====== gpg-agent forwarding ======

Search tags: ''pgp'' ''gpg'' ''remote'' ''gpg-agent'' ''gpg-agent forwarding''.

Source:
  * [[https://mlohr.com/gpg-agent-forwarding/|GPG Agent Forwarding by Matthias Lohr]]
  * [[https://wiki.gnupg.org/AgentForwarding|Forwarding gpg-agent to a remote system over SSH]]

===== local machine =====

Ensure ''gpg-agent'' is running:
<file bash ~/.bashrc>
# Launch gpg-agent if not started
export GPG_TTY="$(tty)"
gpgconf --launch gpg-agent
</file>

Public and secret key must be present on local machine
<code bash>
gpg --import usert@example.com-public.asc
gpg --import usert@example.com-secret.asc
</code>

Get ''gpg-agent'' socket paths on local and **remote** machines:
<code bash>
$ gpgconf --list-dirs agent-extra-socket
/run/user/1000/gnupg/S.gpg-agent.extra
</code>

<code bash>
$ ssh remote gpgconf --list-dirs agent-socket
/run/user/1000/gnupg/S.gpg-agent
</code>

Edit SSH user configuration and add sockets forwarding for remote host:
<file config ~/.ssh/config>
Host remote
  RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra
</file>

===== remote machine =====

Public key must be imported on remote machine:

<code bash>
gpg --import usert@example.com-public.asc

gpg: key XXXXXXXXXXXXX: public key "User <user@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
</code>


Modify ssh server configuration to enable automatic removal of stale sockets when connecting to the remote machine:
<file config /etc/ssh/sshd_config>
StreamLocalBindUnlink yes
</file>

and restart sshd: <code bash>systemctl restart ssh</code>


===== usage =====

On remote machine:
<code bash>
gpg --list-secret-keys
</code>

Sign message:
<code bash>
echo TEXT | gpg -s
</code>

===== Issues =====

''gpg: signing failed: Inappropriate ioctl for device''

<code bash>
gpg-agent[2022]: command 'SCD' failed: Forbidden
gpg-agent[2022]: command 'KEYINFO' failed: Forbidden
gpg-agent[3881]: No $DBUS_SESSION_BUS_ADDRESS found, falling back to curses
gpg-agent[3881]: Failed to lookup password for key n/63B10EA3FEB8F818AEC11B943DFF4F7A33E4624D with secret service: Cannot autolaunch D-Bus without X11 $DISPLAY
gpg-agent[2022]: failed to unprotect the secret key: Inappropriate ioctl for device
gpg-agent[2022]: failed to read the secret key
gpg-agent[2022]: command 'PKSIGN' failed: Inappropriate ioctl for device <Pinentry>
</code>

Problem with displaying password prompt.
Solution (exec on host)
<code bash>
echo "UPDATESTARTUPTTY" | gpg-connect-agent > /dev/null 2>&1
</code>