Things That Matter Most

Things That Matter Most

Context Managers in PHP

by

These days, I spend far more time writing and reviewing code in Python than I do PHP. It’s been a refreshing change of pace, and it’s fun to learn the different patterns present in various programming languages.

If you haven’t taken the time to look around to see what other languages or frameworks are doing, I’d highly recommend it.

One of the nicer patterns in Python is the Context Manager. In Python, certain objects and functions can be wrapped in a with block used to provide specific context to the code running within it. Opening files, for example, becomes remarkably easy:

with open('output.txt', 'w') as f:
     f.write('Hello world!')

The beauty of this pattern is the automated resource cleanup. You don’t have to manage (and free) file pointers manually. You don’t have to initialize and disconnect a database session. The context manager handles things for you automatically.

A database context manager could manage creating and closing a connection to the database itself (or the connection pool it uses). Or it could be used to wrap a transaction and automatically commit the results at the end of the block. Either way, you don’t have to manage things on your own.

PHP doesn’t have a pattern like this natively. I think adding a with construct would be a huge value add for the language, but my lower-level coding skills are a bit too rusty to code up a quick proof of concept. Instead, I can abuse generators and loops to simulate similar functionality with an existing system.

The Python example above used the open() function to demonstrate context management as applied to files. We can do something similar in PHP with the following helper function:

function open($file, $mode = 'r')
{
    $f = fopen($file, $mode);
    yield $f;

    fclose($f);
}

Since this function is a generator, we can use it natively inside a foreach loop. The thing is, we only ever loop once, so foreach in this example is really a parallel to Python’s with.

foreach(open('output.txt', 'w') as $file) {
    fwrite($file, 'Hello, world!');
}

Since the generator only yields once, we only get a single item to iterate across in our foreach loop. The loop will also automatically return back to the generator after it iterates, which gives us the opportunity to clean up our context and scope.

It’s a bit more verbose than the Python, and we have to build our own context managers, but it’s a much cleaner way to ensure we’re cleaning up after ourselves.

Taking things a step further, assume we need to work with a PDO connection. We want to connect to the database, do some work within a transaction, and automatically commit the result. Doing so imperatively would look something like:

try {
    $dbh = new PDO($dsn, $user, $pass, $options);
} catch (Exception $e) {
    die("Unable to connect: " . $e->getMessage());
}

try {  
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->beginTransaction();
    $dbh->exec("insert into users (id, first, last) values (5, 'Eric', 'Mann')");
    $dbh->exec('insert into authors (id) values (5)');
    $dbh->commit();
} catch (Exception $e) {
    $dbh->rollBack();
    echo "Failed: " . $e->getMessage();
}

The same operation, leveraging a context manager pattern, would be far simpler:

function transaction()
{
    $dbh = new PDO($dsn, $user, $pass, $options);
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->beginTransaction();

    yield $dbh;

    try {
        $dbh->commit();
    } catch (Exception $e) {
        $dbh->rollBack();
    }
}

// Now use the transaction
foreach(transaction() as $dbh) {
    $dbh->exec("insert into users (id, first, last) values (5, 'Eric', 'Mann')");
    $dbh->exec('insert into authors (id) values (5)');
}

This is more complex than the first example. The gist is that the setup and teardown code for the database connection and the transaction happens outside of your business logic. The transaction() function here could be in a separate file or namespace from the rest of your code, which keeps the execution logic clean and removes the need to worry about setup/teardown at all.

Files, databases, remote connections to resources, locks, threads. These are all intensive operations that could benefit from the use of this pattern – and which do leverage this pattern in Python and other languages.

Is this a pattern that would make a difference in your code? It’s certainly different than the way many of us write PHP today. How else might you leverage this pattern? Would it make more sense if we extended the language with our own implementation of with?

Release Freeze is Coming

by

I’d finished my turkey. Finished my pie. Then retreated to the other room with my laptop to finish my project.

Years ago while I was still freelancing, I fell behind on a project and had to lug my laptop along with me to the family reunion/feast on Thanksgiving. This meant I had to forgo games with my cousins, football in the yard, and catching up with relatives so I could work. It meant I also got paid, but I wasn’t billing anywhere near enough to justify abandoning family traditions for my computer.

Never. Work. During. Holidays.

