passforios
Support for yubikeys?
Would it be possible to use a yubikey (in pgp/ccid mode) with this app? I take it there currently isn't any support - as I see no mention of it on the wiki.. but it would be neat if there was :D
Hi, Pass for iOS doesn't support PGP/ccid currently. Please stay tuned. More features will be added. Our main goal now is to implement/polish basic functions. Thanks for your suggestion.
On Mon, 27 Feb 2017 at 1:28 AM, Aaron Bieber [email protected] wrote:
> Would it be possible to use a yubikey (in pgp/ccid mode) with this app? I take it there currently isn't any support - as I see no mention of it on the wiki.. but it would be neat if there was :D
-- Best, Mingshen www.cse.cuhk.edu.hk/~mssun
@posix4e Hi, I didn't get your point. Can you elaborate? Thanks.
For the Yubikey thing, I didn't use it personally, and I'm not sure how it is related to our app.
@qbit Can you talk about how to integrate it with the app? Thanks.
Yea ignore me actually
@mssun Sure - I can give it a crack.
So on Android using OpenKeychain you do the following:
- connect usb OTG cable, then yubikey
- OpenKeychain prompts for a PIN to unlock the yubikey
- once unlocked gpg-agent sees the yubikey as a regular gpg key
- decryption / signing can happen
- user disconnects yubikey - gpg key is no longer available.
I don't know enough about the iOS frameworks to know if the smartcard protocol is usable. Hopefully it is though :D
https://www.yubico.com/2017/10/iphone-support-yubikey-otp-via-nfc/
Still pre-release, but a couple of weeks back Yubico announced Yubikey for Lightning. It gives no info about which protocols will be supported, but the approval from Apple means Yubico will be creating an iOS library; I'd bet PGP will be on it. @qbit @mssun @posix4e
What would be necessary to get CCID/smart card stuff working for this app with a similar workflow to the android equivalent? Say I were to have a nitrokey or similar, is there any support in iOS at all at the hardware level?
https://www.yubico.com/lightning-project/
It looks like people can sign up to start developing using the iOS SDK / Yubikey for Lightning now in private beta, but you'll need to sign an NDA.
Given that, I don't think we can issue public pull requests on this project, but there may be people working on a private branch already.
With Apple supposedly opening up Core NFC in iOS 13 (https://www.nfcworld.com/2019/06/06/362917/apple-includes-nfc-tag-writing-in-major-upgrade-to-core-nfc-framework/), does this change the situation at all or would you still need the Lightning connection?
I just ordered one today!
https://www.yubico.com/store/yubikey-5ci-security-keys
Yubikey just officially launched the lightning key; I also bought one and will tinker with it to see how feasible integration is here.
Saw the Yubikey 5Ci announcement as well and immediately had this project in mind. It would be really cool to integrate it with pass4ios! 🙌
Supposedly Yubico is releasing an SDK soon (December) to open up full NFC support on the latest iOS. Then it should be possible to support GPG over NFC yubikeys.
Adding Yubikey support might help to solve issue #295. In my case, I need to only use my subkeys because I only add these on my Yubikey. My master key with certify capabilities stays offline. Having Yubikey support would solve it all.
I just found out about passforios and it is really great :heart_eyes: ! It would be awesome to support the GPG smartcard feature on a YubiKey device.
I currently own a Yubikey NEO (USB A + NFC). The GPG smartcard feature works great on desktop when the Yubikey is plugged-in on a USB port. I am not sure it is possible to get it working with NFC.
This StackExchange (https://unix.stackexchange.com/a/376138) suggests that it is possible and with Apple now allowing all apps to use the NFC capability with iOS 13.3 maybe this is possible.
I have a YubiKey NEO and a YubiKey 5 NFC. Only the latter works with the official yubico authenticator app it seems
> I have a YubiKey NEO and a YubiKey 5 NFC. Only the latter works with the official yubico authenticator app it seems
Yubico Authenticator works with NFC for my yubikey NEO ;)
> Yubico Authenticator works with NFC for my yubikey NEO ;)
On iOS? Interesting. I wonder why mine didn’t work then...
Yup, on firmware 3.5.0 (you can see that using Yubikey Manager). Maybe yours is older ?
Also just as an FYI for those reading this thread, Yubikeys and other FIDO compatible keys are now supported within safari on iOS on the latest version of iOS 13.1. You may need to enable webauthn in safari settings to do this. Try it out on the yubico website or passwordless.dev.
Yubico have a native iOS SDK that claims to support OpenPGP (it also supports just sending raw commands back and forth to the device): https://developers.yubico.com/Mobile/iOS/
I believe that this should allow one to decrypt secrets with private keys stored on the device.
There's an issue for examples for pgp in the library, to which the developers noted that another smart card implementation (PIV) is already present in the example app, and that it should be possible; one just needs to do the same thing Desktop/Android already does, simply following pgp specification.
Also here is another example app: https://github.com/YubicoLabs/YubiKit-iOS-Starter
Any update on that feature? :)
> Any update on that feature? :)
Yeah good question. Would be interested in that feature as well.
New iOS user coming from Android. I'd love to use this, but am incredibly wary of storing private keys on a device that could easily be lost or stolen. Even with a secure passphrase, I'd rather my private key not fall into someone else's hands.
In the absence of this feature, are the keys at least stored securely? iDevices have some sort of secure enclave if I'm not mistaken. Are my private keys kept there? That might make me feel a bit more comfortable using this without my smartcard.
Thanks.
Would love to see this supported as well.
> In the absence of this feature, are the keys at least stored securely? iDevices have some sort of secure enclave if I'm not mistaken. Are my private keys kept there? That might make me feel a bit more comfortable using this without my smartcard.
Yes, all keys and their passwords (if you let the app save them) are stored in the iOS keychain, so that only the app itself can access them.
Any progress on this. Would we be ever able to use yubikey through NFC on this app and not save our private keys on the device?
> > In the absence of this feature, are the keys at least stored securely? iDevices have some sort of secure enclave if I'm not mistaken. Are my private keys kept there? That might make me feel a bit more comfortable using this without my smartcard.
> Yes, all keys and their passwords (if you let the app save them) are stored in the iOS keychain, so that only the app itself can access them.
This doesn't sound like it uses the secure enclave, so keys will be stored in iTunes Backups and can be extracted
The secure enclave doesn't support native GPG, so won't the secure enclave just be unwrapping the private key, and that will now be in userland memory for the remainder of GPG operations?
> The secure enclave doesn't support native GPG, so won't the secure enclave just be unwrapping the private key, and that will now be in userland memory for the remainder of GPG operations?
I don't know enough about iOS keychain as I haven't worked with it before but I tried restoring a backup with the Pass for iOS app and all of my private keys were still there, which means that the secure enclave isn't wrapping private keys on disk, or maybe it is but when you do an iTunes backup the keys are unwrapped by iOS and re-encrypted with another key that isn't stored in the secure enclave. I'm just guessing though
No, that does not imply that the secure enclave is NOT wrapping keys. But as I said, the enclave does not support GPG, so this may all be security theater in that all GPG operations are performed in userland with the actual gpg private key. NFC yubikeys would be ideal!
The missing Yubikey support is what's keeping me from switching over to pass and passforios. Hoping to switch soon! :)
Any advances on this? Is there a way we can help?
+1 – hoping to switch soon to pass when I don't have to store a key on my phone.
Looking at the latest Yubikit, they do have a PC/SC interface to the key over NFC. Perhaps we could 'hook this up' to the GPG library that pass uses to send GPG commands to the key?
I can have a look at doing this, if that sounds like the right approach.
> Looking at the latest Yubikit, they do have a PC/SC interface to the key over NFC. Perhaps we could 'hook this up' to the GPG library that pass uses to send GPG commands to the key?
> I can have a look at doing this, if that sounds like the right approach.
@hexagonal-sun I just stumbled over this post while researching about PGP in iOS. Would love to see this as a PoC too. Besides the App seems quite interesting. 👍
Is anyone working on this? I wonder if some kind of funding (sponsorship, donations of hardware or maybe a bounty) might help to get yubikey support implemented sooner. Looking at the comments and reactions around this topic (here and on other issues) there should be at least some supporters for some sort of crowd funding. :thinking:
I would be willing to sponsor the development of this feature.
I would also be willing to sponsor development of this feature as well.
I would also love to sponsor the development of this feature!
Hi all, I spent several days studying and developing a prototype to support YubiKey. I have completed almost all primitives to implement this feature in the app. However, one important thing is missing that blocks my current prototyping. I'm frustrated.
The PGP library (gopenpgp) we are using cannot handle the AEADEncrypted type packet for session key decryption.
You can see this code snippet:
https://github.com/ProtonMail/gopenpgp/blob/3aafa3c549368db54703cf38372bfcc332a10f39/crypto/sessionkey.go#L307
Only the SymmetricallyEncrypted type is supported. However, from my understanding AEAD encryption is used by gpg and other OpenPGP compatible tools.
Therefore, we have two choices:
- Implement the AEADEncrypted type packet in gopenpgp.
- Use other application protocol supported by YubiKey (e.g., PIV).
I'm working on the first one. I need more time to understand the implementation details and come up with a patch.
Once this issue is solved, I can continue to implement others like communication with YubiKey via PC/SC protocol, user interface, etc.
Thanks for waiting and for your support over these years. We are getting close.
Hi all, I have exciting news. Please see the PoC video.
https://user-images.githubusercontent.com/1270392/147910946-7e2c5dd6-72cd-4f43-a261-e23e3f4a7e85.mp4
@mssun this is great news! Thank you so much for making this work! Would yubikey also work through the USB-C/Lightning ports, or is it NFC only?
Finally, I can buy an iPhone. 🥳
Like others, my master private key is stripped from authentication and encryption keys and stored completely offline.
And then I have moved the sign/encrypt/auth the subkeys to a yubikey, which are also used for pass
Does the current implementation of your app support this case or do I have to put a non-stripped key on yubikey?
I am asking since in the video I did not see the app ask for a code to unlock the yubikey. If someone gets access to your yubikey, can they just scan it to read your passwords? (assuming your iphone is unlocked) Or does the app ask for a pin to unlock the key first?
Sweet! I've written this off as "we'll never see something that properly supports gnupg on yubikey on iOS". Now I see this video and I'm super excited about it.
Yayyyy, congrats @mssun and thanks a lot for the work you do 🙏
> Would yubikey also work through the USB-C/Lightning ports, or is it NFC only?
Yes. YubiKey 5Ci has lightning ports. I'm testing with YubiKey 5 NFC. I have both keys and will test them accordingly.
> I am asking since in the video I did not see app ask for a code to unlock the yubikey.
This is a prototype. I just hardcoded the PIN code. There should be a prompt for the PIN code when decrypting message.
> Does the current implementation of your app support this case or do I have to put a non-stripped key on yubikey.
Yes. I'm following this instruction (https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) to set up my experimental key. The "E" sub-key (encryption key) will be used to decrypt the message.
Wow @mssun this is amazing work! I was starting to lose all hope of this ever being done! I cannot wait to start testing this!!!
Is SSH authentication also possible? I keep my password-store on github, and as such, need to authenticate SSH using my gpg/yubikey. Currently this is how it works on my desktop machines (gpg-agent feeds SSH_AUTH_SOCK) and how pass works on android (it uses openkeychain to allow you to use your gpg yubikey to authenticate SSH connections for refreshing your password repository).
> Yes. I'm following this instruction (https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) to set up my experimental key. The "E" sub-key (encryption key) will be used to decrypt the message.
Wonderful news and great work, I just became (small) sponsor of you in github. Thanks 🙏 I can test it on iPad Air (in 2-3 weeks) if you'd like a tester for that.
> Is SSH authentication also possible? I keep my password-store on github, and as such, need to authenticate SSH using my gpg/yubikey. Currently this is how it works on my desktop machines (gpg-agent feeds SSH_AUTH_SOCK) and how pass works on android (it uses openkeychain to allow you to use your gpg yubikey to authenticate SSH connections for refreshing your password repository).
Yes, it's possible. Let me focus on the decryption first.
> I can test it on iPad Air (in 2-3 weeks) if you'd like a tester for that.
Thank you! I'll let you guys know when it's ready for testing.
I have uploaded an initial implementation of the YubiKey to the TestFlight (version 0.13.0 (2)).
Setup process:
- Settings -> PGP Key: select YubiKey
- Settings -> PGP Key: select any key source options, only fill in the public key, leave the private key empty.
To set up YubiKey, follow these instructions: https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP
Limitation: only RSA encryption is supported now in the current implementation.
There are still a lot of things that can be improved. Please comment in this thread for any suggestions. Thanks!
I joined the Testflight, but the version was 0.12.0 (62).
> I joined the Testflight, but the version was 0.12.0 (62).
I just checked. The version is waiting for review.
0.13.0 is now available :tada:
Thanks a lot for this feature!
I just tried it, and I could set up the public key, and use it to encrypt messages (I was able to decrypt the message on GnuPG in my laptop). However, when trying to decrypt the message on the app, I got an error saying that it "failed to select application". The encryption key is an rsa2048 and in a YubiKey 5 NFC.
Edit: and using iPhone 12 pro Max with iOS 15.1.1.
Great work! I tested this and ran into a compatibility problem with different yubikeys. I have two yubikeys (well, several) that all have the same RSA4096 subkeys on them.
I have a yubikey 5 NFC (USB-A with NFC) and a yubikey 5C (usb-c with NFC). The regular USB-A one doesn't work, and always results in a "Failed to execute dicipher" error.
The 5C version works successfully every time!
If I put these in my computer and run gpg --card-status I can see that the "version" (the burned firmware openPGP applet version on the yubikey itself) is 2.1 for the USB-A version and 3.4 for the 5C version. So perhaps there are some protocol differences you are not accounting for between an older yubikey and the most recent ones? This would be for the openPGP applet on the card itself, and I know there were lots of other changes between those versions, such as the additional feature to encrypt with secp256k1 and ed25519 keys, and a signing counter was added as well.
Also, might I suggest that the pin code have the option to be cached for a duration. It gets old typing it in every time during testing of this.
Thanks again for your efforts on this!
I have tested with YubiKey 5C NFC with rsa4096 key. I don't have a YubiKey 5 NFC at hand right now. @SoilRos @Logicwax, I think both of you have issues with the YubiKey 5 NFC. The weird thing is that one has the "selecting application" error and the other has the "decipher" error.
Since Yubico doesn't document this, thought I'd post it here: Not all supported iPhones support the Yubikey NFC. I'm not sure of the entire support matrix, but my iPhone SE (1st Gen, running iOS 15) doesn't support the NFC Key. Support recommended me to upgrade to the 5Ci.
I'm using an iPhone SE (second one) and it works with my Yubikey 5 NFC Version 3.4 and rsa4096 keys.
@mssun, thank you for your work on supporting NFC keys in Pass for iOS! This is appreciated.
I've constantly got a "Failed to execute dicipher" error with my Yubikey 5 NFC key, until I connected it to my mac and enabled all NFC applications with:
ykman config nfc -a
After this iPhone started to see Yubikey as NFC tag (one of the applications) and the beta version of Pass started to work.
After this, I disabled all apps except OpenPGP and PIV.
ykman config nfc -d FIDO2
ykman config nfc -d U2F
ykman config nfc -d OATH
ykman config nfc -d OTP
And it is still working for me.
Works perfectly for me first time with a Yubikey 5 NFC + iPhone X.
It would be a nice addition to have a setting to keep the PIN number in memory while the app is open so that opening multiple passwords during the same session doesn't prompt for the PIN multiple times.
> @mssun, thank you for your work on supporting NFC keys in Pass for iOS! This is appreciated.
> I've constantly got a "Failed to execute dicipher" error with my Yubikey 5 NFC key, until I connected it to my mac and enabled all NFC applications with:
> ykman config nfc -a
> After this iPhone started to see Yubikey as NFC tag (one of the applications) and the beta version of Pass started to work.
> After this, I disabled all apps except OpenPGP and PIV.
> ykman config nfc -d FIDO2
> ykman config nfc -d U2F
> ykman config nfc -d OATH
> ykman config nfc -d OTP
> And it is still working for me.
Yes, I forgot to mention that you have to enable OpenPGP for NFC using ykman CLI or YubiKey Manager first.
- ykman CLI: https://developers.yubico.com/yubikey-manager/
- GUI: https://developers.yubico.com/yubikey-manager-qt/
Getting "Failed to get encrypted MPI" on my iphone8+ with a YK 5 NFC.
> Getting "Failed to get encrypted MPI" on my iphone8+ with a YK 5 NFC.
Hi @qbit, what's your key crypto algorithm?
rsa4096
yubikey firmware is: 5.1.1
@mssun That's right, I forgot to activate it. Activating the OpenPGP solves my issue with the "application" error and now I get the same as @Logicwax i.e. I get the "decipher" error.
Hi,
After some testing, I've found that Yubikeys with KDF enabled for OpenPGP will always fail with "incorrect PIN" error.
Disabling KDF solves this issue at this time, although an unsuspecting user may not realize that is the issue.
I've also found that users who have multiple encryption subkeys and use Unix pass & pass for iOS will encounter issues in some cases.
If these users init pass with subkeys only, the yubikey they use with pass for iOS must use the first key in the init list.
Correct Unix pass setup: pass init yubikey1-subkey! yubikey2-subkey! offline-subkey!
Incorrect setup: pass init offline-subkey! yubikey2-subkey! yubikey1-subkey!
In the incorrect case, pass for iOS can encrypt new passwords correctly, and will be able to read passwords encrypted by itself. It will not be able to decrypt passwords encrypted by Unix pass.
Unix pass will be able to decrypt passwords encrypted by pass for iOS, as long as the same Yubikey used by pass for iOS is present.
My guess is that pass for iOS tries to decrypt the first packet only (meant for offline-subkey in this case). Unix pass will try to decrypt each packet sequentially until it arrives at one that works or corresponds to a plugged in Yubikey.
For encrypting, Unix pass will encrypt with all keys, and pass for iOS will encrypt with the yubikey key only.
Alternatively, if the user does not use subkeys in Unix pass, and uses User IDs (ex. "pass init [email protected]") the latest encryption key must be loaded into the yubikey used for decrypting in pass for iOS. Otherwise passwords encrypted by Unix pass cannot be read by pass for iOS.
Setups with multiple subkeys aren't common in normal gpg or pgp use, but they become a bit more common when using Yubikeys, especially when following online yubikey setup tutorials and having backup keys [https://github.com/drduh/YubiKey-Guide]
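The multi-recipient case described in the comment above, as an added example (not code from Pass for iOS or gopenpgp): it lists the recipient key IDs of an OpenPGP message and compares the "first packet only" selection the commenter guesses at with a selection that matches the card's key. It also reports the encrypted-data packet type, which is the SymmetricallyEncrypted versus AEADEncrypted distinction raised in the earlier gopenpgp comment. The key IDs, the sample message and all function names are constructed for illustration, and the first-only behaviour is the commenter's guess, not confirmed app behaviour.

```python
import struct

TAG_PKESK = 1                                    # Public-Key Encrypted Session Key
DATA_TAGS = {9: "SED", 18: "SEIPD", 20: "AEAD"}  # encrypted-data packet tags
WILDCARD = "0" * 16                              # hidden recipient (--throw-keyids)


def read_header(buf, pos):
    """Return (tag, body_length or None, body_start) for the packet at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                             # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, o1, pos + 2
        if o1 < 224:
            return tag, ((o1 - 192) << 8) + buf[pos + 2] + 192, pos + 3
        if o1 == 255:
            return tag, struct.unpack(">I", buf[pos + 2:pos + 6])[0], pos + 6
        return tag, None, pos + 2                # partial body length (streamed)
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 3:
        return tag, None, pos + 1                # indeterminate length
    size = 1 << ltype                            # 1, 2 or 4 length octets
    length = int.from_bytes(buf[pos + 1:pos + 1 + size], "big")
    return tag, length, pos + 1 + size


def recipients(message):
    """Return (PKESK key IDs in message order, encrypted-data packet name)."""
    key_ids, pos = [], 0
    while pos < len(message):
        tag, length, start = read_header(message, pos)
        if tag in DATA_TAGS:                     # PKESKs always precede the data
            return key_ids, DATA_TAGS[tag]
        if length is None:
            raise ValueError("streamed packet before the encrypted data")
        body = message[start:start + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        if tag == TAG_PKESK:
            if len(body) < 10 or body[0] != 3:
                raise ValueError("only version 3 PKESK packets handled here")
            key_ids.append(body[1:9].hex().upper())
        pos = start + length
    return key_ids, None


def pick_first_only(key_ids, card_key_id):
    """Selection guessed at in the thread: only the first PKESK is considered."""
    return 0 if key_ids and key_ids[0] == card_key_id else None


def pick_matching(key_ids, card_key_id):
    """Prefer the PKESK addressed to the card's key, else a hidden recipient."""
    if card_key_id in key_ids:
        return key_ids.index(card_key_id)
    if WILDCARD in key_ids:
        return key_ids.index(WILDCARD)           # has to be tried on the card
    return None


def make_packet(tag, body):
    """Constructed-sample helper: new-format packet, one-octet length."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body


def make_pkesk(key_id_hex):
    # version 3, 8-byte key ID, algorithm 1 (RSA), dummy 16-bit MPI
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x10\xbe\xef"
    return make_packet(TAG_PKESK, body)


# Constructed key IDs, ordered like "pass init offline-subkey! yubikey2-subkey! yubikey1-subkey!"
OFFLINE, YUBI2, YUBI1 = "1111111111111111", "2222222222222222", "3333333333333333"
SAMPLE = (make_pkesk(OFFLINE) + make_pkesk(YUBI2) + make_pkesk(YUBI1)
          + make_packet(18, b"\x01" + b"\x00" * 8))

if __name__ == "__main__":
    ids, data_type = recipients(SAMPLE)
    print("recipients:", ids, "data packet:", data_type)
    print("first-only selection:", pick_first_only(ids, YUBI1))
    print("matching selection  :", pick_matching(ids, YUBI1))
```

On a real file, `gpg --list-packets` shows the same recipient order and packet types.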
Tried with a Yubikey 5C NFC on an iPad Pro.
~~Seems I can't save my public key 🤔 It doesn't like it from the URL nor when pasted~~ Solved: the ! was important for the export 🤷
The app just crashes after entering the password (regardless of the password being correct 🤔). Could it be because I have the Yubikey set up to require a touch for decryption? Or possibly because of the USB-C restrictions?
Anything I can check to help debug?
(my setup works fine on macOS and Android)
> I've constantly got a "Failed to execute dicipher" error with my Yubikey 5 NFC key, until I connected it to my mac and enabled all NFC applications
Before I go down this route and try this, I should note my yubikey 5 NFC works fine with my android phone with Pass (using NFC of course). So I know NFC is enabled for GPG access at the very least.
@john-aperture I noticed this too, I get an error with any passwords encrypted to multiple GPG keys.
@mssun Here's an idea for a feature to include: on android openkeychain, I noticed that when setting it up new from a fresh install it has the ability to pull public key from the URL installed on my yubikey. So I was able to just hold my NFC yubikey up to the phone and it was able to grab my public key from the URL and automatically set it to that. Very very useful!
> 0.13.0 is now available :tada:
Are these binaries published anywhere? My region's app store only gives me 0.12.0
> > 0.13.0 is now available :tada:
> Are these binaries published anywhere? My region's app store only gives me 0.12.0
It is not available yet on the standard app store. You should be able to install it from Testflight.
Opening the app installed from Testflight on an iPad Air (4th generation) running iOS 15.3.1 immediately crashes!
I'm trying. I set up a gogs server just for this, because I don't really want to put all my passwords onto github (even encrypted). Pass won't work with http?!? so I can't get by with using gogs only at home on my own wifi. Had to set up nginx as a reverse proxy with a letsencrypt certificate on a public domain too, because of that.
Next, needing authentication for my git repo is a chicken-egg problem: https is a pain (I need a password, which is why I want a password manager, but can't use it to store the password for its own git repo), and ssh ought to be using the yubikey too. (I use gpg-agent on my Linux systems to make that work.) But ok, I had to enter the password a bunch of times by hand just to get the repository set up. It was an empty repo, and I got some unintuitive error and had to create a dummy file. Then it wanted a .gpg-id, so I committed the one from my ~/.password-store/ into the git repo, and finally it's happy to let that repo exist.
Next, I'm having trouble importing the public key corresponding to the yubikey. I am not using subkeys and don't really understand how; perhaps I should be, but I don't have any, and there is no key-ID for the [E] key:
$ gpg --list-keys
/home/rutledge/.gnupg/pubring.kbx
---------------------------------
pub rsa2048 2016-09-05 [SC]
31EE016EE634BAE383048CB88FC20CD606533196
uid [ultimate] ecloud <[email protected]>
sub rsa2048 2016-09-05 [E]
sub rsa2048 2018-05-28 [A]
$ gpg --export -a 31EE016EE634BAE383048CB88FC20CD606533196 > yubi.pub
and then I use mobius-sync to get that file onto the iphone, and then try to select it in the testflight app. It says simply Error: Cannot import the key.
> I have uploaded an initial implementation of the YubiKey to the TestFlight (version 0.13.0 (2)).
> Setup process:
> - Settings -> PGP Key: select YubiKey
> - Settings -> PGP Key: select any key source options, only fill in the public key, leave the private key empty.
I installed the beta version a month ago and it worked perfectly for me. The beta has now expired from testflight so was automatically uninstalled for me (see #553).
Thanks as always for your work on this @mssun. Is there anything I can do to help get the beta refreshed or get this merged into a mainline release?
@mssun, could you, please, release the new version of the mainstream app that includes this awesome feature?
I also get the Failed to execute dicipher error. I have NFC enabled for all applications. I have the YubiKey+Public PGP key as mentioned by @mssun. I have YubiKey 5C NFC with firmware 5.4.3. My keys are encrypted with rsa4096 and I more or less followed this guide to set it up. I thought the problem might be because I have touch requirements on my YubiKey, but when removing the touch requirements, it still does not work. Does anyone have another suggestion that I could try to get it to work?
@mssun Thank you btw for an amazing app!
@mssun any update on this feature? A proper pass client for iOS with Yubikey support is what's stopping me from migrating to iOS.
I tested the TestFlight beta, works great already!
rsa4096 + iPhone 12
> > @mssun any update on this feature? A proper pass client for iOS with Yubikey support is what's stopping me from migrating to iOS.
> I tested the TestFlight beta, works great already!
> rsa4096 + iPhone 12
Does it work with NFC for you, you mean?
Tested ok with yubikey 5 and yubikey neo on ios 15.4.1 and rsa4096 key via RFC. Good work!
I have pasted the public key and selected Yubikey for the private key. Every time, I am asked for the Yubikey PIN, but when I enter the PIN (normally used for accessing the PASS app) a decoding error is raised. When I insert the key into the Mac, error attempts are counted (I have set 5 attempts for the key).
I am able to use the pass application with the yubikey daily with a pair of keys.
Any thoughts from somebody on what I am doing wrong?
Usage of iOS 15/16, rsa4096, NFC
I tried again with the newer beta: now that ssh is supported, I got the git repo downloaded. But I'm also getting errors with the yubikey neo (only supports rsa2048): usually "Failed to execute decipher", but sometimes other errors. It's the same one I use every day with USB, and NFC works fine with it on Android too.
> I tried again with the newer beta: now that ssh is supported, I got the git repo downloaded. But I'm also getting errors with the yubikey neo (only supports rsa2048): usually "Failed to execute decipher", but sometimes other errors. It's the same one I use every day with USB, and NFC works fine with it on Android too.
wait, ssh is supported with yubikeys now?! How do you enable this? doesn't work for me.
As for the "Failed to execute decipher" problem, I get that if:
- I don't hold the key up to the upper right corner of my iPhone 13 pro (not the back, but literally has to be held up to the corner edge side almost touching it)
- if my yubikey isn't 3.4 GPG firmware.
- my .gpg-id file has multiple keys listed.
@mssun any chance we can have the pin# cached for the session, or maybe for a set amount of time? Having to keep typing it in every time is really annoying.
also, is there any planned support for gpg-yubikey-ssh support? openKeychain on android really rocks with this feature, as you can use your yubikey for the git repo syncing and the password decryption.
> > > @mssun any update on this feature? A proper pass client for iOS with Yubikey support is what's stopping me from migrating to iOS.
> > I tested the TestFlight beta, works great already! rsa4096 + iPhone 12
> Does it work with NFC for you, you mean?
Yes exactly. I also have multiple sub keys on the card and it works. It sometimes takes a few tries (getting unable to execute decipher) but in general it works.
> wait, ssh is supported with yubikeys now?! How do you enable this? doesn't work for me.
No I just meant that, as described in my comment on March 20, it seemed that this app only worked with https; but now I can clone the git repo directly from a machine at home on my wireless network using an ssh:// URL, which for my taste is more secure (and less convenient, in that I can only do git transactions at home): I don't need to maintain a git server, don't need to expose it outside the firewall, don't need to figure out how to get gogs working with letsencrypt or something like that. (I found out that a self-signed SSL certificate is also not accepted, predictably, if I have gogs generate its own.) So thanks mssun for adding git-over-ssh. But for now I only used a password for the ssh connection, didn't set up a separate ssh key for this (which I might do later, when this app is working well enough to use).
> As for the "Failed to execute decipher" problem, I get that if:
> 1. I don't hold the key up to the upper right corner of my iPhone 13 pro (not the back, but literally has to be held up to the corner edge side almost touching it)
Do you mean along the top edge, against the outer corner at a 45° angle, or up against the screen? Well I tried all three. I do have a case on the phone, I'm not going to take it off just for this; but it's not particularly thick, and doesn't cover the top edge either (the metal edge is exposed).
> 2. if my yubikey isn't 3.4 GPG firmware.
How do you check that, and is it possible to do something with it? I found
https://support.yubico.com/hc/en-us/articles/360013708760-YubiKey-Firmware-Is-Not-Upgradeable
> 3. my .gpg-id file has multiple keys listed.
That's not my case.
OK, I have tested properly today and my error after entering proper PIN is "Failed to verify PIN", when I write same pin on Mac everything works as expected. Any clues? Thanks!
"Failed to verify PIN" yeah I saw that error too, less often than "Failed to execute decipher".
> any chance we can have the pin# cached for the session, or maybe for a set amount of time?
I agree, that's a good idea, and also what the pass app on Android does. (Especially important if NFC will always be somewhat unreliable, so that we have to try decrypting multiple times...)
@mssun Could you please update the beta app with more verbose messages to be able to determine why the app responds with "Failed to verify PIN"? Or do you have any idea why this happened?