YubiKeys
Created: June 29, 2022
Require a physical button press
ykman openpgp set-touch enc on
ykman openpgp set-touch aut on
ykman openpgp set-touch sig on
Disable OTP for USB
ykman config usb -d OTP
Set the PIN retry counters (PIN, Reset Code, Admin PIN) to 10 each:
ykman openpgp access set-retries 10 10 10
CLI
Set up YubiKey PGP on a new workstation
Import the public key:
gpg --import PUBLIC_KEY
Get the key ID:
gpg --list-keys
Check Git user.signingkey:
git config --list
Set user.signingkey:
git config --global user.signingkey KEY_ID
Ensure there is a line in ~/.gnupg/gpg.conf that matches:
trusted-key KEY_ID
Sometimes you need to pull the YubiKey out of the USB port and put it back in.
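The setup steps above as one script, added here as an example and not part of the original notes. It compares the key file's fingerprint with one obtained out of band before importing, then sets user.signingkey and adds the trusted-key line only if it is missing. The function names and the expected-fingerprint argument are assumptions.

```sh
#!/bin/sh
# Added example (not from the original notes); function names are hypothetical.

# Read `gpg --with-colons` output on stdin and print "<long key ID> <fingerprint>"
# for the first primary key: pub record field 5, then the next fpr record field 10.
primary_key_ids() {
    awk -F: '
        $1 == "pub" && id == "" { id = $5; next }
        id != "" && $1 == "fpr" { print id, $10; exit }
    '
}

# Append "trusted-key KEY_ID" to CONF unless that exact line is already there.
ensure_trusted_key() {
    conf=$1; key_id=$2
    [ -f "$conf" ] || : > "$conf"
    if grep -qxF "trusted-key $key_id" "$conf"; then return 0; fi
    # Do not glue the new option onto an unterminated last line.
    if [ -n "$(tail -c 1 "$conf")" ]; then echo >> "$conf"; fi
    printf 'trusted-key %s\n' "$key_id" >> "$conf"
}

# Usage: setup_workstation PUBLIC_KEY EXPECTED_FINGERPRINT
# Refuses to import or trust the key unless the file's primary key matches the
# fingerprint obtained out of band (assumption: you have one to compare against).
setup_workstation() {
    pubkey=$1; expected=$2
    ids=$(gpg --show-keys --with-colons "$pubkey" | primary_key_ids)
    key_id=${ids%% *}; fpr=${ids##* }
    if [ -z "$ids" ] || [ "$fpr" != "$expected" ]; then
        echo "fingerprint mismatch: got '$fpr', expected '$expected'" >&2
        return 1
    fi
    gpg --import "$pubkey"
    git config --global user.signingkey "$key_id"
    ensure_trusted_key "${GNUPGHOME:-$HOME/.gnupg}/gpg.conf" "$key_id"
}

# Run only when called as: script PUBLIC_KEY EXPECTED_FINGERPRINT
if [ "$#" -eq 2 ]; then setup_workstation "$1" "$2"; fi
```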
Fedora note
If the YubiKey stops working:
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
Use:
systemctl restart pcscd
pkill scdaemon
Source: Fedora forums