Windows helpers for GnuPG tools suite - OpenSSH, WSL 1, WSL2, Cygwin, MSYS2, Git4Windows, Putty...

Overview

win-gpg-agent

Simple set of tools to make working with GPG and SSH keys easier on Windows 10.


Windows 10 has an ssh-agent service (with support for persistence and Windows security) and I have been using it successfully for a while. However, there is another set of tools entirely: GnuPG. It implements ssh-agent functionality (with somewhat more flexibility than the original), supports smart cards, attempts to handle the identity aspects of security and sometimes must be used (for example to sign git commits on some projects). All of that works reasonably well on Linux.

Windows usage is a bit more problematic, as we have to deal with various non-cooperating pieces: GnuPG win32 binaries are somewhat deficient, and the OpenSSH port integrated into Windows 10 (console, terminal and all), the Cygwin/MSYS2 ssh tools, and WSL1 and WSL2 each add challenges with specific binaries and different lifetime management requirements. Ideally the Windows host should handle a single set of secured keys (SSH and GPG) while transparently providing the necessary interfaces to all other environments. This project aims to create a simple set of tools, to be combined with GnuPG binaries for Windows, that does exactly that.

DISCLAIMER When using the term GnuPG I am not referring to GPG4Win, but rather to the basic GnuPG tools built from the code base common to all platforms. GPG4Win includes this set (which could be extracted), but normally it is available from the GnuPG ftp site ftp://ftp.gnupg.org. It can also be installed using the chocolatey command choco install gnupg. So no wonderful KDE GUIs ported to Windows.

I am still learning the full scope of damage one could cause by using GnuPG tools and I am certainly no expert here.

If you are interested in basic guides on how to handle keys using GnuPG tools, the web is full of them and this project has nothing to do with that. This one is very good (albeit somewhat outdated). You could (and probably should) read the set of excellent posts by Simon Josefsson: blog_1 blog_2 blog_3. To put things in perspective and pick a more practical place for PGP tools overall, I strongly suggest studying this critique. It resonates a lot, especially after spending some time reading GnuPG code.

NOTE Eventually many pieces of functionality from this project will become obsolete. I am sure that gpg-agent on Windows will directly support the Windows OpenSSH server (T3883), Microsoft developers will finally decide how they want to handle security on Unix domain sockets and change the OpenSSH port accordingly, and many other wonderful things will happen. Until then we need specific translation layers to compensate for the deficiencies. Assuan S.gpg-agent.ssh support in GnuPG code is presently broken under Windows (at least in GnuPG 2.2.25), so we have to resort to the putty/pageant method instead (which today does not work in 64-bit GnuPG builds). And WSL2 requires an additional layer of translation (with socat on the Linux side and either a HYPER-V integration service or a helper on the Windows end), since AF_UNIX interop is not (yet? ever?) implemented for WSL2.

SECURITY NOTICE: All the usual security caveats applicable to WSL, SSH and GPG apply here. For example all interaction with the Win32 world happens with the credentials of the user who started the WSL environment. In practice, if you allow someone else to log in to your WSL environment remotely, they may be able to access the SSH keys stored in your gpg-agent. This is a fundamental feature of WSL; if you are not sure of what you're doing, do not allow remote access to your WSL environment (i.e. by starting an SSH server).

COMPATIBILITY NOTICE: tools from this project were tested on Windows 10 2004 with multiple distributions and should work on anything starting with 1809 (beginning with insider build 17063); they will not work on older versions of Windows 10, because the AF_UNIX socket support feature is required. I tested everything with "official" GnuPG Windows builds 2.2.25 and 2.2.26.

Installation

Download from the releases page and unpack it in a convenient location.

Usage

  1. Install GnuPG and make sure it works. Create/import keys, set up smart cards, etc.

  2. If you are using the Windows native ssh-agent, stop it. You may want to delete all keys from its vault, since you will keep those keys in the gpg vault instead:

	Stop-Service ssh-agent
	Set-Service -StartupType Disabled ssh-agent

  3. If you would like to use Cygwin/MSYS2 ssh tools (as is the case by default with Git4Windows), consider placing gui.openssh: cygwin in the agent-gui.conf file. NOTE that in any case you need to manage the SSH_AUTH_SOCK environment variable value on the Windows side: it has to point to the named pipe for Windows OpenSSH and to the Cygwin socket file for Cygwin/MSYS2 tools, and both sets use the same variable name.

  4. Run agent-gui.exe

Here is a diagram showing the simplified relationship between the parts: [diagram: protocol]

Unfortunately, due to the complexity of the environment it is difficult to provide a simple step-by-step guide. I will try to explain what each piece does (as they could be used separately from each other) and then provide an example setup.

There are presently 3 executables included in the set: agent-gui.exe, pinentry.exe and sorelay.exe

agent-gui.exe

GUI wrapper for gpg-agent

Version:
	1.0.0 (go1.15.6)

Usage: agent-gui.exe [-dh] [-c path]
 -c, --config=path  Configuration file [agent-gui.conf]
 -d, --debug        Turn on debugging
 -h, --help         Show help

It is a simple "notification tray" applet which manages the lifetime of gpg-agent.exe. When started it will

  • attempt to locate the GnuPG installation and start gpg-agent with the "proper" command line parameters.
  • make sure that gpg-agent uses pinentry.exe from the same directory where agent-gui.exe is.
  • make sure that it functions by communicating with it.
  • create AF_UNIX socket counterparts for the Assuan sockets from gpg-agent (except the "browser" and "ssh" ones) and handle the translation. I have no use for "browser", and S.gpg-agent.ssh presently does not work on Windows.
  • create and service a named pipe for Windows native OpenSSH.
  • create and service a Cygwin socket for the Cygwin/MSYS2 build of OpenSSH. Note that OpenSSH (native and Cygwin), the AF_UNIX ssh socket and the named pipe all use the pageant protocol to talk to gpg-agent.
  • set the environment variable SSH_AUTH_SOCK on the Windows side to point either to the pipe name, so native OpenSSH tools know where to go, or to the Cygwin socket file, to be used with Cygwin/MSYS2 ssh binaries.
  • create the WIN_GNUPG_HOME, WSL_GNUPG_HOME, WIN_AGENT_HOME and WSL_AGENT_HOME environment variables, setting them to point to the directories with Assuan sockets and AF_UNIX sockets, and register those variables with WSLENV for path translation. Basically WSL_* are paths on the Linux side and WIN_* are Windows ones. This way every WSL environment started afterwards will have the proper "unix" and "windows" paths available for easy scripting.
  • serve as a backend for the gclpr remote clipboard tool (NOTE: starting with v1.1.0 the gclpr server backend enforces protocol versioning and may require an upgrade of gclpr).

You can always see what is going on by clicking "Status" in the applet's menu.


Reasonable defaults are provided (but can be changed using a configuration file). The full path to the configuration file can be given on the command line; if not, the program will look for agent-gui.conf in the same directory as the executable. It is a YAML file with the following defaults:

gpg:
  install_path: "${ProgramFiles(x86)}\\gnupg"
  homedir: "${APPDATA}\\gnupg"
gui:
  debug: false
  setenv: true
  openssh: native
  ignore_session_lock: false
  deadline: 1m
  pipe_name: \\\\.\\pipe\\openssh-ssh-agent
  homedir: "${LOCALAPPDATA}\\gnupg"
  gclpr:
    port: 2850

Full list of configuration keys:

  • gpg.install_path - installation directory of GnuPG suite
  • gpg.homedir - will be supplied to gpg-agent on start as --homedir
  • gpg.gpg_agent_conf - if defined will be supplied to gpg-agent on start
  • gpg.gpg_agent_args - array of additional arguments to be passed to gpg-agent on start. No checking is performed.
  • gui.debug - turn on debug logging. Uses OutputDebugStringW - use Sysinternals debugview to see
  • gui.setenv - automatically prepare environment variables
  • gui.openssh - when the value is cygwin, set the environment variable SSH_AUTH_SOCK on the Windows side to point to the Cygwin socket file rather than the named pipe, so the Cygwin and MSYS2 ssh builds can be used instead of what comes with Windows 10.
  • gui.ignore_session_lock - continue to serve requests even if user session is locked
  • gui.pipe_name - full name of pipe for Windows OpenSSH
  • gui.homedir - directory to be used by agent-gui to create sockets in
  • gui.deadline - since the code which translates from Assuan sockets to AF_UNIX sockets has no understanding of the underlying protocol, it could leave a servicing goroutine hanging forever (e.g. if the client process died). This value specifies the inactivity deadline after which the connection will be collected.
  • gui.gclpr.port - server port for gclpr backend
  • gui.gclpr.line_endings - line ending translation for gclpr backend
  • gui.gclpr.public_keys - array of known public keys for gclpr backend

pinentry.exe

Pinentry program for GnuPG

        1.0.0 (go1.15.6)

Usage: pinentry.exe [-dh] [-c path] [--version]
 -c, --config=path  Configuration file [C:\Users\mike0\.wsl\pinentry.conf]
 -d, --debug        Turn on debugging
 -h, --help         Show help
     --version      Show version information

It is a pretty mundane pinentry implementation; I tried to follow everything I could find in the GnuPG documentation and pinentry code. Since it uses the Windows Credentials API to show GETPIN dialogs, a lot of the "visuals" from the pinentry protocol are either useless or cannot be easily implemented (timeouts, display settings, etc.).

I think it could be used as a pinentry replacement on Windows even without agent-gui (for example to be called from WSL gpg, if you decide to keep your vault there and ignore Windows GnuPG completely) to show proper GUI dialogs.


If you let it, it will save passwords in Windows Credential Manager as "Generic Credentials", providing a decent level of convenience and integration.


A configuration file is almost never needed, but just in case, the full path to a configuration file can be provided on the command line. If not, the program will look for pinentry.conf in the same directory as the executable. It is a YAML file with the following defaults:

gui:
  debug: false
  pin_dialog:
    delay: 300ms
    name: Windows Security
    class: Credential Dialog Xaml Host

  • gui.debug - turn on debug logging. Uses OutputDebugStringW; use Sysinternals debugview to see it
  • gui.pin_dialog.* - since gpg-agent starts pinentry, which in turn calls Windows APIs to show various dialogs, the resulting dialog is often left in the background because of timing. These parameters specify an artificial delay and the name/class of the window that will be forcefully brought into the foreground.

sorelay.exe

Socket relay program for WSL

        1.0.0 (go1.15.6)

Usage: sorelay.exe [-adh] [-c path] [--version] path-to-socket
 -a, --assuan       Open Assuan socket instead of Unix one
 -c, --config=path  Configuration file [C:\Users\mike0\.wsl\sorelay.conf]
 -d, --debug        Turn on debugging
 -h, --help         Show help
     --version      Show version information

This is a helper program along the lines of John Starks' npiperelay.exe. Put it somewhere on drvfs (so WSL interop can run it), combine it with socat on the WSL2 side, and you can easily convert both Windows Assuan and Windows AF_UNIX sockets into sockets on the WSL2 Linux end.

As an example (with proper paths), the following will translate a Windows side Assuan socket:

( setsid socat UNIX-LISTEN:/home/rupor/.gnupg/S.gpg-agent,fork EXEC:"${HOME}/winhome/.wsl/sorelay.exe -a c:/Users/mike0/AppData/Roaming/gnupg/S.gpg-agent",nofork & ) >/dev/null 2>&1

And this (with proper paths) will translate a Windows side AF_UNIX socket:

( setsid socat UNIX-LISTEN:/home/rupor/.gnupg/S.gpg-agent,fork EXEC:"${HOME}/winhome/.wsl/sorelay.exe c:/Users/mike0/AppData/Local/gnupg/S.gpg-agent",nofork & ) >/dev/null 2>&1

You really have to be on WSL2 for this to work. If you see errors like Cannot open netlink socket: Protocol not supported, you are probably under WSL1 and should just use the AF_UNIX sockets directly. Run wsl.exe -l --all -v to check what is going on. When on WSL2, make sure that socat is installed and that sorelay.exe is on a Windows partition and the path is right.

A configuration file is never needed, but just in case, the full path to a configuration file can be provided on the command line. If not, the program will look for sorelay.conf in the same directory as the executable. It is a YAML file with the following defaults:

gui:
  debug: false

Example

Putting it all together nicely. "Remote" here refers to your WSL shell or some other box or virtual machine you can ssh to. The goal is a setup which can be used the same way in different Linux instances with minimal changes and customization, be it a native Linux install, something I ssh into or a WSL distro. We should be able to use a small set of safely stored private keys and forward both gpg and ssh everywhere with minimal complexity (at least it should be manageable).

For my WSL installations I always create ~/winhome and link it to my Windows home directory (where I have a .wsl directory with various interoperability tools from the Windows side). I am assuming that gclpr is in your path on the remote and that you installed its Windows counterpart somewhere in a drvfs location (~/winhome/.wsl is a good place).

I auto-start agent-gui.exe on logon on my Windows box; no special customization is needed (except for gclpr public keys from the various locations I would like to share my clipboard with).

In my .bashrc I detect what I have and where it runs using code like this:

    # detect what we have
    if [ "$(uname -a | grep -c "Microsoft")" -eq 1 ]; then
        export ISWSL=1 # WSL 1
    elif [ "$(uname -a | grep -c "microsoft")" -eq 1 ]; then
        export ISWSL=2 # WSL 2
    else
        export ISWSL=0
    fi

    if [ "${ISWSL}" -eq 1 ]; then
        # WSL 1 could use AF_UNIX sockets from Windows side directly
        # (quote the variable: an unquoted empty value makes "[ -n ]" succeed)
        if [ -n "${WSL_AGENT_HOME}" ]; then
            export GNUPGHOME="${WSL_AGENT_HOME}"
            export SSH_AUTH_SOCK="${WSL_AGENT_HOME}/S.gpg-agent.ssh"
        fi
    elif [ "${ISWSL}" -eq 2 ]; then
        # WSL 2 requires socat to create sockets on the Linux side and sorelay on the Windows side to interop
        if [ ! -d "${HOME}/.gnupg" ]; then
            mkdir "${HOME}/.gnupg"
            chmod 0700 "${HOME}/.gnupg"
        fi
        if [ -n "${WIN_GNUPG_HOME}" ]; then
            # setup gpg-agent socket (colons in the Windows path are escaped for socat)
            _sock_name="${HOME}/.gnupg/S.gpg-agent"
            if ! ss -a | grep -q "${_sock_name}"; then
                rm -f "${_sock_name}"
                ( setsid socat UNIX-LISTEN:${_sock_name},fork EXEC:"${HOME}/winhome/.wsl/sorelay.exe -a ${WIN_GNUPG_HOME//\:/\\:}/S.gpg-agent",nofork & ) >/dev/null 2>&1
            fi
            # setup gpg-agent.extra socket
            _sock_name="${HOME}/.gnupg/S.gpg-agent.extra"
            if ! ss -a | grep -q "${_sock_name}"; then
                rm -f "${_sock_name}"
                ( setsid socat UNIX-LISTEN:${_sock_name},fork EXEC:"${HOME}/winhome/.wsl/sorelay.exe -a ${WIN_GNUPG_HOME//\:/\\:}/S.gpg-agent.extra",nofork & ) >/dev/null 2>&1
            fi
            unset _sock_name
        fi
        if [ -n "${WIN_AGENT_HOME}" ]; then
            # and ssh-agent socket
            export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
            if ! ss -a | grep -q "${SSH_AUTH_SOCK}"; then
                rm -f "${SSH_AUTH_SOCK}"
                ( setsid socat UNIX-LISTEN:${SSH_AUTH_SOCK},fork EXEC:"${HOME}/winhome/.wsl/sorelay.exe ${WIN_AGENT_HOME//\:/\\:}/S.gpg-agent.ssh",nofork & ) >/dev/null 2>&1
            fi
        fi
    else
        : # Do whatever -- this is real Linux
    fi

My .ssh/config entries used to ssh to remote have port forwarding enabled for gclpr:

RemoteForward 2850 127.0.0.1:2850

On remote my tmux.conf includes following lines:

# --- clipboard -------------------------------------------------------------------
set -g set-clipboard off
if-shell '[ -n "${WSL_DISTRO_NAME}" ]' \
  'bind-key -T copy-mode-vi Enter send-keys -X copy-pipe-and-cancel "~/winhome/.wsl/gclpr.exe copy" ; bind-key -T copy-mode-vi MouseDragEnd1Pane send-keys -X copy-pipe-and-cancel "~/winhome/.wsl/gclpr.exe copy"' \
  'bind-key -T copy-mode-vi Enter send-keys -X copy-pipe-and-cancel "gclpr copy" ; bind-key -T copy-mode-vi MouseDragEnd1Pane send-keys -X copy-pipe-and-cancel "gclpr copy"'

And my neovim configuration file init.vim on remote has following lines:

set clipboard+=unnamedplus
if has("unix")
	" ----- on UNIX ask gclpr to translate line-endings
	if empty($WSL_DISTRO_NAME)
		if executable('gclpr')
			let g:clipboard = {
				\   'name': 'gclpr',
				\   'copy': {
				\      '+': 'gclpr copy',
				\      '*': 'gclpr copy',
				\    },
				\   'paste': {
				\      '+': 'gclpr paste --line-ending lf',
				\      '*': 'gclpr paste --line-ending lf',
				\   },
				\   'cache_enabled': 0,
				\ }
		endif
	else
		" ---- we are inside WSL - reach out to the Windows side
		if executable($HOME . '/winhome/.wsl/gclpr.exe')
			let g:clipboard = {
				\   'name': 'gclpr',
				\   'copy': {
				\      '+': $HOME . '/winhome/.wsl/gclpr.exe copy',
				\      '*': $HOME . '/winhome/.wsl/gclpr.exe copy',
				\    },
				\   'paste': {
				\      '+': $HOME . '/winhome/.wsl/gclpr.exe paste --line-ending lf',
				\      '*': $HOME . '/winhome/.wsl/gclpr.exe paste --line-ending lf',
				\   },
				\   'cache_enabled': 0,
				\ }
		endif
	endif
endif

Using SSH and Linux you can remote the GnuPG extra socket as far as you want by adding something like this to your .ssh/config where you need it:

RemoteForward /home/rupor/.gnupg/S.gpg-agent /home/rupor/.gnupg/S.gpg-agent.extra

Just follow this guide. It will allow you to sign your git commits everywhere using a single private key while keeping it in a single safe place (like a smart card). You will still have to distribute and import the public key in multiple places, which may be inconvenient but should be secure. You could read a bit more on that.

Credits

Icons used are downloaded from Icon Archive; they all allow free non-commercial use and are copyrighted by their authors.

Comments
  • Forward SSH key to Git4Windows

    Hello,

    thanks for this project. I was first using wsl-ssh-pageant directly which you linked in your "Thanks" section, but your project seems to be more integrated and can be called directly without any hack to prevent empty console windows. Using it as a drop-in replacement works fine, however, git is still unable to pick up my key from CMD/PowerShell/Git Bash as it is not using the correct environment variable when it uses the ssh executable that comes with git. I have managed to get it to work by setting the following: GIT_SSH_COMMAND="C:\\Windows\\System32\\OpenSSH\\ssh" Can this variable get added to the program or is this the wrong place to look and I have something else to configure?

    Thanks in advance

    enhancement question 
    opened by internetfreak 13
  • Randomly fails over time.

    I tried the win-gpg-agent-relay script by calling it with foreground. In my observation, it randomly fails over time. When it fails, manually opening sorelay.exe from wsl hangs forever, instead of giving a "Single path to socket should be specified as positional argument, we have 0 parameters instead" prompt.

    Opening other windows EXEs like wsl.exe and notepad.exe from wsl works like a charm. Is this a bug of sorelay, or a bug of calling exe in wsl?

    question 
    opened by leoleoasd 12
  • agent-gui doesn't find gpg-agent sockets

    I've detected this problem with the latest version of win-gpg-agent and version 2.3.2 of GnuPG. The socket files are no longer created in ${APPDATA}/gnupg but inside ${LOCALAPPDATA}/gnupg. agent-gui passes ${APPDATA}/gnupg as homedir to gpg-agent and expects the agent to create the socket files there. But this version uses LOCALAPPDATA, so agent-gui exits.

    PS C:\Users\alberto\Downloads\win-gpg-agent> gpgconf --list-dirs
    sysconfdir:C%3a\ProgramData\GNU\etc\gnupg
    bindir:C%3a\Program Files (x86)\gnupg\bin
    libexecdir:C%3a\Program Files (x86)\gnupg\bin
    libdir:C%3a\Program Files (x86)\gnupg\lib\gnupg
    datadir:C%3a\Program Files (x86)\gnupg\share\gnupg
    localedir:C%3a\Program Files (x86)\gnupg\share\locale
    socketdir:C%3a\Users\alberto\AppData\Local\gnupg
    dirmngr-socket:C%3a\Users\alberto\AppData\Local\gnupg\S.dirmngr
    keyboxd-socket:C%3a\Users\alberto\AppData\Local\gnupg\S.keyboxd
    agent-ssh-socket:C%3a\Users\alberto\AppData\Local\gnupg\S.gpg-agent.ssh
    agent-extra-socket:C%3a\Users\alberto\AppData\Local\gnupg\S.gpg-agent.extra
    agent-browser-socket:C%3a\Users\alberto\AppData\Local\gnupg\S.gpg-agent.browser
    agent-socket:C%3a\Users\alberto\AppData\Local\gnupg\S.gpg-agent
    homedir:C%3a\Users\alberto\AppData\Roaming\gnupg
    PS C:\Users\alberto\Downloads\win-gpg-agent>


    [12040] [agent-gui] Executing: C:\Program Files (x86)\gnupg\bin\gpg-agent.exe --homedir C:\Users\alberto\AppData\Roaming\gnupg --ssh-fingerprint-digest SHA256 --use-standard-socket --enable-ssh-support --enable-putty-support --pinentry-program C:\Users\alberto\Downloads\win-gpg-agent\pinentry.exe --daemon
    [12040] [agent-gui] Forcefully killing gpg-agent

    enhancement question 
    opened by aluki 10
  • Authentication fails if more than 1 smart card is connected

    Hi,

    I am using a Windows Virtual Smartcard that is backed by my TPM and stores the client key for my OpenVPN tunnel. And I am using a ReinerSCT smartcard reader with an OpenPGP card to authenticate with win-gpg-agent on my SSH server. If I use them in isolation everything works great. But if I have both of those smart card readers connected then:

    the agent only finds one key, which is refused by the SSH server.

    Only if I manually disable the Virtual Smartcard through the device manager, which as far as I can tell is a whole virtual reader, does the agent find 2 keys, and one of them is accepted by the SSH server.

    I would ask that the win-gpg-agent can be configured as to which reader/smart card it should use. And if that is not possible, it should query all readers/smart cards for valid keys and present all of them to the SSH server in expectation that one of them is authorized to authenticate.

    enhancement invalid wontfix 
    opened by kwinz 8
  • After winget installation of gnupg win-gpg-agent to finding gnupg sockets (No systray for agent-gui)

    Hello,

    When launching agent-gui.exe, I have no systray icon nor do I have any error popping up. I tried launching it with the '-d' option but no logs whatsoever.

    From the process manager, I see the 'GUI wrapper for gpg-agent' for a few seconds before it disappears.

    EDIT: using release 1.3.2 from release zip

    enhancement question 
    opened by Nimamoh 8
  • "sign_and_send_pubkey: signing failed: agent refused operation" when waking the PC from sleep

    Hello,

    I am using your tool since I discovered it without any big issues. However, because I am always putting my PC to sleep when I'm done for the day I have noticed something which I didn't report yet (See reason below). After waking up the PC from sleep, the program is still running and working but the first ssh session I am trying to open afterwards always fails with this error message:

    sign_and_send_pubkey: signing failed: agent refused operation

    If I retry connecting, then the pinentry dialog pops up and after entering my master password I can connect to ssh just fine, every other session also works without any error (side question: Is it supposed to never ask for my pin even though I have set

    default-cache-ttl 7200 max-cache-ttl 28800

    in my gpg-agent.conf? If not, I'll open another report to track.)

    I don't know exactly if it's due to your tool or something within gnupg, that's why I haven't reported it although I encountered that problem for weeks now.

    Thanks for your answer in advance

    question 
    opened by internetfreak 7
  • Setting up gpg-agent remoting from Windows to Linux over SSH

    I tried following your instructions, however I not only managed to "screw up" one of my remote ends. A reboot may solve the issue, but multiple people are using said machine and I don't have the luxury of rebooting it any time.

    In the spirit of minimal dependencies I wish to use the built-in OpenSSH of Windows (which has served me well thus far). I have disabled the ssh-agent service I had previously and registered a scheduled task for running gpg-agent-gui.exe which starts fine. The config file I put beside it reads:

    PS C:\Users\mate> gc C:\Kellekek\WinGpgAgent\agent-gui.conf

    gpg:
      install_path: "C:\\Kellekek\\GnuPG"
      homedir: "${APPDATA}\\gnupg"
    gui:
      debug: false
      setenv: true
      openssh: native
      ignore_session_lock: false
      deadline: 1m
      pipe_name: "\\\\.\\pipe\\openssh-ssh-agent"
      homedir: "${LOCALAPPDATA}\\gnupg"
      extra_port: 2850
    

    On my local (Windows) box, gpg signature works without password prompt, as it had been remembered.

    PS C:\Users\mate> "" | gpg --clearsign
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    
    -----BEGIN PGP SIGNATURE-----
    ...
    -----END PGP SIGNATURE-----
    

    In my SSH config file I have an entry which reads

    host my_fav_host
            Hostname my_fav_host
            User mate
            ForwardX11 no
            IdentityFile ~/.ssh/id_rsa
            ForwardAgent yes
            AddKeysToAgent yes
            RemoteForward /run/user/1001/gnupg/S.gpg-agent C%3a/Users/mate/AppData/Roaming/gnupg/S.gpg-agent.extra
    

    The formatting of the local socket is as such because this is how gpgconf reports it.

    PS C:\Users\mate> gpgconf
    gpg:OpenPGP:C%3a\Kellekek\GnuPG\bin\gpg.exe
    gpg-agent:Private Keys:C%3a\Kellekek\GnuPG\bin\gpg-agent.exe
    ...
    

    Having C: in the path results in errors while trying to forward the agent.

    After I connect to the remote machine, I tried to conjure the proper socat incantation, but could not figure what should it be. The example at the end of the README uses WSL, hence it uses localhost:2850 (in the case of my config file), but how on earth would this yield meaningful results in the context of a properly remote Linux node? The sorelay sample invocation where the components are described also assume WSL usage, since it invokes sorelay through the winhome folder which only exists when the local end is Linux, not Windows. I tried the following paraphrase of things in the README:

    (socat UNIX-LISTEN:/home/mate/.gnupg/S.gpg-agent,fork EXEC:"c:/Kellekek/WinGpgAgent/sorelay.exe c:/Users/mate/AppData/Roaming/gnupg/S.gpg-agent.extra",nofork &) >/dev/null 2>&1
    

    However now when I try to list my secret keys or sign something, it sees no secret keys. Previously before issuing the socat command I had at least broken pipe error messages, indicating it wanted to use the agent, but couldn't. Unfortunately I found no traces of how to undo the effect of socat (or previous attempts that is).

    I'm not a total sysadmin noob, but this level of network sorcery is beyond my comfort zone. However working Linux remotes from a Windows devbox is a constant, and I wanted to improve my dev UX of having to deploy my private keys remotely and unlocking them from the command-line by setting GPG_TTY and relying on the unlock timeout to not have to enter passphrases constantly.

    (ps.: is there a way to relate the GnuPG:PinGO=n/...... entries in the Credential Store to GPG key IDs?)

    question 
    opened by MathiasMagnus 7
  • pinentry.exe always shows prompts in the background

    Several times, I've done a check-in, then gone on with some other task not noticing that there's a pop-up hidden, waiting for my PIN. Signed commits are new to me, so I'm not used to having to do that.

    I know almost nothing about golang. This project is the first time I've even looked at golang source code, so take what I say with a grain of salt.

    I see in credui.go that you call win.SetForegroundWindow. I assume that your win.FindWindow works. I can't spare the time to figure out how to debug golang right now (sorry).

    I did find a couple of articles that might help. The problem might be that the process that launches pinentry.exe is not in the foreground. If it's not a GUI app, then this may not be practical to solve.

    https://github.com/skratchdot/open-golang/issues/16#issuecomment-693687428 https://stackoverflow.com/a/19136480/645431

    question 
    opened by jamiehankins 7
  • Distribution via scoop?

    This is a great project! Works well for me and resolves my biggest complaints with the gpg-agent shipped with GnuPG. Any thoughts on distributing this via the scoop package manager? Since scoop provides a vanilla (i.e. not gpg4win) installation of GPG, I think this would fit well in that repository. I'd gladly work toward setting it up on there if you would like!

    enhancement question 
    opened by LostLaplace 7
  • Can't connect from Windows ssh (Native or Cygwin)

    Hi,

    I have been using win-gpg-agent for a while. I recently updated to Windows 11 (might be the issue?), and I can no longer use either the built-in Windows SSH or the Git version and successfully auth.

    I tried updating to the latest version, but that gave me lots of trouble. I eventually installed gnupg via winget to get the latest version (rather than gpg4win) and now win-gpg-agent launches correctly. It works via WSL2 no problem. Putty also works. But SSH does not.

    I have enabled debugging and all I get is either:

    [36016] [agent-gui] [1635011577701496000] Accepted request from \\.\pipe\openssh-ssh-agent
    [36016] [agent-gui] [1635011577701496000] SSH handler returned error: EOF

    or

    [27764] [agent-gui] [1635011680847994800] Accepted request from C:\Users\adam.RGSDOMAIN\AppData\Local\gnupg\agent-gui\S.gpg-agent.ssh.cyg
    [27764] [agent-gui] [1635011680847994800] SSH handler returned error: EOF

    Depending on whether I have gpg-win-agent set to native (and use ssh.exe in the windows\system32\openssh folder) or set to cygwin (and use ssh.exe in git\usr\bin)

    Please let me know if there's anything I can provide to help with debugging, as the above doesn't feel like much to go on, but it's all I have managed to figure out after banging my head against a wall for hours.

    question 
    opened by BadAd84 6
  • win-gpg-agent-relay can't work when the ssh-agent has no identities

    I use the Yubikey to store my private key, when I don't insert it into my computer, ssh-add -L will exit with code 1 because there is no private key in gpg.

    https://github.com/rupor-github/win-gpg-agent/blob/9ba9d9408bb8e969f0d0a9ba91905381c1440f7e/docs/win-gpg-agent-relay#L194

    Your script will exit in this case, is there a better way to check ssh agent?

    Thanks!

    enhancement question 
    opened by Editst 4
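A check that answers the question raised in this issue, added here as an example and not code from win-gpg-agent-relay: ssh-add exits 0 when it lists identities, 1 when the agent answers but holds no identities (the removed-Yubikey case), and 2 when no agent can be contacted, so a relay script should treat 0 and 1 as "agent is up" and only 2 (or a missing binary) as "agent is down". The SSH_ADD_CMD variable is an assumed hook, introduced only so the function can be exercised with a stub; the project's script does not have it.

```shell
#!/bin/sh
# Added example, not part of win-gpg-agent-relay.
# Distinguish "agent reachable but empty" from "agent unreachable" using
# ssh-add's documented exit codes:
#   0 = identities listed, 1 = agent has no identities, 2 = cannot contact agent.

# Assumed hook: lets the check run against a stub instead of the real ssh-add.
SSH_ADD_CMD="${SSH_ADD_CMD:-ssh-add}"

# Prints one word: ready | empty | down.
# Always exits 0, so it is safe to call from a script running under set -e,
# where a bare "ssh-add -L" returning 1 would abort the whole script.
ssh_agent_state() {
    # Capture the status through an if-branch; this does not trip set -e.
    if "$SSH_ADD_CMD" -l >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0) echo ready ;;
        1) echo empty ;;   # agent answered, no keys loaded (e.g. card removed)
        *) echo down ;;    # 2 = no agent; 127 = ssh-add not installed
    esac
}

# Returns 0 when the agent answers (with or without keys), 1 when it does not.
# This is the condition a relay script should gate on, not "ssh-add -L" alone.
ssh_agent_reachable() {
    case "$(ssh_agent_state)" in
        ready|empty) return 0 ;;
        *) return 1 ;;
    esac
}
```

Source the snippet and call ssh_agent_reachable where the relay currently tests ssh-add -L; an "empty" state then keeps the relay running and only a "down" state triggers a restart.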
Releases: v1.6.3
Owner: rupor (Code for experiments and hobbies lives here...)