felschr/pgp2ssh
1
0
Fork 0
mirror of https://github.com/pinpox/pgp2ssh.git synced 2025-02-05 10:59:19 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
pgp2ssh/README.md
Pablo Ovelleiro Corral 197559a92c
Update README.md
2024-06-01 13:19:56 +02:00

89 lines
3.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# pgp2ssh
Derive private ed25519 SSH key from private PGP key.
GPG itself only supports exporting _public_ SSH keys and other tools don't work for ed25519 keys.
##### Notes:
- A tool exists to do this for RSA keys: [openpgp2ssh](https://manpages.ubuntu.com/manpages/xenial/man1/openpgp2ssh.1.html) but it does not seem to support `ed25519` keys
- Work on `gnupg` was started for this feature, but never finished see this
issue and commit: https://dev.gnupg.org/T6647
## Instructions
First you need to export your PGP key from GPG:
```sh
gpg2 --export-secret-keys --armor test@test.test >priv-gpg
```
Then identify the public SSH key that was used to encrypt your secret.
You can search for your GitHub username in: https://fluence-dao.s3.eu-west-1.amazonaws.com/metadata.json
If you have multiple subkeys, usually it is the authenticate key highlighted with `[A]` in the output of:
```sh
gpg --list-secret-keys --with-keygrip
```
### Derive private SSH key
```sh
go build
./pgp2ssh
```
**Nix/NixOS Users**
A flake is provided for Nix users. Just use `nix run` instead of building and
running manually.
It'll ask you for the path to your private PGP key, followed by choosing the key/subkey and if your PGP key is encrypted it'll ask for the passphrase.
In the output, verify that the public SSH key printed matches the one in `metadata.json`.
If it matches, the last part of the output it will print the matching private SSH key.
You can save the key to a file and use how you want.
### Example: Decrypt age files
If you want to decrypt a file that was encryptd by `age` with your public SSH key, you can just use `age` as normal to decrypt the file using the SSH private key that we've got in the previous step:
```sh
age --decrypt --identity ./ssh-secret-key --output decrypted ./testfile.txt.age
```
## Troubleshooting
If the conversion fails with the error:
```
2024/03/27 22:09:09 openpgp: invalid data: user ID signature with wrong type
```
You might be missing the private key of your subkeys. When running `gpg -K` you
should **NOT** see a `>` infront of the keys like this:
```
ssb> ed25519/0xB68746238E59B548 2018-07-09 [S] [expires: 2026-01-02]
Keygrip = C89E5AABCBF7142DBC26E68FB3121DE12DCBF4FF
ssb> cv25519/0x65CD5E0200C56C17 2018-07-09 [E] [expires: 2026-01-02]
Keygrip = 867EA9F6ADBEBE18ED98253B884F53CBD53C526B
ssb> ed25519/0xF36CF32DF9B09855 2018-07-09 [A] [expires: 2026-01-02]
Keygrip = 553D56865642B05AB3C5B62DC68795691702B960
```
The `>` (corner of a card) indicates, that the private part is on a smart card
or not available. This may also be caused by expired keys. For possible
solutions see https://github.com/pinpox/pgp2ssh/issues/6
### Support & Donations
This project was built with lots of headaches by [pinpox](https://github.com/pinpox/) & [felschr](https://github.com/felschr/). If you need help, feel free to contact us.
And if you want to thank us, you can send us any crypto or token to our Ethereum / Polygon wallets 😊:
pinpox: `0xde031f16976AFcaC613087B6213Eb521F63d3A49`
felschr: `0xD66753D737603E18018281E298Df86DE402d313E`
<a href="https://www.buymeacoffee.com/pinpox"><img src="https://img.buymeacoffee.com/button-api/?text=Buy me a coffee&emoji=😎&slug=pinpox&button_colour=82aaff&font_colour=000000&font_family=Inter&outline_colour=000000&coffee_colour=FFDD00"></a>
Reference in a new issue View git blame Copy permalink