Yubikey and macOS GPG Suite

First install GPG Suite

Download from https://gpgtools.org/

Check the checksum

The download page publishes a SHA-256 checksum for the .dmg. This is a checksum, not a signature: it only proves you received the same file the site lists, but that is enough to catch a corrupted or tampered download.

  • Open Terminal
  • Go to the folder with the download and type:
$ shasum -a 256 <GPG-Suite-download-filename>

In my case the filename was GPG_Suite-2018.3.dmg

This prints the checksum:

00a6d0c69dd050acd2df4a34bf8502d4e0de3af9b4f7523a0003af14b60006be  GPG_Suite-2018.3.dmg
  • Compare this with the checksum on the website; every hex digit must match

  • Install GPG Suite

This also installs the GPG Keychain app.

Get your GPG key from the Yubikey

You need a Yubikey with GPG keys on it. How to set up your Yubikey?

  • Open Terminal
  • Insert the Yubikey
  • Type in Terminal:
$ gpg --card-status

You should get the card's info (reader, serial number, PIN retry counters, key fingerprints) and, at the bottom, the matching keys from your keyring.

  • Get your GPG key ID. In my case F6868133B81EF682:
sec#  rsa4096/F6868133B81EF682

The character after ‘sec’ matters: ‘#’ means the secret part of this key is not available on this machine (normal when the primary key is kept offline and only subkeys were moved to the card); subkeys whose secret part lives on the card are listed as ‘ssb>’.

  • Now export your public key. gpg --export writes to stdout, so name the file with --output (a bare filename after the key ID would be read as another key ID, not as a destination):
$ gpg --armor --export --output ~/mypublickey.pub <your key id>
  • Import the key into GPG Keychain
  • Go to Finder and open your public key.

Right click or double click the file. In my case I had to specify GPG Keychain as the application to open this file.

In GPG Keychain it now shows up with type pub/sec. Click ‘Details’ to check the key's details: ‘Card: #’ there means the private key is on the smartcard, not on disk.
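To see where each secret key lives without reading the human listing, ask gpg for its machine-readable output. The following is an added example (not from the original page): it parses gpg --list-secret-keys --with-colons, where field 15 of a sec/ssb record carries the card serial number for a key on a smartcard, ‘#’ for a stub with no usable secret part, and nothing for a key on disk, and it exports the public key with --output. The sample listing is constructed around the page's key ID F6868133B81EF682; the subkey IDs, fingerprints, user ID and card serial are placeholders.

```sh
#!/bin/sh
# Added example: report where each secret key lives (card / stub / disk)
# from gpg's colon-separated listing, then export the public key.
set -eu

# key_location: reads `gpg --list-secret-keys --with-colons` on stdin and
# prints one "keyid capabilities location" line per sec/ssb record.
# Field 15 of a sec/ssb record is the token serial number: a card serial when
# the secret part is on a smartcard, "#" when only a stub exists (e.g. an
# offline primary key), empty when the secret key is on disk.
key_location() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        loc = "on-disk"
        if ($15 == "#")      loc = "stub-only"
        else if ($15 != "")  loc = "card:" $15
        print $5, $12, loc
    }'
}

# export_pubkey KEYID FILE: ASCII-armored public key export to FILE.
# (--export prints to stdout; without --output a trailing filename would be
# treated as another key ID.)
export_pubkey() {
    gpg --armor --export --output "$2" "$1"
}

# live_check KEYID: what you actually run with the Yubikey inserted.
# Not exercised offline.
live_check() {
    gpg --card-status >/dev/null          # fails if no card is present
    gpg --list-secret-keys --with-colons "$1" | key_location
    export_pubkey "$1" "$HOME/mypublickey.pub"
}

# Constructed sample of --with-colons output for a key like the one on the
# page: primary F6868133B81EF682 kept offline (stub), three subkeys on a card.
# Subkey IDs, fingerprints, user ID and card serial are placeholders.
SAMPLE='sec:u:4096:1:F6868133B81EF682:1527000000:::u:::cESCA:::#:::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1527000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
ssb:u:4096:1:0000000000000001:1527000000::::::s:::D2760001240102010006000000000000:::23:
ssb:u:4096:1:0000000000000002:1527000000::::::e:::D2760001240102010006000000000000:::23:
ssb:u:4096:1:0000000000000003:1527000000::::::a:::D2760001240102010006000000000000:::23:'

printf '%s\n' "$SAMPLE" | key_location
```

The demo prints the primary key as stub-only and the signing (s), encryption (e) and authentication (a) subkeys as card:<serial>. If a subkey you expect on the card shows up as on-disk, its secret part was copied rather than moved, and it should be deleted from the keyring once you have confirmed the card works.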

Test your Yubikey

  • Go to Finder
  • Right click any file
  • Go to Services and choose ‘Encrypt File’

  • Pick your own key as recipient from the key list below the box
  • To test signing, also tick the ‘Sign’ checkbox

When you later decrypt the file, the signature is verified and shown as well.

  • After clicking ‘OK’ it asks you to insert your Yubikey

  • Type your PIN and the encryption starts

You can open the newly created encrypted file in Finder and choose ‘Decrypt’ to test decryption and signature verification.
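The same round trip from the terminal, as an added example that is not part of the original page or of GPG Suite: encrypt-and-sign with gpg, then decrypt with --status-fd and check the machine-readable status lines for DECRYPTION_OKAY and GOODSIG instead of reading ‘Good signature’ off the screen. The roundtrip function needs gpg and the card; the status lines fed to the checker in the demo are constructed (key IDs, fingerprints and user ID are placeholders).

```sh
#!/bin/sh
# Added example: command-line equivalent of the Finder "Encrypt File" test,
# with the decrypt step verified from gpg's --status-fd output.
set -eu

# check_status: reads gpg status lines ("[GNUPG:] KEYWORD ...") on stdin and
# prints the signer's key ID. Exit 0 only when decryption succeeded AND a good
# signature was seen AND no bad/unverifiable signature was reported.
check_status() {
    awk '
        $1 == "[GNUPG:]" && $2 == "DECRYPTION_OKAY" { dec = 1 }
        $1 == "[GNUPG:]" && $2 == "GOODSIG"         { good = 1; signer = $3 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY") { bad = 1 }
        END {
            if (dec && good && !bad) { print signer; exit 0 }
            exit 1
        }'
}

# roundtrip KEYID FILE: encrypt+sign FILE to KEYID (the card prompts for the
# PIN), then decrypt it and verify the signature via the status lines.
# Real gpg use; not exercised offline.
roundtrip() {
    keyid=$1; file=$2
    gpg --encrypt --sign --recipient "$keyid" --local-user "$keyid" \
        --output "$file.gpg" "$file"
    signer=$(gpg --decrypt --status-fd 1 --output "$file.dec" "$file.gpg" \
             | check_status) || { echo "decryption or signature check FAILED"; return 1; }
    echo "decrypted, signed by $signer"
    cmp -s "$file" "$file.dec" && echo "plaintext round-trips"
}

# Constructed status output for a good run and for a tampered file.
# Key IDs, fingerprints and user ID are placeholders, not real values.
GOOD='[GNUPG:] ENC_TO 0000000000000002 1 0
[GNUPG:] DECRYPTION_KEY 0000000000000000000000000000000000000000 0000000000000000000000000000000000000000 u
[GNUPG:] PLAINTEXT 62 1527000000 file.txt
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 0000000000000001 Example User <user@example.com>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2018-05-22 1527000000 0 4 0 1 8 00 0000000000000000000000000000000000000000
[GNUPG:] END_DECRYPTION'
BAD='[GNUPG:] DECRYPTION_OKAY
[GNUPG:] BADSIG 0000000000000001 Example User <user@example.com>
[GNUPG:] END_DECRYPTION'

printf '%s\n' "$GOOD" | check_status
printf '%s\n' "$BAD" | check_status || echo "bad signature rejected"
```

Requiring both DECRYPTION_OKAY and GOODSIG matters: a file that decrypts but carries no or a bad signature still decrypts fine, so checking only the decryption result would pass a tampered message.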