From 33f572768bf1b1d57fa9e489ed68434bacc803ba Mon Sep 17 00:00:00 2001 From: forbytten <108727302+forbytten@users.noreply.github.com> Date: Thu, 21 Nov 2024 05:21:59 +0000 Subject: [PATCH 1/2] Addresses [Missing section for adding uids](https://github.com/drduh/YubiKey-Guide/issues/445) --- README.md | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/README.md b/README.md index b3f7541..443edb6 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,7 @@ To suggest an improvement, send a pull request or open an [issue](https://github * [Expiration](#expiration) * [Passphrase](#passphrase) - [Create Certify key](#create-certify-key) +- [Add additional uids (optional)](#add-additional-uids-optional) - [Create Subkeys](#create-subkeys) - [Verify keys](#verify-keys) - [Backup keys](#backup-keys) @@ -407,6 +408,50 @@ export KEYFP=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^fpr:/ { print $10; printf "\nKey ID: %40s\nKey FP: %40s\n\n" "$KEYID" "$KEYFP" ``` +# Add additional uids (optional) + +## Rationale + +This is an optional step if you have a use case which requires [additional identities](https://github.com/drduh/YubiKey-Guide/issues/445). Some non-exhaustive example use cases are: + +- different email addresses for different languages +- different email addresses for professional versus personal but please see alternative reason below for not tying these addresses together +- anonymized email addresses for different git providers + +An alternative would be to have distinct keys but you would then require multiple YubiKeys, as each can only hold a single key for each type (signing, encryption, authentication). Nevertheless, there can be good reasons to have multiple YubiKeys: + +- if you have different email addresses for professional versus personal use cases, having distinct keys allow you to disassociate the identities +- if you are also using the YubiKey as a U2F or FIDO2 device, having multiple YubiKeys is generally recommended as a backup measure + +## Steps + +Define an array containing additional uids. As this is bash syntax, each array element should be surrounded by quotes and each element should be separated by a space: + +``` +declare -a additional_uids +additional_uids=("Super Cool YubiKey 2024" "uid 1 ") +``` + +Add the additional uids to the key: + +``` +for uid in "${additional_uids[@]}" ; do \ + echo "$CERTIFY_PASS" | gpg --batch --passphrase-fd 0 --pinentry-mode=loopback --quick-add-uid "$KEYFP" "$uid" +done +``` + +Adjust the trust of the additional uids to be ultimate: + +``` +gpg --command-fd=0 --pinentry-mode=loopback --edit-key "$KEYID" < Date: Thu, 21 Nov 2024 08:10:18 +0000 Subject: [PATCH 2/2] Fixed formatting to conform to existing conventions --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 443edb6..dd58fb9 100644 --- a/README.md +++ b/README.md @@ -427,14 +427,14 @@ An alternative would be to have distinct keys but you would then require multipl Define an array containing additional uids. As this is bash syntax, each array element should be surrounded by quotes and each element should be separated by a space: -``` +```console declare -a additional_uids additional_uids=("Super Cool YubiKey 2024" "uid 1 ") ``` Add the additional uids to the key: -``` +```console for uid in "${additional_uids[@]}" ; do \ echo "$CERTIFY_PASS" | gpg --batch --passphrase-fd 0 --pinentry-mode=loopback --quick-add-uid "$KEYFP" "$uid" done @@ -442,7 +442,7 @@ done Adjust the trust of the additional uids to be ultimate: -``` +```console gpg --command-fd=0 --pinentry-mode=loopback --edit-key "$KEYID" <