  1. #!/bin/bash
  2.  
  3. set -euo pipefail
  4.  
  5. GNUPGHOME=$(mktemp -d)
  6.  
#######################################
# EXIT trap: print (NOT run) the command that would remove the temporary
# keyring, then stop the gpg-agent that was started against it.
# NOTE(review): because the rm is only echoed, $GNUPGHOME -- which still holds
# the passphrase-less primary secret key after the subkeys have been moved to
# the card -- stays behind in the temp directory. Presumably deliberate so the
# primary key can be backed up; confirm, and either delete it or move it to
# offline storage once the backup is done.
# Globals:   GNUPGHOME (read)
# Outputs:   the rm command line on stdout
#######################################
cleanup() {
  printf 'rm -rf %s\n' "$GNUPGHOME"
  # killall fails when no agent is running; that is not an error here.
  killall gpg-agent || true
}

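trap cleanup EXIT

# A running gpg-agent is bound to the home it was started with, so stop any
# existing agent and let gpg start a fresh one for the temporary home.
echo "Killing any gpg-agent processes"
killall gpg-agent || :

export GNUPGHOME

#######################################
# Prompt for a value unless the named variable is already set and non-empty,
# so every input can also be supplied via the environment.
# Arguments: $1 - variable name to fill, $2 - prompt text
# Outputs:   the prompt on stdout; the answer is stored in the named variable
#######################################
ask() {
  local name=$1 prompt=$2
  if [ -z "${!name:-}" ]; then
    printf '%s' "$prompt"
    read -r "$name"
  fi
}

#######################################
# Like ask(), but for a secret: terminal echo is turned off so the PIN does not
# end up on screen or in scrollback, and it is entered twice because a typo
# would otherwise be burned into the card unnoticed. A value supplied through
# the environment is taken as-is.
# Arguments: $1 - variable name to fill, $2 - prompt text
# Returns:   1 if the two entries differ (fatal under set -e)
#######################################
ask_secret() {
  local name=$1 prompt=$2 again
  if [ -z "${!name:-}" ]; then
    printf '%s' "$prompt"
    read -rs "$name"
    printf '\n'
    printf '%s' "Repeat it: "
    read -rs again
    printf '\n'
    if [ "${!name}" != "$again" ]; then
      echo "The two entries did not match" >&2
      return 1
    fi
  fi
}

ask GIVENNAME "Enter your given name: "
ask SURNAME "Enter your surname: "
ask EMAILADDRESS "Enter your email address: "
ask KEYSIZE "Enter your desired key size (2048 for Yubikey NEO, 4096 otherwise): "
ask_secret USER_PIN "Choose a user PIN (6-127 chars). You will use this a lot: "
ask_secret ADMIN_PIN "Choose an admin PIN (8-127 chars). Used (hopefully rarely) for unlocking the user PIN: "

# Validate before any key material or card state is touched: KEYSIZE is
# spliced into the expect dialogs as a number (a bad value would only surface
# as a silent expect timeout), and the PIN lengths are the limits the prompts
# above promise.
case $KEYSIZE in
  ''|*[!0-9]*)
    echo "KEYSIZE must be a number of bits, got '$KEYSIZE'" >&2
    exit 1
    ;;
esac
if [ "${#USER_PIN}" -lt 6 ] || [ "${#USER_PIN}" -gt 127 ]; then
  echo "User PIN must be 6-127 characters" >&2
  exit 1
fi
if [ "${#ADMIN_PIN}" -lt 8 ] || [ "${#ADMIN_PIN}" -gt 127 ]; then
  echo "Admin PIN must be 8-127 characters" >&2
  exit 1
fi

# Key comment recorded in the user ID; gdate is GNU date from coreutils (macOS).
KEYCOMMENT="Yubikey $(gdate +%Y%m%d)"
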
  46. cat << EOF > "$GNUPGHOME/gpg.conf"
  47. use-agent
  48. personal-cipher-preferences AES256 AES192 AES CAST5
  49. personal-digest-preferences SHA512 SHA384 SHA256 SHA224
  50. default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
  51. cert-digest-algo SHA512
  52. s2k-digest-algo SHA512
  53. s2k-cipher-algo AES256
  54. charset utf-8
  55. fixed-list-mode
  56. no-comments
  57. no-emit-version
  58. keyid-format 0xlong
  59. list-options show-uid-validity
  60. verify-options show-uid-validity
  61. with-fingerprint
  62. EOF
  63.  
  64. cat << EOF > "$GNUPGHOME/gpg-agent.conf"
  65. pinentry-program /usr/local/bin/pinentry-tty
  66. default-cache-ttl 60
  67. max-cache-ttl 120
  68. EOF
  69.  
  70. echo | REALNAME="$GIVENNAME $SURNAME" EMAILADDRESS=$EMAILADDRESS KEYSIZE=$KEYSIZE KEYCOMMENT=$KEYCOMMENT expect <<"EOF"
  71. set realname $env(REALNAME)
  72. set email $env(EMAILADDRESS)
  73. set comment $env(KEYCOMMENT)
  74. set keysize $env(KEYSIZE)
  75.  
  76. set timeout 1
  77. spawn gpg --full-generate-key
  78. expect "(4) RSA (sign only)"
  79. expect "Your selection?"
  80. send "4\r"
  81. expect "What keysize do you want? (2048)"
  82. send "$keysize\r"
  83. expect "Key is valid for?"
  84. send "0\r"
  85. expect "Is this correct? (y/N)"
  86. send "y\r"
  87. expect "Real name: "
  88. send "$realname\r"
  89. expect "Email address: "
  90. send "$email\r"
  91. expect "Comment: "
  92. send "$comment\r"
  93. expect "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?"
  94. send "O\r"
  95. expect "Please enter the passphrase to"
  96. expect "Passphrase:"
  97. sleep 0.5
  98. send "\r"
  99. expect "Repeat:"
  100. sleep 0.5
  101. send "\r"
  102. expect "You have not entered a passphrase - this is in general a bad idea!"
  103. expect "Please confirm that you do not want to have any protection on your key"
  104. expect "es, protection is not needed"
  105. sleep 0.5
  106. set timeout 20
  107. send "y"
  108. expect "public and secret key created and signed"
  109. expect "pub rsa$keysize"
  110. set timeout 1
  111. wait
  112. EOF
  113.  
  114. echo "Keys generated!"
  115. KEYID=$(gpg --list-keys|sed -ne '/Key fingerprint =/s/Key fingerprint =//p'|tr -d \ )
  116. echo "Key ID is $KEYID"
  117.  
  118. echo | KEYID=$KEYID KEYSIZE=$KEYSIZE expect <<"EOF"
  119. set keyid $env(KEYID)
  120. set keysize $env(KEYSIZE)
  121.  
  122. set timeout 1
  123. spawn gpg --expert --edit-key $keyid
  124. expect "gpg>"
  125. send "addkey\r"
  126. expect "(4) RSA (sign only)"
  127. send "4\r"
  128. expect "What keysize do you want?"
  129. send "$keysize\r"
  130. expect "Key is valid for?"
  131. send "0\r"
  132. expect "Is this correct? (y/N)"
  133. send "y\r"
  134. expect "Really create? (y/N)"
  135. send "y\r"
  136. expect "Please enter the passphrase to"
  137. expect "Passphrase:"
  138. sleep 0.5
  139. send "\r"
  140. expect "Repeat:"
  141. sleep 0.5
  142. send "\r"
  143. expect "You have not entered a passphrase - this is in general a bad idea!"
  144. expect "Please confirm that you do not want to have any protection on your key"
  145. expect "es, protection is not needed"
  146. sleep 0.5
  147. set timeout 20
  148. send "y"
  149. expect "ssb rsa$keysize"
  150. set timeout 1
  151. expect "usage: S"
  152. expect "gpg>"
  153. send "addkey\r"
  154. expect "(6) RSA (encrypt only)"
  155. send "6\r"
  156. expect "What keysize do you want?"
  157. send "$keysize\r"
  158. expect "Key is valid for?"
  159. send "0\r"
  160. expect "Is this correct? (y/N)"
  161. send "y\r"
  162. expect "Really create? (y/N)"
  163. send "y\r"
  164. expect "Please enter the passphrase to"
  165. expect "Passphrase:"
  166. sleep 0.5
  167. send "\r"
  168. expect "Repeat:"
  169. sleep 0.5
  170. send "\r"
  171. expect "You have not entered a passphrase - this is in general a bad idea!"
  172. expect "Please confirm that you do not want to have any protection on your key"
  173. expect "es, protection is not needed"
  174. sleep 0.5
  175. set timeout 20
  176. send "y"
  177. expect "ssb rsa$keysize"
  178. set timeout 1
  179. expect "usage: E"
  180. expect "gpg>"
  181. send "addkey\r"
  182. expect "(8) RSA (set your own capabilities)"
  183. send "8\r"
  184. expect "Current allowed actions: Sign Encrypt"
  185. expect "(S) Toggle the sign capability"
  186. expect "Your selection?"
  187. send "S\r"
  188. expect "Current allowed actions: Encrypt"
  189. expect "(E) Toggle the encrypt capability"
  190. expect "Your selection?"
  191. send "E\r"
  192. expect "Current allowed actions:"
  193. expect "(A) Toggle the authenticate capability"
  194. expect "Your selection?"
  195. send "A\r"
  196. expect "Current allowed actions: Authenticate"
  197. expect "(Q) Finished"
  198. expect "Your selection?"
  199. send "Q\r"
  200. expect "What keysize do you want?"
  201. send "$keysize\r"
  202. expect "Key is valid for?"
  203. send "0\r"
  204. expect "Is this correct? (y/N)"
  205. send "y\r"
  206. expect "Really create? (y/N)"
  207. send "y\r"
  208. expect "Please enter the passphrase to"
  209. expect "Passphrase:"
  210. sleep 0.5
  211. send "\r"
  212. expect "Repeat:"
  213. sleep 0.5
  214. send "\r"
  215. expect "You have not entered a passphrase - this is in general a bad idea!"
  216. expect "Please confirm that you do not want to have any protection on your key"
  217. expect "es, protection is not needed"
  218. sleep 0.5
  219. set timeout 20
  220. send "y"
  221. expect "gpg> "
  222. set timeout 1
  223. send "save\r"
  224. sleep 3
  225. EOF
  226.  
# Let the user eyeball the key with hokey (hopenpgp-tools) before anything is
# written to the card. The two warnings called out here are expected: the keys
# deliberately have no expiry, and the cross-certification complaint concerns
# the authentication subkey. Anything else should stop the run.
printf '\n'
echo "Running hokey against the generated keys to check they are OK"
echo "It won't like the fact that our keys don't expire, but you can ignore that"
echo "It also won't like the lack of cross-certification for the authentication key but this is a false alarm"

gpg --export "$KEYID" | hokey lint
printf '%s' "Does everything look OK? (y/n) "
read -r yesno
case "$yesno" in
  y) ;;
  *) exit 1 ;;
esac

printf '%s' "Insert your Yubikey and press enter"
read -r

# The OpenPGP applet is only reachable over CCID, so make sure the key's
# connection mode includes it; ykman asks for confirmation before switching.
if ! ykman mode | grep -qF 'Current connection mode is: OTP+FIDO+CCID'; then
  echo "You will need to say yes to the prompt from ykman"
  ykman mode OTP+FIDO+CCID
fi

  245. echo | USER_PIN=$USER_PIN ADMIN_PIN=$ADMIN_PIN GIVENNAME=$GIVENNAME SURNAME=$SURNAME EMAILADDRESS=$EMAILADDRESS expect <<"EOF"
  246. set user_pin $env(USER_PIN)
  247. set admin_pin $env(ADMIN_PIN)
  248. set givenname $env(GIVENNAME)
  249. set surname $env(SURNAME)
  250. set email $env(EMAILADDRESS)
  251.  
  252. set timeout 1
  253. spawn gpg --card-edit
  254. expect "gpg/card> "
  255. send "admin\r"
  256. expect "Admin commands are allowed"
  257. expect "gpg/card> "
  258. send "passwd\r"
  259. expect "3 - change Admin PIN"
  260. expect "Your selection? "
  261. send "3\r"
  262. expect "Please enter the Admin PIN"
  263. expect "Admin PIN: "
  264. sleep 0.5
  265. send "12345678\r"
  266. expect "New Admin PIN"
  267. expect "Admin PIN: "
  268. sleep 0.5
  269. send "$admin_pin\r"
  270. expect "Repeat this PIN"
  271. expect "Admin PIN: "
  272. sleep 0.5
  273. send "$admin_pin\r"
  274. expect "PIN changed."
  275. expect "1 - change PIN"
  276. expect "Your selection? "
  277. send "1\r"
  278. expect "Please enter the PIN"
  279. expect "PIN: "
  280. sleep 0.5
  281. send "123456\r"
  282. expect "New PIN"
  283. expect "PIN: "
  284. sleep 0.5
  285. send "$user_pin\r"
  286. expect "Repeat this PIN"
  287. expect "PIN: "
  288. sleep 0.5
  289. send "$user_pin\r"
  290. expect "PIN changed."
  291. expect "Q - quit"
  292. expect "Your selection? "
  293. send "Q\r"
  294. expect "gpg/card> "
  295. send "name\r"
  296. expect "Cardholder's surname:"
  297. send "$surname\r"
  298. expect "Cardholder's given name:"
  299. send "$givenname\r"
  300. expect "Please enter the Admin PIN"
  301. expect "Admin PIN: "
  302. sleep 0.5
  303. send "$admin_pin\r"
  304. expect "gpg/card>"
  305. send "lang\r"
  306. expect "Language preferences:"
  307. send "en\r"
  308. expect "gpg/card>"
  309. send "login\r"
  310. expect "Login data (account name):"
  311. send "$email\r"
  312. expect "gpg/card>"
  313. send "\r"
  314. expect "General key info"
  315. expect "gpg/card>"
  316. send "quit\r"
  317. sleep 3
  318. EOF
  319.  
  320. echo | KEYSIZE=$KEYSIZE KEYID=$KEYID ADMIN_PIN=$ADMIN_PIN expect <<"EOF"
  321. set keysize $env(KEYSIZE)
  322. set keyid $env(KEYID)
  323. set admin_pin $env(ADMIN_PIN)
  324.  
  325. set timeout 1
  326. spawn gpg --edit-key $keyid
  327. expect "ssb rsa$keysize"
  328. expect "gpg>"
  329. send "key 1\r"
  330. expect "ssb* rsa$keysize"
  331. expect "ssb rsa$keysize"
  332. expect "ssb rsa$keysize"
  333. expect "gpg>"
  334. send "keytocard\r"
  335. expect "Please select where to store the key:"
  336. expect "(1) Signature key"
  337. expect "Your selection?"
  338. send "1\r"
  339. expect "Please enter the Admin PIN"
  340. expect "Admin PIN: "
  341. sleep 0.5
  342. send "$admin_pin\r"
  343. expect "ssb* rsa$keysize"
  344. expect "ssb rsa$keysize"
  345. expect "ssb rsa$keysize"
  346. expect "gpg>"
  347. send "key 1\r"
  348. expect "ssb rsa$keysize"
  349. expect "ssb rsa$keysize"
  350. expect "ssb rsa$keysize"
  351. expect "gpg>"
  352. send "key 2\r"
  353. expect "ssb rsa$keysize"
  354. expect "ssb* rsa$keysize"
  355. expect "ssb rsa$keysize"
  356. expect "gpg>"
  357. send "keytocard\r"
  358. expect "Please select where to store the key:"
  359. expect "(2) Encryption key"
  360. expect "Your selection?"
  361. send "2\r"
  362. expect "Please enter the Admin PIN"
  363. expect "Admin PIN: "
  364. sleep 0.5
  365. send "$admin_pin\r"
  366. expect "ssb rsa$keysize"
  367. expect "ssb* rsa$keysize"
  368. expect "ssb rsa$keysize"
  369. expect "gpg>"
  370. send "key 2\r"
  371. expect "ssb rsa$keysize"
  372. expect "ssb rsa$keysize"
  373. expect "ssb rsa$keysize"
  374. expect "gpg>"
  375. send "key 3\r"
  376. expect "ssb rsa$keysize"
  377. expect "ssb rsa$keysize"
  378. expect "ssb* rsa$keysize"
  379. expect "gpg>"
  380. send "keytocard\r"
  381. expect "Please select where to store the key:"
  382. expect "(3) Authentication key"
  383. expect "Your selection?"
  384. send "3\r"
  385. expect "Please enter the Admin PIN"
  386. expect "Admin PIN: "
  387. sleep 0.5
  388. send "$admin_pin\r"
  389. expect "ssb rsa$keysize"
  390. expect "ssb rsa$keysize"
  391. expect "ssb* rsa$keysize"
  392. expect "gpg>"
  393. send "save\r"
  394. sleep 3
  395. EOF
  396.  
# Sanity check: gpg marks card-resident subkeys with "ssb>" in the secret-key
# listing, and all three subkeys must have made it onto the card. grep -c
# still prints "0" (and exits non-zero) when nothing matches, hence the "|| :".
card_subkeys=$(gpg --list-secret-keys | grep -c '^ssb>') || :
if [ "$card_subkeys" -ne 3 ]; then
  echo "Unexpected output from 'gpg --list-secret-keys':"
  gpg --list-secret-keys
  exit 1
fi

# Export the public key (ASCII-armoured) for import into the real keyring
# and try to publish it; a keyserver failure is reported but not fatal.
gpg --armor --export "$KEYID" > ~/"gpg-$KEYID.txt"
echo "Exported public key to ~/gpg-$KEYID.txt"
echo "Sending key to keyserver"
gpg --send-key "$KEYID" \
  || echo "WARNING: Failed to send key to keyserver - run gpg --send-key $KEYID manually" >&2

  410. GNUPGHOME= gpg --import ~/"gpg-$KEYID.txt"
  411. echo "Killing any gpg-agent processes"
  412. killall gpg-agent || :
  413.  
  414. echo -n "Unplug your Yubkey, re-insert it and press Enter"
  415. read -r
  416.  
  417. [ ! -f ~/.gnupg/gpg.conf ] || mv -v ~/.gnupg/gpg.conf ~/.gnupg/gpg.conf.$(gdate +%s)
  418.  
  419. echo "Generating new ~/.gnupg/gpg.conf"
  420.  
  421. restore_umask=$(umask -p)
  422. umask=077
  423. cat << EOF > ~/.gnupg/gpg.conf
  424. auto-key-locate keyserver
  425. keyserver hkps://hkps.pool.sks-keyservers.net
  426. keyserver-options no-honor-keyserver-url
  427. personal-cipher-preferences AES256 AES192 AES CAST5
  428. personal-digest-preferences SHA512 SHA384 SHA256 SHA224
  429. default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
  430. cert-digest-algo SHA512
  431. s2k-cipher-algo AES256
  432. s2k-digest-algo SHA512
  433. charset utf-8
  434. fixed-list-mode
  435. no-comments
  436. no-emit-version
  437. keyid-format 0xlong
  438. list-options show-uid-validity
  439. verify-options show-uid-validity
  440. with-fingerprint
  441. use-agent
  442. require-cross-certification
  443. EOF
  444. $restore_umask
  445.  
  446. [ ! -f ~/.gnupg/gpg-agent.conf ] || mv -v ~/.gnupg/gpg-agent.conf ~/.gnupg/gpg-agent.conf.$(gdate +%s)
  447.  
  448. echo "Generating new ~/.gnupg/gpg-agent.conf"
  449.  
  450. cat << EOF > ~/.gnupg/gpg-agent.conf
  451. enable-ssh-support
  452. pinentry-program /usr/local/bin/pinentry-mac
  453. default-cache-ttl 60
  454. max-cache-ttl 120
  455. EOF
  456.  
  457. GNUPGHOME= gpg --card-status
  458. GNUPGHOME= gpg --list-secret-keys
  459.  
  460. echo | KEYID=$KEYID expect <<"EOF"
  461. set keyid $env(KEYID)
  462.  
  463. set timeout 1
  464. spawn gpg --edit-key $keyid
  465. expect "Secret key is available."
  466. expect "gpg>"
  467. send "trust\r"
  468. expect "Please decide how far you trust this user"
  469. expect "5 = I trust ultimately"
  470. expect "Your decision? "
  471. send "5\r"
  472. expect "Do you really want to set this key to ultimate trust? (y/N) "
  473. send "y\r"
  474. expect "trust: ultimate"
  475. expect "gpg>"
  476. send "quit\r"
  477. sleep 3
  478. EOF