
I guess that what I want is a GPG equivalent to the ssh-copy-id function from SSH. Here is what I have tried, along with the output that I have received:

foo@bar:~$ ssh pi@192.168.0.42 gpg --export-secret-key A32D835B51CAF93AD264826E2C7AE63B68CDAB22 | gpg --import
gpg: directory '/home/foo/.gnupg' created
gpg: keybox '/home/foo/.gnupg/pubring.kbx' created
gpg: key F0A27839C3F40D2B42172A28124E5F88293B3719: error receiving key from agent: Inappropriate ioctl for device - skipped  
gpg: key 61322A2DACD3C52D35086D123704A5559C3E0456: error receiving key from agent: Inappropriate ioctl for device - skipped
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

For the record, here is the link to a relevant old SO question: How to transfer pgp private key to another computer?

UPDATE: I attempt to leverage --passphrase/--pinentry switches as suggested in the answer given by user ahi324. Here's how it looks:

foo@bar:~$ stty -echo && ssh pi@192.168.0.42 "gpg --batch --passphrase-fd 0 --pinentry loopback --export-secret-key A32D835B51CAF93AD264826E2C7AE63B68CDAB22" | gpg import; stty echo
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: can't open 'import'
gpg: key F0A27839C3F40D2B42172A28124E5F88293B3719: error receiving key from agent: No passphrase given - skipped
gpg: key 61322A2DACD3C52D35086D123704A5559C3E0456: error receiving key from agent: No passphrase given - skipped
gpg: WARNING: nothing exported

Indeed, the execution appears to get "stuck in limbo" after the appearance of the output `gpg: WARNING: no command supplied. Trying to guess what you mean ...`. Only after I hit Enter on the keyboard does the execution run to completion.

EricVonB
  • Does this answer your question? [how to use gpg signing key on a remote server?](https://stackoverflow.com/q/30058030/7939871) – Léa Gris Jul 09 '22 at 21:25
  • Sorry, had a typo in my notes... Should be `--import`, as opposed to `import`. Otherwise, GPG interprets `import` as a filename. – ahi324 Jul 10 '22 at 05:02
  • @LéaGris, perhaps therein lies another possible solution. But the level of sophistication involved over there is too high for me. – EricVonB Jul 10 '22 at 06:16

1 Answer

The errors you're receiving (error receiving key from agent: Inappropriate ioctl for device - skipped) indicate that your secret key is passphrase protected and that your GPG passphrase agent isn't compatible through SSH, which most aren't.

Three options come to mind:

  • Initiate the export from the source host (to facilitate interactive passphrase entry);
  • Leverage --passphrase/--pinentry switches (as suggested in the post you reference); e.g., `stty -echo && ssh "$host" "gpg --batch --passphrase-fd 0 --pinentry loopback -a --export-secret-key '$key'" | gpg --import; stty echo`; or,
  • Remove passphrase protection from the key (not necessarily desirable).
ahi324
  • This is rather a conundrum then. The problem with the first suggestion is that the SSH server is on the source machine, and it is not necessarily permissible to establish an SSH server on the target machine. I don't see how to implement the first suggestion given the circumstances. The second suggestion seems way too complicated, and I am easily intimidated. 3rd suggestion seems like a bad idea. – EricVonB Jul 09 '22 at 20:24
  • also `--pinentry` is greatly reducing security to the point that it makes the pin code accessible to unprotected userland iostream at the shell level. Otherwise the gpg delegates the pin entry to a challenge response, to and from a secure device. The TTY terminal and IO input output in shell are not secure at all. – Léa Gris Jul 09 '22 at 21:20
  • If I might be so bold, don't be intimidated. The 2nd suggestion simply prompts for the password client-side as stdin for gpg. – ahi324 Jul 10 '22 at 00:15
  • `stty -echo` disables terminal echo'ing of terminal input (for password entry); while `stty echo` (re)enables echo'ing – ahi324 Jul 10 '22 at 00:20
  • `ssh "$host" "gpg --batch --passphrase-fd 0 --pinentry loopback -a --export-secret-key '$key'"` SSHs to the host named in $host and executes the double quoted command. (`--batch` disables interactive commands, `--passphrase-fd 0` instructs GPG to accept input from stdin [over SSH, in this case], `--pinentry loopback` redirects passphrase queries to the caller, `-a` ASCII-armors the output, and `--export-secret-key` you seem to know.) – ahi324 Jul 10 '22 at 00:20
  • `stty -echo && ...` says continue only if `stty` returns `0` (success); while the `; stty echo` helps ensure that echo'ing is (re)enabled, even if something before it fails – ahi324 Jul 10 '22 at 00:23
  • @ahi324+ the local part (after the pipe) should be `gpg --import`. As the error messages told you, `import` is not recognized as a command and instead treated as the name of a file that doesn't exist. – dave_thompson_085 Jul 10 '22 at 04:52
  • Yes! It seems to have worked, which is easily confirmed by running the `gpg --list-secret-keys` command. Worth noting is that when the `stty -echo && ssh ...` command gets run, the operation doesn't immediately run to completion. Instead, and without providing any prompting or any further instructions, the process seems to wait for input consisting of the password of the requested secret key. – EricVonB Jul 10 '22 at 06:12
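The second option from the answer, with the `gpg --import` correction from the comments, written out as a small script. This is an added example, not code from the answerer or from GnuPG; it assumes `ssh` and `gpg` are on PATH, uses `--pinentry-mode loopback` (the full spelling of the abbreviated `--pinentry` switch used above), and treats the host and fingerprint as placeholders.

```shell
#!/bin/sh
# Added example: wraps the export-over-ssh pipeline from the answer so that the
# key id is sanity-checked before it reaches a remote command line, terminal
# echo is restored even on failure or Ctrl-C, a prompt is shown (the bare
# pipeline shows none, as noted in the comments), and the import is verified.

# Accept a 40-hex-digit fingerprint or a 16-hex-digit long key id; reject
# anything else so it is never interpolated into the remote command.
validate_key_id() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ] || [ "${#1}" -eq 16 ]
}

# Command executed on the source host. --batch suppresses interaction,
# --pinentry-mode loopback plus --passphrase-fd 0 make gpg read the passphrase
# from its stdin (which ssh forwards from our terminal), and -a ASCII-armors
# the exported key so it travels cleanly through the pipe.
build_remote_cmd() {
    printf "gpg --batch --pinentry-mode loopback --passphrase-fd 0 -a --export-secret-key '%s'" "$1"
}

# transfer_secret_key USER@HOST KEYID : pull a secret key from HOST into the
# local keyring. The passphrase is typed locally without echo and reaches the
# remote gpg only inside the encrypted SSH session.
transfer_secret_key() {
    validate_key_id "$2" || { echo "refusing malformed key id: $2" >&2; return 2; }
    stty -echo
    trap 'stty echo' EXIT INT TERM     # never leave the terminal with echo off
    printf 'Passphrase for %s (not echoed, then Enter): ' "$2" >&2
    ssh "$1" "$(build_remote_cmd "$2")" | gpg --import
    rc=$?                              # exit status of the local gpg --import
    stty echo; trap - EXIT INT TERM
    printf '\n' >&2
    [ "$rc" -eq 0 ] || return "$rc"
    # Confirm a secret key ("sec" record) with this id now exists locally.
    gpg --with-colons --list-secret-keys "$2" 2>/dev/null | grep -q '^sec:'
}

# Run as a script (placeholder host and key id from the question):
#   ./gpg-copy-key.sh pi@192.168.0.42 A32D835B51CAF93AD264826E2C7AE63B68CDAB22
if [ "$#" -ge 2 ]; then
    transfer_secret_key "$1" "$2"
fi
```

The final `--list-secret-keys` check is the scripted form of the `gpg --list-secret-keys` confirmation mentioned in the last comment.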