WordPress 5.0

The next version of WordPress is dropping sometime soon. It was originally scheduled for earlier this week, but has been bumped to (maybe?) sometime next week. That’s great. It’s shaping up to be a great release, but there’s still work to be done.

As much as I love to ship code, it needs to be “done” before it goes out the door.

Given the rapid pace at which new bugs are being discovered, triaged, and patched, I’m not convinced we’re ready for a release. Let alone a release candidate. This is despite the latest release candidate having been scheduled yesterday … with several open bugs still tied to the official 5.0 release deadline.

For the record: a release candidate is intended to be a version of the software you think is done done and ready for final review before the release heads out the door. WordPress 5.0 is not yet in a “finished” state. A release candidate should be releasable and we’re not there yet.

At the time of this writing, there were still 20 issues on the WordPress 5.0 milestone despite the release candidate having shipped …

We’re still chasing after an arbitrary deadline, and while we won’t be shipping things during the Thanksgiving holiday in the US, we’ll still likely be shipping during one of the largest travel seasons. Bumping things back to December is no better as we start treading on various other major holidays – Hanukkah is Dec 2-10, Christmas on the 25th, New Years … and I’m likely forgetting others.

WordPress 5.0 is going to be great.

It should still be held back until January at the earliest.

Release Freeze

To that end, I’m going to step up and set an example.

While I will be working during December and, more than likely, writing code for new features and projects I will not ship any new feature or product releases in December.

This will give me time to focus on family and treat hobby coding as what it is – a hobby. It will help me balance “work” and life and regroup at the top of the new year with fun projects and releases. It also means anyone who relies on my code won’t have to rush to report bugs or patch conflicts or do anything to support my release until they’re also done with a family break and well established into the new year.

This release freeze will include not adding any new release hashes to DGXPCO.

If you’re using my plugin to ensure any updates to WordPress are vetted and cryptographically signed, my commitment to waiting until January to release an update means, regardless of when WordPress 5.0 drops, your site won’t see an update until January.

I’ll likely be taking some time during December to queue up a bunch of new stuff, so rest assured that work will continue and new releases will ship. But know that nothing I do or release will result in your having to lug your computer along to family events.

I learned from that mistake. Let’s work together to keep anyone else from having to live through it as well.

I Won’t be at ZendCon

by

Next week kicks off the latest version of ZendCon in Las Vegas. Though I had, for a time, expected to be there … I won’t be. You should know why.

Speaking Habits

I really enjoy speaking in public. It’s been a regular part of my career for the past decade, and it gives me ample opportunity to connect with and learn from the communities I care so deeply about.

I tend to submit multiple talks to multiple events per year. On average, I think I’ve spoken at 4-5 conferences per year for the past 6 years – in one “season” I presented in some form at 14 events during the period of the year. This gives me a lot of time on stage, but even more time connection with members of the community.

It’s opened my eyes to quite a few things; one in particular is the lack of diversity (or at least the representation thereof) at many events. We have a wildly diverse community, but a fairly homogenous lineup of “experts” presenting on stage.

Representation matters. I got involved in tech because people I related to were standing on stage telling me that I could. I want everyone to have that opportunity. To have that experience. More often than not, this means I need to step aside and encourage someone else to stand in the limelight. That’s humbling, but perfectly OK with me.

And it’s why I won’t be in Vegas next week …

Acceptance

My original acceptance email was lost to the aether, but eventually the organizing team was able to make contact and confirmed that yes, I was invited to speak. They’d selected both a workshop on security and a shorter talk about promise-driven architecture in PHP.

ZendCon Twitter announcement of my attendance and presentations.
Original Twitter announcement that I’d be speaking.

I was ecstatic!

ZendCon is one of the larger PHP events every year. Better yet, it’s a super short flight from Portland – there aren’t very many high-profile events I can attend to spend time with my community in my neck of the woods. I immediately accepted the invitation and flagged my calendar so I could schedule my time away from the office.

But then … my conscience got to me.

Withdrawal

Don’t get me wrong, the speakers’ lineup for this event looks to bring in solid experts who will be presenting great content. However, it’s also the speakers’ lineup that led me to withdraw from the event.

At the time I was asked to speak, there were 37 other speakers listed on the website. This group of individuals consisted of:

  • 4 women
  • 2 (apparent) people of color

For those who don’t want to do the math, this meant the speakers group was 89% male and 95% white. Adding my name to that list did nothing to make those numbers better.

