I want to sign my git commits with YubiKeys. For backup reasons I have two, with a different key on each one. Now I want to sign my commits with the keys on the YubiKey. Adding multiple keys to the web GUI does not seem to be a problem, but I have issues adding multiple signing keys to my git config.
Is it possible to assign one profile two or more possible signing keys, so that if YubiKey A is attached it signs with that key, but with the other one if YubiKey B is attached?
I use `gpg.ssh.defaultKeyCommand`. As per `man git-config`:
gpg.ssh.defaultKeyCommand
This command will be run when user.signingkey is not set and a ssh
signature is requested. On successful exit a valid ssh public key
prefixed with key:: is expected in the first line of its output.
This allows for a script doing a dynamic lookup of the correct
public key when it is impractical to statically configure
user.signingKey. For example when keys or SSH Certificates are
rotated frequently or selection of the right key depends on
external factors unknown to git.
My script looks something like this:
```sh
#!/bin/sh
# Pick the SSH public key matching whichever YubiKey is currently plugged in.
# Replace <serial_A>/<serial_B> with the serials printed by `ykman list -s`.
for serial in $(ykman list -s); do
    if [ "$serial" = "<serial_A>" ]; then
        echo "key::$(cat ~/.ssh/id_key_A.pub)"
        exit 0
    elif [ "$serial" = "<serial_B>" ]; then
        echo "key::$(cat ~/.ssh/id_key_B.pub)"
        exit 0
    fi
done
echo "error: couldn't find available Yubikey!" 1>&2
exit 1
```
Note that it requires two things:
1. a running ssh-agent, otherwise it fails with `error: Couldn't get agent socket?`
2. the key added (via `ssh-add`) to the agent, otherwise it fails with `error: Couldn't find key in agent?`