How to setup Signed Git Commits with a YubiKey NEO and GPG and Keybase on Windows


[Image: This commit was signed with a verified signature.]

This week in obscure blog titles, I bring you the nightmare that is setting up Signed Git Commits with a YubiKey NEO and GPG and Keybase on Windows. This is one of those "it's good for you" things like diet and exercise and setting up 2 Factor Authentication. I just want to be able to sign my code commits to GitHub so I might avoid people impersonating my Git Commits (happens more than you'd think and has happened recently). However, I also was hoping to make it more secure by keeping the signing key on a YubiKey 4 or YubiKey NEO security key, so the private key never sits on the laptop's disk. They're happy to tell you that it supports a BUNCH of stuff that you have never heard of like Yubico OTP, OATH-TOTP, OATH-HOTP, FIDO U2F, OpenPGP, Challenge-Response. I am most concerned with it acting like a Smart Card that holds a PGP (Pretty Good Privacy) key. The YubiKey exposes an OpenPGP smart card applet over CCID, which is what GPG talks to; that is a separate applet from its "PIV (Personal Identity Verification) Smart Card" one, even though both look like smart cards to Windows.


NOTE: I am not a security expert. Let me know if something here is wrong (be nice) and I'll update it. Note also that there are a LOT of guides out there. Some are complete and encyclopedic, some include recommendations and details that are "too much," but this one was my experience. This isn't The Bible On The Topic but rather what happened with me and what I ran into and how I got past it. Until this is Super Easy (TM) on Windows, there's gonna be guides like this.


As with all things security, there is a balance between Capital-S Secure with offline air-gapped what-nots, and Ease Of Use with tools like Keybase. It depends on your tolerance, patience, technical ability, and if you trust any online services. I like Keybase and trust them so I'm starting there with a Private Key. You can feel free to get/generate your key from wherever makes you happy and secure.


I use Windows and I like it, so if you want to use a Mac or Linux this blog post likely isn't for you. I love and support you and your choice though. ;)


Make sure you have a private PGP key that has your Git Commit Email Address associated with it

I downloaded and installed (and optionally donated for) a copy of Gpg4Win.


Take your private key - either the one you got from Keybase or one you generated locally - and make sure that your UID (your email address that you use on GitHub) is a part of it. Here you can see mine is not, yet. That could be the main email or might be an alias or "uid" that you'll add.


[Image: Certs in Kleopatra]

If not - as in my case since I'm using a key from keybase - you'll need to add a new uid to your private key. You will know you got it right when you run this command and see your email address inside it.


> gpg --list-secret-keys --keyid-format LONG

------------------------------------------------
sec# rsa4096/MAINKEY 2015-02-09 [SCEA]

uid [ultimate] keybase.io/shanselman <shanselman@keybase.io>

You can run adduid from the gpg --edit-key prompt, or you can add it in the Kleopatra GUI.



List them again and you'll see the added uid.


> gpg --list-secret-keys --keyid-format LONG

------------------------------------------------
sec# rsa4096/MAINKEY 2015-02-09 [SCEA]
uid [ultimate] keybase.io/shanselman <shanselman@keybase.io>
uid [ unknown] Scott Hanselman <scott@hanselman.com>

When you make changes like this, you can export your public key and update it in Keybase.io (again, if you're using Keybase).



Plug in your YubiKey

When you plug your YubiKey in (assuming it's newer than 2015) it should get auto-detected and show up like this: "Yubikey NEO OTP+U2F+CCID." You want it to show up as this kind of "combo" or composite device, because CCID is the mode that exposes the smart card interface GPG needs. If it's older or not in this combo mode, you may need to download the YubiKey NEO Manager and switch modes.


[Image: Setting up a YubiKey on Windows]

Test that your YubiKey can be seen as a Smart Card

Go to the command line and run this to confirm that your YubiKey can be seen as a smart card by the GPG command line.


> gpg --card-status
Reader ...........: Yubico Yubikey NEO OTP U2F CCID 0
Version ..........: 2.0
....

IMPORTANT: Sometimes Windows machines and corporate laptops have multiple smart card readers, especially if they have Windows Hello installed like my SurfaceBook2! If you hit this, you'll want to create a text file at %appdata%\gnupg\scdaemon.conf and include a reader-port line that points to your YubiKey, so scdaemon stops grabbing the Windows Hello virtual reader instead of the key. Mine is a NEO, yours might be a 4, etc, so the string will differ. You may need to reboot or at least restart/kill the GPG services/background apps (gpg-agent and scdaemon) for it to notice you made a change. If you want to know what string should go in that file, go to Device Manager, then View | Show Hidden Devices and look under Software Devices. THAT is the string you want. Put this in scdaemon.conf:


reader-port "Yubico Yubikey NEO OTP+U2F+CCID 0"

[Image: Yubico Yubikey NEO OTP+U2F+CCID 0]

The YubiKey NEO can hold RSA keys up to 2048 bits and the YubiKey 4 can hold up to 4096 bits - that's MOAR bits! However, you might find yourself with a 4096 bit key that is too big for the YubiKey NEO. Lots of folks believe this is a limitation of the NEO that sucks and is unacceptable. Since I'm using Keybase and starting with a 4096 bit primary key, one solution is to make separate 2048 bit subkeys for Authentication and Signing, etc., and put only those on the NEO while the 4096 bit primary stays off the card.


From the command line, edit your key, then run "addkey":


> gpg --edit-key scott@hanselman.com

You'll make a 2048 bit signing key and you'll want to decide if it ever expires. If it never expires, also make a revocation certificate so you can revoke it at some future point (an expiring subkey can have its date extended later, so a short expiry is the safer default).


gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all

Save your changes, and then export the keys as a backup. This is the private key, so keep the export somewhere offline and encrypted, not in the repo. You can do that with Kleopatra or with the command line:

> gpg --export-secret-keys --armor KEYID

Here's a GUI view. I have my main 4096 bit key and some 2048 bit subkeys for Signing or Encryption, etc. Make as many as you like.



LEVEL SET - It will be the public version of the 2048 bit Signing Key that we'll tell GitHub about and we'll put the private part on the YubiKey, acting as a Smart Card.


Move the signing subkey over to the YubiKey

Now I'm going to take my keychain here, select the signing subkey (note the ASTERISK after I type "key 1"), then "keytocard" to move/store it in the YubiKey's Smart Card Signature slot. I'm using my email as a way to get to my key, but if your email is used in multiple keys you'll want to use the unique key ID or fingerprint. BACK UP YOUR KEYS.


> gpg --edit-key scott@hanselman.com

gpg (GnuPG) 2.2.6; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec rsa4096/MAINKEY
created: 2015-02-09 expires: never usage: SCEA
trust: ultimate validity: ultimate
ssb rsa2048/THEKEYIDFORTHE2048BITSIGNINGKEY
created: 2015-02-09 expires: 2023-02-07 usage: S
card-no: 0006
ssb rsa2048/KEY2
created: 2015-02-09 expires: 2023-02-07 usage: E
[ultimate] (1). keybase.io/shanselman <shanselman@keybase.io>
[ultimate] (2) Scott Hanselman <scott@hanselman.com>
gpg> toggle
gpg> key 1

sec rsa4096/MAINKEY
created: 2015-02-09 expires: never usage: SCEA
trust: ultimate validity: ultimate
ssb* rsa2048/THEKEYIDFORTHE2048BITSIGNINGKEY
created: 2015-02-09 expires: 2023-02-07 usage: S
card-no: 0006
ssb rsa2048/KEY2
created: 2015-02-09 expires: 2023-02-07 usage: E
[ultimate] (1). keybase.io/shanselman <shanselman@keybase.io>
[ultimate] (2) Scott Hanselman <scott@hanselman.com>

gpg> keytocard
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
gpg> save

If you're storing things on your Smart Card, it should have a PIN to protect it. Also, make sure you have a backup of your private key (primary and subkeys) before you do this, because keytocard is a destructive action: once you "save", GPG replaces the local secret subkey with a stub that points at the card, and there is no way to read the key material back off the YubiKey. If you ever want the same signing subkey on a second YubiKey, that backup is the only way to load it.


Have you set up PIN numbers for your Smart Card?

There's a PIN and an Admin PIN. The Admin PIN is the longer one. The default Admin PIN is usually '12345678' and the default PIN is usually '123456'. Change both: with the defaults in place, anyone who picks up the key can sign as you. Three wrong PIN entries in a row block the PIN (the Admin PIN can unblock it), and three wrong Admin PIN entries lock the OpenPGP applet, so keep both somewhere safe. You'll want to set these up with either the Kleopatra GUI "Tools | Manage Smart Cards" or the gpg command line:


> gpg --card-edit
gpg/card> admin
Admin commands are allowed
gpg/card> passwd
*FOLLOW THE PROMPTS TO SET PINS, BOTH ADMIN AND STANDARD: "1" changes the PIN, "3" changes the Admin PIN (you'll be asked for the current Admin PIN first), "q" quits*

Tell Git about your Signing Key Globally

Be sure to tell Git on your machine some important configuration info like your signing key, but also WHERE the gpg.exe is. This is important because git ships its own older local copy of gpg.exe and you installed a newer one!


git config --global gpg.program "c:\Program Files (x86)\GnuPG\bin\gpg.exe"
git config --global commit.gpgsign true
git config --global user.signingkey THEKEYIDFORTHE2048BITSIGNINGKEY

If you don't want to set ALL commits to signed, you can skip the commit.gpgsign=true and just include -S as you commit your code:


git commit -S -m "your commit message"

Test that you can sign things

If you are running Kleopatra (the noob Windows GUI) when you run gpg --card-status, you'll notice the cert will turn boldface and get marked as certified. That is because gpg --card-status is what creates the local "stub" entries telling GPG that the secret subkey now lives on the card.


The goal here is for you to make sure GPG for Windows knows that there's a private key on the smart card, and associates a signing Key ID with that private key so when Git wants to sign a commit, you'll get a Smart Card PIN Prompt.


Advanced: make subkeys for individual things so that they can later be revoked without torching your main private key. Using the Kleopatra tool from GPG for Windows you can explore the keys and get their IDs. You'll use those subkey IDs as the value of user.signingkey in your git config.


At this point things should look kinda like this in the Kleopatra GUI:


[Image: Multiple PGP Sub keys]

Make sure to prove you can sign something by making a text file and signing it. If you get a Smart Card prompt (assuming a YubiKey) and a larger .gpg file appears, you're cool.


> gpg --sign .\quicktest.txt
> dir quic*

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/18/2018 3:29 PM 9 quicktest.txt
-a---- 4/18/2018 3:38 PM 360 quicktest.txt.gpg

Now, go up into GitHub to https://github.com/settings/keys at the bottom. Remember that's GPG Keys, not SSH Keys. Make a new one and paste in your public signing key or subkey. GitHub wants the armored PUBLIC key (the output of --export --armor for your key, which includes the public halves of its subkeys), never anything produced by --export-secret-keys.


Note the KeyID (or the SubKey ID) and remember that one of them (either the signing one or the primary one) should be the ID you used when you set up user.signingkey in git above.


[Image: GPG Keys in GitHub]

The most important thing is that:

  • the email address associated with the GPG Key
  • is the same as the email address GitHub has verified for you
  • is the same as the email in the Git Commit
    • git config --global user.email "email@example.com"

If not, double check your email addresses and make sure they are the same everywhere.
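Pulling the last few sections together (the git config values above and the rule that the email must match everywhere), here is an added example that is not part of the original post: it parses GPG's machine-readable listing from gpg --with-colons --list-secret-keys, picks the signing subkey whose secret half actually lives on the smart card, confirms the commit email is a UID on that key, and prints the git config commands to run. The listing, key IDs, dates and card serial number are constructed for the example. It is written for a POSIX shell (Git Bash on Windows works); on a real machine pipe the gpg output in instead of the sample.

```shell
# Added example, not from the original post: pick the on-card signing subkey
# out of GPG's machine-readable listing, check the commit e-mail is a UID on
# that key, and emit the matching git config commands. POSIX sh; works in
# Git Bash on Windows. All sample data below is constructed.
set -eu

# Constructed sample of: gpg --with-colons --list-secret-keys
# Key IDs, dates, hashes and the card serial number are made up. Colon fields
# used here: 1 record type, 5 key ID, 10 user ID, 12 capabilities,
# 15 token serial ("#" = stub with no local secret, empty = secret on disk).
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1423440000:::u:::scESCA:::#:::23::0:
fpr:::::::::00000000000000000000000000000000000000FF:
uid:u::::1423440000::HASH1::keybase.io/shanselman <shanselman@keybase.io>::::::::::0:
uid:u::::1523440000::HASH2::Scott Hanselman <scott@hanselman.com>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1423440000:1675728000:::::s:::D2760001240102000006000000060000:::23:
ssb:u:2048:1:1111222233334444:1423440000:1675728000:::::e::::::23:'

# Key IDs of secret subkeys that can sign (field 12 contains "s") and whose
# secret half lives on a token (field 15 is a serial number).
card_signing_subkeys() {
  awk -F: '$1 == "ssb" && $12 ~ /s/ && $15 != "" && $15 != "#" { print $5 }'
}

# Every e-mail address inside <...> on a uid record.
uid_emails() {
  awk -F: '$1 == "uid" && match($10, /<[^>]+>/) { print substr($10, RSTART + 1, RLENGTH - 2) }'
}

# choose_signing_key EMAIL  (listing on stdin)
# Prints the subkey ID, or explains on stderr why GitHub would show Unverified.
choose_signing_key() {
  email="$1"
  listing="$(cat)"
  subkey="$(printf '%s\n' "$listing" | card_signing_subkeys)"
  if [ -z "$subkey" ]; then
    echo "no signing subkey on a smart card; run keytocard first" >&2
    return 1
  fi
  if [ "$(printf '%s\n' "$subkey" | wc -l | tr -d ' ')" -ne 1 ]; then
    echo "more than one on-card signing subkey; pick one explicitly" >&2
    return 1
  fi
  if ! printf '%s\n' "$listing" | uid_emails | grep -qxF "$email"; then
    echo "$email is not a UID on this key; add it with adduid" >&2
    return 1
  fi
  printf '%s\n' "$subkey"
}

# git_config_commands KEYID EMAIL
# The trailing "!" pins gpg to exactly this subkey instead of letting it pick
# any signing-capable subkey of the primary.
git_config_commands() {
  printf 'git config --global user.email "%s"\n' "$2"
  printf 'git config --global user.signingkey %s!\n' "$1"
  printf 'git config --global commit.gpgsign true\n'
}

# Demo against the constructed sample. On a real machine use:
#   gpg --with-colons --list-secret-keys | choose_signing_key you@example.com
key="$(printf '%s\n' "$SAMPLE_LISTING" | choose_signing_key scott@hanselman.com)"
git_config_commands "$key" scott@hanselman.com
```

The check deliberately refuses to guess when there is no on-card signing subkey or more than one, since either case means git would sign with something other than the key you put on the YubiKey.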

Try a signed commit

If pressing enter pops a PIN Dialog then you're getting somewhere!


[Image: Please unlock the card]

Commit and push and go over to GitHub and see if your commit is Verified or Unverified. Unverified means that the commit was signed but either the commit email isn't one GitHub has verified for your account (and that appears as a UID on the key) OR you forgot to tell GitHub about your signing public key.


[Image: Signed Verified Git Commits]

Yay!

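As an added example (not from the original post), here is a way to audit every commit you are about to push rather than eyeballing the badge on GitHub afterwards. It feeds the signature status that git log --format='%H %G? %GK' reports for each commit (G good, U good but the key is not trusted, B bad, X signature expired, Y signing key expired, R signing key revoked, E cannot be checked, N unsigned) through a small awk filter and flags anything not signed by the expected subkey. The log lines, hashes and key IDs below are constructed; for real use pipe git log --format='%H %G? %GK' origin/main..HEAD into audit_signatures.

```shell
# Added example, not from the original post: audit the signature status of
# commits before pushing. Input lines are "hash status keyid", the output of
# git log --format='%H %G? %GK'. Everything below is constructed sample data.
set -eu

# Constructed sample of: git log --format='%H %G? %GK' origin/main..HEAD
# Hashes and key IDs are made up. The second line is an unsigned commit, so
# %GK is empty there.
SAMPLE_LOG='a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 G FEDCBA9876543210
b2c3d4e5f60718293a4b5c6d7e8f901234567890 N
c3d4e5f60718293a4b5c6d7e8f90123456789012 G 1111222233334444
d4e5f60718293a4b5c6d7e8f9012345678901234 E FEDCBA9876543210'

# audit_signatures ALLOWED_KEYID  (log lines on stdin)
# Prints one "shorthash reason" line per commit that should not be pushed.
# %G? codes: G good, U good/untrusted, B bad, X sig expired, Y key expired,
# R key revoked, E cannot check (key not in keyring), N no signature.
audit_signatures() {
  awk -v allowed="$1" '
    NF == 0 { next }
    {
      short = substr($1, 1, 12); st = $2; key = $3
      if (st == "N")             print short " unsigned"
      else if (st == "B")        print short " BAD signature"
      else if (st == "E")        print short " cannot verify (signing key not in local keyring)"
      else if (st ~ /^[XYR]$/)   print short " signed with expired/revoked key " key
      else if (st == "G" || st == "U") {
        if (key != allowed)      print short " signed by unexpected key " key
      }
      else                       print short " unknown status " st
    }'
}

# push_is_clean ALLOWED_KEYID  (log lines on stdin)
# Exit status 0 only when nothing was flagged, so it can gate a push in a
# script or a pre-push hook.
push_is_clean() {
  [ -z "$(audit_signatures "$1")" ]
}

# Demo against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | audit_signatures FEDCBA9876543210
```

A "G" with a key ID other than the one on the YubiKey is the case worth catching: it usually means git fell back to a signing-capable subkey still on disk, which is exactly what moving the key to the card was meant to prevent.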

Setting up a second (or third) machine

Once you've told Git about your signing key and you've got your signing key stored in your YubiKey, you'll likely want to set up on another machine.


  • Install GPG for Windows
  • Run gpg --card-status so GPG sees the card. Run it again after the next step, because GPG can only create the local stubs pointing at the card once the matching public key is in the keyring.
  • Import your public key. If I'm setting up signing on another machine, I can import my PUBLIC certificates like this or graphically in Kleopatra.

    > gpg --import "keybase public key.asc"
    gpg: key *KEYID*: "keybase.io/shanselman <shanselman@keybase.io>" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1

    You may also want to run gpg --expert --edit-key *KEYID* and type "trust" to set the owner trust on your own key to ultimate, so GPG stops warning that the key is untrusted.
  • Install Git (I assume you did this) and configure GPG
    • git config --global gpg.program "c:\Program Files (x86)\GnuPG\bin\gpg.exe"
    • git config --global commit.gpgsign true
    • git config --global user.signingkey THEKEYIDFORTHE2048BITSIGNINGKEY
  • Sign something with "gpg --sign" to test
  • Do a test commit.

Finally, feel superior for 8 minutes, then realize you're really just lucky because you just followed the blog post of someone who ALSO has no clue, then go help a co-worker because this is TOO HARD.


Translated from: https://www.hanselman.com/blog/how-to-setup-signed-git-commits-with-a-yubikey-neo-and-gpg-and-keybase-on-windows