My presence as a speaker at ZendCon would have actively diminished the value of the event. I refuse to be another white, male face among a speaker list comprised overwhelmingly of white men. This is not reflective of our community, and my ignoring that feeling and speaking anyway would be a betrayal of that community.

I hold no animosity towards the organizers of or speakers at ZendCon. However, I will not participate in your event until you address this discouraging lack of representation.

Moving Forward

I’ve taken fairly strong stances towards many things. I will not participate in events that lack a code of conduct. I will not abide racists, sexists, ageists, ableists, or similar.

I will not participate in events that fail to address serious issues regarding diversity, representation, or inclusion in our community. It’s one thing to say “well, people didn’t apply …” It’s another thing entirely to actively encourage members of the community to engage.

Said another way – if members of particular subcommunities are not organically responding to your CfP in volumes that would make a diverse speakers’ panel easy, you have far deeper problems with your event than you realize and it’s likely something I will not engage with in the first place.

As I’ve said on many topics recently: we can do better. We must do better. Those to whom we leave our projects, businesses, industry, profession behind deserve that we do better. Everything we do today is paving the way for generations to come – I am committed to doing everything in my power to ensure that the future of our community recognizes, respects, and values diversity.

Right now, that means calling out an inclusivity issue and refusing to be a part of the event that’s done little to solve it. In my white, male, cisgendered privilege, one of the strongest statements I can make is to not participate. If that makes room for one more person who doesn’t reflect “me” to the world, it’s a net positive.

Mastodon: Social Media Made Social

by

March 23, 2008 was the day my friend Sean introduced me to Twitter. It was a foreign concept to me. A website that would forward text messages from you to a group of friends – and forward any messages they sent back to you.

I was hooked. Sean had called the system “crack” and, honestly, it was addictive. I didn’t have a smart phone (or a reliable laptop), so getting content via text message was brilliant! I started following more and more people and, eventually, exhausted my limited capacity to pay attention to anything.

Early Twitter was revolutionary. It helped connect me to people I barely knew and tied me in to the communities I cared about most. Twitter was how I got started in the open source community. It’s how I learned about and interacted with WordPress. It’s how I built my blog. How I started making a name for myself in the world.

Sadly, Twitter today is not the thing that early Twitter was. It’s grown up, and I don’t like the thing it’s grown up to be.

Twitter Today

I follow less than 300 people on Twitter as a rule. It keeps my timeline manageable, and it forces me to carefully curate the content I consume. Despite that, Twitter (the company) has found a way to corrupt that stream of content. It’s disgusting.

I use “likes” to bookmark content for later consumption, research, or reply. Many of my friends do this, too. The thing is, Twitter started using “likes” as a form of passive promotion – and feeding content liked by my peers into my feed as if it had been explicitly promoted by them. 1

Twitter today fills my feed with ads – most of which are flagged as “promoted” content. Some of which are not flagged in any way. The other day, I noticed advertisements for Accenture Security in my timeline, all retweeted by “null.” Attempts to suss out the identity of “null” failed, as the Twitter API merely told me “usernames are unavailable.”

I later found out that “null” was Accenture Security itself! A few days later, I saw other content “shadow promoted” in my feed; content retweeted by accounts I do not follow was showing up in my feed along with content I wanted. This is … problematic at best. Nefarious at worst.

Most likely nefarious.

Then there’s the fact that Twitter the company “owns” the platform. They control the content that does or does not appear. They conduct shadow bans of users. They lock users’ accounts with or without reason. 2 They refuse to lock other accounts, then publicly defend their non-action despite evidence.

I joined Twitter because it connected me to the communities I care about. I’m now leaving Twitter because it’s actively worked to damage those communities.

Introducing Mastodon

Some time ago, the tech community started moving towards Mastodon – a federated social network with a similar interface and use case to Twitter. Unlike Twitter, however, it’s not controlled by a single entity.

Every Mastodon community is a unique installation of the software on some server or servers managed by that community. Individual users belong to one or another community and interact with other users on that same site – exactly like Twitter.

Unlike Twitter, these disparate Mastodon installations can all communicate with one another. A user on mastodon.technology can follow a user on mastodon.social from any other community. The servers handle transferring and copying content from one installation to another. All you need to keep track of is your own account and the list of users you follow.

