sudo apt-get install texinfo transfig bison flex libbz2-dev libsqlite3-dev libgnutls28-dev pkg-config libusb-1.0-0-dev

# GIT
scripts/prepare.sh
scripts/compile.sh

# Production
scripts/build.sh

Notes
=====
Known problems (the same ones described at the link below): no remote pinentry over a forwarded socket, and the forwarded socket file is not deleted when the session ends
https://www.isi.edu/~calvin/gpgagent.htm

Make yubikey recognized
=======================
# Vendor ID 1050 is Yubico. MODE 0666 makes the device usable by every local user;
# TAG+="uaccess" (systemd-logind) or GROUP="plugdev", MODE:="0660" limits it to the
# logged-in user or a group.
echo 'SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", MODE:="0666"' | sudo tee /etc/udev/rules.d/yubikey.rules
sudo udevadm control --reload-rules

Yubikey Setup
=============

# Copy Backup file
cp .gnupg.backup/* .gnupg/

# Set the retry counters to 5. Needs the admin PIN (factory default 12345678).
# First APDU: VERIFY PW3 with "12345678" as ASCII bytes (31 32 ... 38, Lc = 08).
# Second APDU: Yubico's SET PIN RETRIES for user PIN, reset code and admin PIN.
# Both must go over the same gpg-connect-agent session, the VERIFY state does not survive it.
gpg-connect-agent --hex "scd apdu 00 20 00 83 08 31 32 33 34 35 36 37 38" \
"scd apdu 00 f2 00 00 03 05 05 05" /bye

# Change the PINs (factory defaults: user PIN 123456, admin PIN 12345678).
# The menu below is reached with "passwd" after "admin".
gpg2 --card-edit
admin
passwd
1 - change PIN          # enter 123456, then the new user PIN twice
3 - change Admin PIN    # enter 12345678, then the new admin PIN twice
4 - set the Reset Code  # enter the admin PIN, then the reset code twice
q

# Set metadata
url
sex
name
lang
login

quit
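The two APDUs used above (VERIFY with the admin PIN, then Yubico's retry-counter command), generated from readable values so the PIN bytes and the length byte cannot be mistyped. This is an added example, not one of the notes' own scripts; it assumes the Yubico OpenPGP applet (INS F2 is Yubico-specific, and the counter order user PIN, reset code, admin PIN is taken from the Yubico PinRetries page linked further down) and gpg-connect-agent on PATH.

```shell
#!/bin/sh
# Added example: build OpenPGP card APDUs from readable values.
# Assumes the Yubico OpenPGP applet and gpg-connect-agent on PATH.
set -eu

# "12345678" -> "31 32 33 34 35 36 37 38"
hexbytes() {
    printf '%s' "$1" | od -An -tx1 | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# VERIFY (CLA 00, INS 20, P1 00). P2 selects the PIN: 81 = PW1 for signing,
# 82 = PW1 for decrypt/auth, 83 = PW3 (admin). Lc = PIN length in bytes.
verify_apdu() {   # $1 = P2, $2 = PIN (ASCII)
    printf '00 20 00 %s %02x %s\n' "$1" "${#2}" "$(hexbytes "$2")"
}

# Yubico SET PIN RETRIES (INS F2): three one-byte counters
# (order assumed from the Yubico doc: user PIN, reset code, admin PIN).
retries_apdu() {  # $1 = user PIN, $2 = reset code, $3 = admin PIN retries
    printf '00 f2 00 00 03 %02x %02x %02x\n' "$1" "$2" "$3"
}

# Both APDUs must go over one connection: the VERIFY state is lost when the
# card is deselected. The admin PIN is read from the terminal, not argv, so it
# shows up neither in `ps` nor in the shell history.
set_retries() {   # $1 $2 $3 = retries; the card must be inserted
    printf 'Admin PIN: ' >&2
    stty -echo
    IFS= read -r admin_pin || { stty echo; return 1; }
    stty echo
    echo >&2
    gpg-connect-agent --hex \
        "scd apdu $(verify_apdu 83 "$admin_pin")" \
        "scd apdu $(retries_apdu "$1" "$2" "$3")" /bye
}

# Only talks to the card when run as: ./retries.sh apply
if [ "${1:-}" = apply ]; then
    set_retries 5 5 5
fi
```

`verify_apdu 83 12345678` yields exactly the first line of the hand-typed command above; `retries_apdu 5 5 5` yields the second.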

Move private keys
-----------------

# private-keys-v1.d/ is where gpg-agent keeps every private key (and, once a key has
# been moved to the card, only a stub pointing at the card's serial number), so be
# careful what you delete here.
rm private-keys-v1.d/*
rm .gpg-v21-migrated
cp .gnupg.backup/* .gnupg/
gpg2 --edit-key 1DD3BBDC897A94CD03F451B09D106472D6D50DBA
toggle      # not needed on gpg >= 2.1, which shows secret and public parts at once
key 0       # deselect all subkeys, so keytocard acts on the primary key
keytocard
# slot: (1) Signature key
key 1       # "key N" toggles the selection; keytocard needs exactly one key selected
keytocard
# slot: (2) Encryption key
key 1       # deselect subkey 1 again before selecting the next one
# key 2 is revoked: it was an accidentally generated Authentication Key
key 3
keytocard
# slot: (3) Authentication key
save        # keytocard moves the key: after save only stubs remain here, the backup is the only full copy

Forget passphrase
-----------------
# Resets scdaemon's card state, so the card PIN has to be entered again next time
gpg-connect-agent "SCD RESET" /bye

Encrypted root filesystem
-------------------------
http://digitalbrains.com/2014/gpgcryptroot

Forward GPG socket
------------------
# On the server: let sshd replace an existing socket file at the -R path
# (otherwise the bind fails when the server's own gpg-agent created it earlier)
echo 'StreamLocalBindUnlink yes' | sudo tee -a /etc/ssh/sshd_config
sudo /etc/init.d/ssh restart

# On the client: -R <socket path on the server>:<local socket>. The local side is
# the *extra* (restricted) socket: it allows sign/decrypt requests but no key
# export, import or passphrase change, so a compromised server gets use of the
# card and nothing more. With gpg >= 2.1.13 the paths come from
# `gpgconf --list-dirs agent-socket` (server) and `gpgconf --list-dirs agent-extra-socket` (client).
ssh -R /home/sithglan/.gnupg/S.gpg-agent:/home/sithglan/.gnupg/S.gpg-agent-extra gmvl.de
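A wrapper for the forwarding step above that looks up both socket paths with gpgconf and refuses to forward anything but the restricted socket. Added example, not one of the notes' own scripts; it assumes OpenSSH 6.7 or newer on both sides, StreamLocalBindUnlink on the server as configured above, and gpgconf on both hosts (gpg >= 2.1.13, which places the sockets under /run/user/<uid>/gnupg rather than ~/.gnupg). The sample gpgconf output is constructed.

```shell
#!/bin/sh
# Added example: forward the restricted gpg-agent socket to a remote host.
# Assumes gpgconf on both sides and StreamLocalBindUnlink on the server.
set -eu

# Read one value out of `gpgconf --list-dirs` output on stdin. Entries are
# "name:value"; gpgconf percent-escapes ':' and '%' inside the value.
gpgconf_dir() {
    awk -F: -v key="$1" '$1 == key { print $2; exit }' |
        sed 's/%3[aA]/:/g; s/%25/%/g'
}

# The extra socket only allows sign/decrypt requests; the full socket would let
# a compromised server export keys or change passphrases. Never forward it.
is_extra_socket() {
    case "$1" in
        */S.gpg-agent.extra | */S.gpg-agent-extra) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh -R argument: <path on the server>:<local extra socket>
forward_spec() {
    printf '%s:%s\n' "$1" "$2"
}

# Constructed sample of `gpgconf --list-dirs` output, to run the parser offline.
SAMPLE_DIRS='homedir:/home/sithglan/.gnupg
agent-socket:/run/user/1000/gnupg/S.gpg-agent
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh'

# Dry run on the sample: treat it as both the client's and the server's gpgconf.
demo_spec() {
    remote=$(printf '%s\n' "$SAMPLE_DIRS" | gpgconf_dir agent-socket)
    local_extra=$(printf '%s\n' "$SAMPLE_DIRS" | gpgconf_dir agent-extra-socket)
    is_extra_socket "$local_extra" && forward_spec "$remote" "$local_extra"
}

# Remote gpg must find the forwarded socket where it expects its agent, so ask
# the server's gpgconf for that path instead of assuming ~/.gnupg.
main() {
    host=$1
    local_extra=$(gpgconf --list-dirs | gpgconf_dir agent-extra-socket)
    remote_sock=$(ssh "$host" gpgconf --list-dirs | gpgconf_dir agent-socket)
    if ! is_extra_socket "$local_extra"; then
        echo "refusing to forward $local_extra: not the restricted socket" >&2
        exit 1
    fi
    # ExitOnForwardFailure: an occupied or stale socket on the server (the
    # "socket does not get deleted" problem noted above) must fail loudly
    # instead of silently leaving the server's own agent in place.
    exec ssh -o ExitOnForwardFailure=yes \
        -R "$(forward_spec "$remote_sock" "$local_extra")" "$host"
}

if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run as `./gpgfwd.sh gmvl.de`; on the server `gpg-connect-agent /bye` then talks to the client's agent and the PIN prompt appears on the client, which is also the only place pinentry can run.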

Forward ssh socket
------------------
(infra) [~] cat bin/attach_screen
#!/bin/bash

# Point a fixed path at the forwarded agent socket of this login, so a screen
# session started earlier keeps a working SSH_AUTH_SOCK across re-attaches.
# Note: gpg-agent with enable-ssh-support creates a socket named S.gpg-agent.ssh
# itself (in ~/.gnupg on older versions), so pick another name on a host that
# runs its own gpg-agent.
if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]; then
        ln -sf "$SSH_AUTH_SOCK" ~/.gnupg/S.gpg-agent.ssh
fi

export LC_CTYPE=de_DE@euro
exec screen -D -r main

screen start
============
export SSH_AUTH_SOCK="$HOME/.gnupg/S.gpg-agent.ssh"
screen -c .screenrc-main -S main

List secret keys
----------------
gpg-connect-agent "keyinfo --list" /bye

GPG Agent Configuration
-----------------------
.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry
extra-socket /home/sithglan/.gnupg/S.gpg-agent-extra
enable-ssh-support
default-cache-ttl 600
max-cache-ttl 7200
keep-tty
keep-display
# debug-level guru
# debug-all
# log-file /tmp/gpg-agent.log

Remote GPG Setup
----------------
# Warning: make a backup first
rm .gnupg/secring* .gnupg/pubring* .gnupg/private-keys-v1.d/*
# For each public key
gpg2 --recv-key 0x9D106472D6D50DBA
gpg2 --recv-key 0x03BF970657E19B02

# With the agent socket forwarded (see above), the private keys should now be
# listed on the server: gpg asks the forwarded agent whether it holds them, so
# no private key material is ever copied to the server.
gpg2 -K

cat <<EOF > .gnupg/gpg.conf
# The SKS pool has been shut down (2021); keys.openpgp.org is a working replacement
# keyserver hkps://hkps.pool.sks-keyservers.net
keyserver hkps://keys.openpgp.org
keyserver-options no-honor-keyserver-url
cert-digest-algo SHA512
no-greeting
lock-once
default-key 1DD3BBDC897A94CD03F451B09D106472D6D50DBA
encrypt-to 1DD3BBDC897A94CD03F451B09D106472D6D50DBA
keyid-format 0xlong
use-agent
with-fingerprint
quiet
default-recipient-self
no-secmem-warning
keyserver-options auto-key-retrieve
no-auto-check-trustdb
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOF

In case you get an error: Please remove the current card and insert the one with serial number
----------------------------------------------------------------------------------------------
The key stubs in private-keys-v1.d/ record the serial number of the card they were
created with, so a second card holding the same keys (e.g. the backup card) is refused.
Delete all files in %APPDATA%\gnupg\private-keys-v1.d\ and run gpg --card-status with
the new card inserted to recreate the stubs for it.

GNUPG Interaction
-----------------

Here are the steps and the interaction.

(1) here are the processes
 [gpgme]----[gpg]====[gpg-agent]----[scdaemon]
                  ^--- possibly by forwarded socket

(2) A client program (Mutt, in your case) asks for decryption through gpgme
       decrypt
 [gpgme]--->[gpg]----[gpg-agent]----[scdaemon]

(3) it goes to scdaemon
               decrypt
 [gpgme]----[gpg]--->[gpg-agent]----[scdaemon]

                              decrypt
 [gpgme]----[gpg]----[gpg-agent]--->[scdaemon]

(4) if the token is not authenticated yet,
    scdaemon asks a user PIN back through gpg-agent
                               "PIN please"
 [gpgme]----[gpg]----[gpg-agent]<---[scdaemon]


(5) Then, gpg-agent invokes pinentry.
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          |
            [pinentry]<---/

(6) pinentry pops up GUI dialog window to user.
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          |
  User <----[pinentry]----/

(7) User inputs PIN by the dialog.
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          |
  User ---->[pinentry]----/
        PIN

 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          ^
            [pinentry]----/
                      PIN

                                PIN
 [gpgme]----[gpg]----[gpg-agent]--->[scdaemon]

(8) scdaemon sends the pin to the token to authenticate.
                                              PIN
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]

(9) Token is ready to decrypt, now.
    scdaemon sends encrypted message to the token.
                                              decrypt
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]

(10) the token replies with the decrypted message.... back to gpgme.
                                            decrypted
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]<--[token]

                                decrypted
 [gpgme]----[gpg]----[gpg-agent]<---[scdaemon]

                 decrypted
 [gpgme]----[gpg]<---[gpg-agent]----[scdaemon]

       decrypted
 [gpgme]<---[gpg]----[gpg-agent]----[scdaemon]
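A small diagnostic for the chain described above: which hop (gpg-agent, pinentry, scdaemon/token) refused, read off the responses gpg-connect-agent prints. Added example, not part of the quoted explanation; it assumes gpg-connect-agent's output format ("S ..." status lines, "OK", and "ERR <code> <text> <Source>", where the trailing <Source> tag names the component that raised the error) and, as a fallback, the libgpg-error convention that the top byte of the code identifies the source (4 = gpg-agent, 5 = pinentry, 6 = scdaemon). The sample responses are constructed and the serial number is made up.

```shell
#!/bin/sh
# Added example: which hop of gpgme -> gpg -> gpg-agent -> scdaemon -> token failed?
# Assumes gpg-connect-agent's response line format (see lead-in).
set -eu

# Classify a response read from stdin: "ok", "err:<source>" or "err:no-response".
classify() {
    awk '
        $1 == "OK" { result = "ok" }
        $1 == "ERR" {
            src = "unknown"
            if (match($0, /<[^<>]*>$/)) {
                src = substr($0, RSTART + 1, RLENGTH - 2)
            } else {
                # libgpg-error: source = code >> 24
                s = int($2 / 16777216)
                if (s == 4) src = "GPG Agent"
                else if (s == 5) src = "Pinentry"
                else if (s == 6) src = "SCD"
            }
            result = "err:" src
        }
        END { print (result == "" ? "err:no-response" : result) }'
}

# Card serial from the "S SERIALNO <serial> ..." line that `scd serialno` answers with.
serialno() { awk '$1 == "S" && $2 == "SERIALNO" { print $3; exit }'; }

# First thing to check for each failing hop.
hint() {
    case "$1" in
        ok)              echo "agent, scdaemon and card all answered" ;;
        err:SCD)         echo "scdaemon/card: card inserted? udev rule? another reader driver holding it?" ;;
        err:Pinentry)    echo "pinentry: no usable tty/display; with a forwarded socket the PIN prompt appears on the client" ;;
        "err:GPG Agent") echo "gpg-agent itself: check gpg-agent.conf and its log" ;;
        err:no-response) echo "no answer at all: agent socket unreachable or stale" ;;
        *)               echo "unexpected: $1" ;;
    esac
}

# Constructed samples of what gpg-connect-agent prints for `scd serialno`.
SAMPLE_OK='S SERIALNO D2760001240102010006012345670000 0
OK'
SAMPLE_NOCARD='ERR 100663404 Card error <SCD>'
SAMPLE_CANCEL='ERR 83886179 Operation cancelled <Pinentry>'

# Live check against the real agent: ./gpgdiag.sh live
if [ "${1:-}" = live ]; then
    result=$(gpg-connect-agent 'scd serialno' /bye | classify)
    hint "$result"
fi
```

`classify` on the three samples gives ok, err:SCD and err:Pinentry; `hint` turns each into the first thing to look at, which for the pinentry case is exactly the "no remote pinentry" problem noted at the top of these notes.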

ssh agent pam
=============
sudo apt-get install libssl-dev libpam0g-dev checkinstall
./configure --libexecdir=/lib/security --with-mantype=man
make
sudo checkinstall
sudo dpkg -i /home/sithglan/Downloads/pam_ssh_agent_auth-0.10.2/pam-ssh-agent-auth_0.10.2-1_amd64.deb

/etc/pam.d/sudo:
#%PAM-1.0

# success=2 jumps over the next two module lines; with @include the count applies
# after the includes are expanded, which makes it fragile. "auth sufficient
# pam_ssh_agent_auth.so file=..." is the more robust form. The key file must be
# owned by root and not writable by anyone else, and sudo has to hand the agent
# socket through to PAM: Defaults env_keep += "SSH_AUTH_SOCK" in /etc/sudoers.
auth [success=2 default=ignore] pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys
@include common-auth
@include common-account
@include common-session-noninteractive

reload agent
============
gpg-connect-agent reloadagent /bye

scdaemon.conf
=============
# Debugging only: the log contains the complete card traffic, so keep it out of a
# world-readable directory like /tmp, treat it as sensitive and delete it when done
debug-level guru
debug-all
log-file /tmp/scd.log

Check Version of gpg applet
===========================
gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
Source: https://developers.yubico.com/ykneo-openpgp/PinRetries.html

Reset Applet
============
Source: https://developers.yubico.com/ykneo-openpgp/ResetApplet.html
gpg-connect-agent -r scripts/reset.txt
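The notes' own scripts/reset.txt is not shown here. The following added example (not the notes' file) generates the batch from the sequence on the Yubico ResetApplet page linked above: exhaust the user PIN (PW1) and admin PIN (PW3) retry counters with a wrong 8-byte PIN, then TERMINATE DF (INS E6) and ACTIVATE FILE (INS 44). It assumes the Yubico OpenPGP applet and that you pass the retry count the card is currently configured with; running it destroys every key, PIN and piece of metadata on the applet.

```shell
#!/bin/sh
# Added example: generate the gpg-connect-agent batch that factory-resets the
# Yubico OpenPGP applet. Assumes the Yubico applet; wipes everything on it.
set -eu

reset_script() {   # $1 = configured retry count (3 from the factory, 5 after the retries APDU above)
    tries=$1
    echo '/hex'
    echo 'scd serialno'
    for p2 in 81 83; do
        i=0
        # Each wrong VERIFY decrements the counter; at 0 the PIN is blocked, which
        # is the state TERMINATE DF requires. Surplus attempts are harmless.
        while [ "$i" -lt "$tries" ]; do
            echo "scd apdu 00 20 00 $p2 08 40 40 40 40 40 40 40 40"
            i=$((i + 1))
        done
    done
    echo 'scd apdu 00 e6 00 00'
    echo 'scd apdu 00 44 00 00'
    echo '/echo Card has been reset'
}

# Only runs against the card when invoked as: ./reset.sh run [tries]
if [ "${1:-}" = run ]; then
    reset_script "${2:-3}" | gpg-connect-agent
fi
```

`reset_script 3 > scripts/reset.txt` produces a file usable with the `gpg-connect-agent -r` invocation above; afterwards `gpg2 --card-status` shows factory PINs and empty key slots.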

Yubikey
=======
https://developers.yubico.com/yubico-pam/
# The PAM module itself is the libpam-yubico package; yubikey-server-c is a validation server
apt-get install yubikey-server-c

Hints about agent forwarding with gnupg
=======================================
http://www.gossamer-threads.com/lists/gnupg/users/71038

Yubitouch.sh
============
https://gist.github.com/a-dma/797e4fa2ac4b5c9024cc

OTP
===
https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html
https://developers.yubico.com/OTP/OTPs_Explained.html
https://developers.yubico.com/OTP/

Windows
-------

Download and Install gpg4win.exe

%appdata%\gnupg\gpg-agent.conf
enable-putty-support

gpg-connect-agent killagent /bye
gpg-connect-agent /bye
<insert the card>

Pitfall: GPG uses only one smartcard reader (the first one found, unless reader-port is set in scdaemon.conf). In this case SafeNet was still installed and had to be removed.
