#!/bin/bash set -eu USER_ID="${1}" DEVICE=${DEVICE:="trezor"} # or "ledger" CURVE=${CURVE:="nist256p1"} # or "ed25519" TIMESTAMP=${TIMESTAMP:=`date +%s`} # key creation timestamp HOMEDIR=~/.gnupg/${DEVICE} # NOTE: starting from GnuPG 2.2, gpg2 -> gpg GPG_BINARY=$(python -c "import libagent.gpg.keyring as k; print(k.get_gnupg_binary())") ${GPG_BINARY} --version # verify that GnuPG 2.1+ is installed # Prepare new GPG home directory for hardware-based identity rm -rf "${HOMEDIR}" mkdir -p "${HOMEDIR}" chmod 700 "${HOMEDIR}" # Generate new GPG identity and import into GPG keyring $DEVICE-gpg create -v "${USER_ID}" -t "${TIMESTAMP}" -e "${CURVE}" > "${HOMEDIR}/pubkey.asc" ${GPG_BINARY} --homedir "${HOMEDIR}" --import < "${HOMEDIR}/pubkey.asc" 2> /dev/null rm -f "${HOMEDIR}/S.gpg-agent" # (otherwise, our agent won't be started automatically) # Make new GPG identity with "ultimate" trust (via its fingerprint) FINGERPRINT=$(${GPG_BINARY} --homedir "${HOMEDIR}" --list-public-keys --with-fingerprint --with-colons | sed -n -E 's/^fpr:::::::::([0-9A-F]+):$/\1/p' | head -n1) echo "${FINGERPRINT}:6" | ${GPG_BINARY} --homedir "${HOMEDIR}" --import-ownertrust 2> /dev/null AGENT_PATH="$(which ${DEVICE}-gpg-agent)" # Prepare GPG configuration file echo "# Hardware-based GPG configuration agent-program ${AGENT_PATH} personal-digest-preferences SHA512 default-key \"${USER_ID}\" " > "${HOMEDIR}/gpg.conf" # Prepare GPG agent configuration file echo "# Hardware-based GPG agent emulator log-file ${HOMEDIR}/gpg-agent.log verbosity 2 " > "${HOMEDIR}/gpg-agent.conf" # Prepare a helper script for setting up the new identity echo "#!/bin/bash set -eu export GNUPGHOME=${HOMEDIR} COMMAND=\$* if [ -z \"\${COMMAND}\" ] then \${SHELL} else \${COMMAND} fi " > "${HOMEDIR}/env" chmod u+x "${HOMEDIR}/env" echo "Starting ${DEVICE}-gpg-agent at ${HOMEDIR}..." # Load agent and make sure it responds with the new identity GNUPGHOME="${HOMEDIR}" ${GPG_BINARY} -K 2> /dev/null