feat: Yubikey smartcard setup

dot_gitconfig.tmpl

@@ -1,7 +1,7 @@
 [user]
 	email = {{ .email }}
 	name = {{ .name }}
-	signingkey = {{ .chezmoi.homeDir }}/.ssh/id_ed25519
+	signingkey = 1A80DDB584AF7DA7
 [core]
 	autocrlf = input
         pager = delta
@@ -42,8 +42,6 @@
 	helper = keepassxc
 [push]
 	autoSetupRemote = true
-[gpg]
-	format = ssh
 [filter "lfs"]
 	clean = git-lfs clean -- %f
 	smudge = git-lfs smudge -- %f

dot_zshrc.tmpl

@@ -19,6 +19,11 @@ export PATH="$PATH:/opt/homebrew/bin"
 # scripts from ~/bin
 export PATH="$PATH:$HOME/.local/bin"
 
+# export PINENTRY_USER_DATA="USE_CURSES=1"
+export GPG_TTY="$(tty)"
+export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+gpgconf --launch gpg-agent
+
 macchina
 
 # Cargo env

private_dot_gnupg/gpg-agent.conf

@@ -0,0 +1,14 @@
+# https://github.com/drduh/config/blob/master/gpg-agent.conf
+# https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
+enable-ssh-support
+ttyname $GPG_TTY
+default-cache-ttl 60
+max-cache-ttl 120
+#pinentry-program /usr/bin/pinentry-curses
+#pinentry-program /usr/bin/pinentry-tty
+#pinentry-program /usr/bin/pinentry-gtk-2
+#pinentry-program /usr/bin/pinentry-x11
+#pinentry-program /usr/bin/pinentry-qt
+#pinentry-program /usr/local/bin/pinentry-curses
+#pinentry-program /usr/local/bin/pinentry-mac
+pinentry-program /opt/homebrew/bin/pinentry-mac

private_dot_gnupg/gpg.conf

@@ -0,0 +1,62 @@
+# https://github.com/drduh/config/blob/master/gpg.conf
+# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html
+# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html
+# 'gpg --version' to get capabilities
+# Use AES256, 192, or 128 as cipher
+personal-cipher-preferences AES256 AES192 AES
+# Use SHA512, 384, or 256 as digest
+personal-digest-preferences SHA512 SHA384 SHA256
+# Use ZLIB, BZIP2, ZIP, or no compression
+personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
+# Default preferences for new keys
+default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
+# SHA512 as digest to sign keys
+cert-digest-algo SHA512
+# SHA512 as digest for symmetric ops
+s2k-digest-algo SHA512
+# AES256 as cipher for symmetric ops
+s2k-cipher-algo AES256
+# UTF-8 support for compatibility
+charset utf-8
+# Show Unix timestamps
+fixed-list-mode
+# No comments in signature
+no-comments
+# No version in output
+no-emit-version
+# Disable banner
+no-greeting
+# Long hexidecimal key format
+keyid-format 0xlong
+# Display UID validity
+list-options show-uid-validity
+verify-options show-uid-validity
+# Display all keys and their fingerprints
+with-fingerprint
+# Display key origins and updates
+#with-key-origin
+# Cross-certify subkeys are present and valid
+require-cross-certification
+# Disable caching of passphrase for symmetrical ops
+no-symkey-cache
+# Enable smartcard
+use-agent
+# Disable recipient key ID in messages
+throw-keyids
+# Default/trusted key ID to use (helpful with throw-keyids)
+#default-key 0xFF3E7D88647EBCDB
+#trusted-key 0xFF3E7D88647EBCDB
+# Group recipient keys (preferred ID last)
+#group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB
+# Keyserver URL
+#keyserver hkps://keys.openpgp.org
+#keyserver hkps://keyserver.ubuntu.com:443
+#keyserver hkps://hkps.pool.sks-keyservers.net
+#keyserver hkps://pgp.ocf.berkeley.edu
+# Proxy to use for keyservers
+#keyserver-options http-proxy=http://127.0.0.1:8118
+#keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
+# Verbose output
+#verbose
+# Show expired subkeys
+#list-options show-unusable-subkeys