如何在远程服务器上使用 gpg 签名密钥？

Question

Is there a way of using gpg key in a remote server for signing by gpg program(command line tool) on linux?

I am using gpg for signing binaries on localhost with test keys. Now I want to use the same type of keys accessed by a server. I am looking for a realization just by changing the gpg tool's arguments.

Answer 1

You can do this with OpenSSH>=6.7 and GnuPG>=2.1.1

OpenSSH 6.7 introduced unix socket forwarding which will used to forward the gpg-agent socket. And GnuPG 2.1 got rid of the secring.gpg delegating private key management to gpg-agent . This avoids having to keep the private key on the remote machine.

First you'll want to set up an extra-socket on the local client. Add this line to your gpg-agent.conf

extra-socket /path/to/extra-socket

Restart your gpg-agent

pkill gpg-agent
gpg-connect-agent /bye

Open an ssh connection to the remote server and forward the servers gpg-agent socket back to the client (make sure gpg-agent isn`t already running on the remote)

ssh -R ${GNUPGHOME:-~/.gnupg}/S.gpg-agent:/path/to/extra-socket remote-server

Note: GNUPGHOME refers to the home folder of gnupg on the remote . If it is different from the local GNUPGHOME , you'll have to adapt this.

You should now be able to sign/encrypt on the remote server, provided it has your public key in the keyring.

Note: You may need to add a graphical pinentry (qt,gtk) to your clients gpg-agent.conf , I'm not sure the curses one will work.

By default, OpenSSH will not remove the the forwarded socket on the server upon closing the connection. This will prevent OpenSSH to create the socket during the next connection. If you have access to the servers sshd_config you may add the following line

StreamLocalBindUnlink yes

or remove it in you logout script ( .zlogout , .bash_logout , ...)

rm ${GNUPGHOME:-~/gnupg}/S.gpg-agent

Further information can be found on this GnuPG wiki page. https://wiki.gnupg.org/AgentForwarding