Table of Contents

gpg-agent forwarding

Search tags: pgp gpg remote gpg-agent gpg-agent forwarding.

Source:

local machine

Ensure gpg-agent is running:

~/.bashrc
# Launch gpg-agent if not started
export GPG_TTY="$(tty)"
gpgconf --launch gpg-agent

Public and secret key must be present on local machine

gpg --import usert@example.com-public.asc
gpg --import usert@example.com-secret.asc

Get gpg-agent socket paths on local and remote machines:

$ gpgconf --list-dirs agent-extra-socket
/run/user/1000/gnupg/S.gpg-agent.extra
$ ssh remote gpgconf --list-dirs agent-socket
/run/user/1000/gnupg/S.gpg-agent

Edit SSH user configuration and add sockets forwarding for remote host:

~/.ssh/config
Host remote
  RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra

remote machine

Public key must be imported on remote machine:

gpg --import usert@example.com-public.asc
 
gpg: key XXXXXXXXXXXXX: public key "User <user@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Modify ssh server configuration to enable automatic removal of stale sockets when connecting to the remote machine:

/etc/ssh/sshd_config
StreamLocalBindUnlink yes

and restart sshd:

systemctl restart ssh

usage

On remote machine:

gpg --list-secret-keys

Sign message:

echo TEXT | gpg -s

Issues

gpg: signing failed: Inappropriate ioctl for device

gpg-agent[2022]: command 'SCD' failed: Forbidden
gpg-agent[2022]: command 'KEYINFO' failed: Forbidden
gpg-agent[3881]: No $DBUS_SESSION_BUS_ADDRESS found, falling back to curses
gpg-agent[3881]: Failed to lookup password for key n/63B10EA3FEB8F818AEC11B943DFF4F7A33E4624D with secret service: Cannot autolaunch D-Bus without X11 $DISPLAY
gpg-agent[2022]: failed to unprotect the secret key: Inappropriate ioctl for device
gpg-agent[2022]: failed to read the secret key
gpg-agent[2022]: command 'PKSIGN' failed: Inappropriate ioctl for device <Pinentry>

Problem with displaying password prompt. Solution (exec on host)

echo "UPDATESTARTUPTTY" | gpg-connect-agent > /dev/null 2>&1