First install gpg suite

Download from https://gpgtools.org/

Check signature

• Open terminal
• Go to folder with download and type:

$ shasum -a 256 <GPG-Suite-download-filename>

In my case filename: GPG_Suite-2018.3.dmg

This results in an signature:

00a6d0c69dd050acd2df4a34bf8502d4e0de3af9b4f7523a0003af14b60006be  GPG_Suite-2018.3.dmg

• Compare this with the signature on the website

• Install the GPG Suite

This will also install the app gpg keychain.

Get gpg key from yubikey

You need a Yubikey with gpg keys on it. How to setup your Yubikey?

• Open terminal
• Insert yubikey
• Typ in terminal:

$ gpg --card-status

You should get the info on the yubikey

• Get your gpg key id. In my case F6868133B81EF682 :

sec#  rsa4096/F6868133B81EF682

• Now export your public key:

$ gpg --armor --export <your key id> ~/mypublickey.pub

• Get your key into the gpg keychain
• Go to finder and open your public key.

Right click or double click the file. In my case I had to specify gpg keychain as the application to open this file.

In GPG keychain it will now show up with type pub/sec. But in the details overview you can see ‘card: #’. This means the key is on a smartcard.

Click ‘Details’ to check the keys details. There you can see the private key is on a card. ‘Card: #’

Test your Yubikey

• Go to finder
• Right click a random file
• Go to Services and choose encrypt file

• Now you can choose your key in the dropdown in the list below the box
• To test ‘sign’ check also the sign checkbox

If you later decrypt the file, it will show you the signature.

• After click ‘Ok’ it will ask to insert your Yubikey

• Typ your PIN and the encryption starts

You can open the just created file in finder and ‘decrypt’ to test decryption and signature.