredrik>AppData\Local\Keybase\keybase.exe pgp sign -m "test"
• ERROR No secret key available

Signing with plain gpg2 works, and keybase login works, and my device is provisioned by gpg

steinbitglis avatar Mar 24 '17 08:03 steinbitglis

In

Update the expiration date of the master key and the subkeys (offline machine) Export a new public key, import it on the online machines

do you export updated keys with --export-secret-subkeys again? I will try to experiment again when I find time.

Glad to hear your problem is solved!

Signing through keybase will probably not work, since we use go-crypto to work with pgp keys and do signatures, and it is unlikely to ever support yubikey. For provisioning and importing keys, we shell out to gpg2 (or similar). @oconnor663 should know more and correct me here if I'm wrong.

zapu avatar Mar 24 '17 12:03 zapu

Doing a second --export-secret-subkeys does the more "proper" update of keys, which is necessary for the keybase login to work.

steinbitglis avatar Mar 24 '17 13:03 steinbitglis

I'm doing the same thing as the OP, and this is going to get asked for a lot more often as these devices become more popular and available. The expectation that Keybase should select an appropriate signing or encryption subkey when available (whichever one has the longest validity) and prompt for pinentry if that subkey is a stub for a smartcard is the correct one.

Since seamless smartcard operation for the secure storage of private key material is absolutely essential to the goal of popularizing and simplifying the use of cryptography, updated guidance and a commitment from Keybase to support them would be appreciated.

nethershaw avatar Sep 17 '20 18:09 nethershaw

Is it possible to make keybase only work with yubikey? like, git clone, sending messages, etc?

lattice0 avatar Nov 08 '21 11:11 lattice0

Is it possible to make keybase only work with yubikey? like, git clone, sending messages, etc?

I came here to ask pretty much the same. I'd like to be able to better protect my keybase account from hypothetical attackers who gain physical access to my devices with Keybase installed on them. I've required password login on several devices, but I'd much rather use Yubikeys and/or biometrics.

aolieman avatar Dec 02 '21 15:12 aolieman