Again, unlike Twitter, no one company or individual is in charge of when, how, or why accounts are locked or purged. It’s a community effort. And, because it’s a community effort, for-profit companies can’t inject themselves into the workflow with ad buys or any of the aforementioned potentially-nefarious activity I’ve seen on Twitter.

I explained it to a friend using the WordPress community as an illustration:

Twitter is to WordPress.com as Mastodon is to WordPress.org

One is a monolith run by a single, for-profit company. The other is a piece of software created and powered by the community that allows individuals to democratize the otherwise monolithic system.

I run my blog on WordPress to own my own content and avoid answering to anyone else. As of this week, I run my own Mastodon instance so I can own my own social network and avoid the malicious interference of corporations with their own interests.

My instance runs on AWS and has closed registration to prevent abuse. It’s invite-only at the moment and is home to a few of my close, personal friends. If you want to join, drop me a line and we’ll talk about it. Server costs are shouldered by the entire community, and we operate on a rule of personal respect. Oh, and no Nazis.

What Comes Next

My Twitter account will stay around. For a while.

I won’t be actively using it much as I’m trying incredibly hard to force myself to cut the “crack” Sean introduced me to out of my life. I will interact with these communities primarily through Mastodon.

If you DM me or @-message me on Twitter, I’ll see it. It just might take me a few days (or weeks) to respond. If you contact me through Mastodon I’ll be as responsive as I used to be. Remember, it’s becoming my primary tool.

Blog posts will still auto-publish tweets for now. I might still cross-post meaningful content at intervals. But, come 2019, I will archive and remove my Twitter account.

Said another way, I will be removing my Twitter account on December 31, 2018. All new content and interactions will take place on Mastodon.

I invite you to join me!

There are a lot of Mastodon communities out there. Find one that fits you and join the conversation. Together, we can own our content. Together, we can have engaging conversations. Together, we can build a network like Twitter used to be. Like Twitter should have been. The network and community we deserve.

I’m on Mastodon. Are you?

Notes:

  1. I know it’s fed my content into others’ feeds as well. I once “liked” a racist tweet by a former colleague so I could draft a cohesive response later … someone took my action to be agreement and endorsement of their position. My mistake using the tool in such a way. Twitter’s mistake in conflating my bookmarking of content with endorsement.
  2. I’ve had my account locked once in the past year for no reason whatsoever. Twitter claimed I’d violated a rule, but refused to clarify which rule or how I violated it.

System76 Oryx Pro – First Impressions

by

The past few weeks have been exciting! I recently purchased the new Oryx Pro by System76 and have been absolutely loving the new machine. Here are some photos and first thoughts from my setup experience.

Unboxing

First and foremost, it took a bit longer for my machine to arrive than I’d expected. I was one of the early pre-orders for the new machine, so the build took a while and shipping added a few days after that. This all being said, I am ecstatic about the build quality and the level of support I received even before my laptop arrived!

System76 Shipping Box

Several people had tried to warn me away from the new machine given the laptop’s size. When I got the box from UPS, I was … a bit worried they were right. It was huge.

The shrink-wrapped laptop inside an oversized shipping box.

But the laptop itself wasn’t nearly as large as the box. I was intrigued by this innovative packaging (though I’m sure System76 aren’t the only ones who use it). The laptop was undamaged and dwarfed by the shipping box. All of that extra space ensured nothing would jar the machine in transit.

  • Side-by-side with my Mac at work.
  • The Oryx Pro is just a tiny bit larger.
  • The Oryx Pro is just a tiny bit thicker.
  • That display finish reduces both glare and reflection. Major wins for working remote!

I had shipped the machine to my office so I didn’t have to worry about it walking away from my front door had I shipped it home. This had the added benefit of allowing me to do some side-by-side comparisons with my existing 15″ Retina MBP.

Yes, the Oryx Pro is a bit larger than the MBP. But not by much. Considering how much more power it’s packing under the hood (my MBP was one of the last models not to feature a separate graphics card), I’m not surprised. I’m happy with the built-in 10-key on the keyboard, and the matte finish on the display reduces glare and reflection when I’m working in oddly-lit environments.

The Oryx Pro is also lighter than the Mac. It’s a noticeable difference.

Setup

It was a challenge, but I managed to delay actually booting the machine until I got home. The setup was … just like what I’d expect from a Linux machine.

Standard Linux boot screen.

I was impressed by how quickly pop_OS! booted – and the backlit gaming keyboard wasn’t a bad addition, either.

pop_OS! installation start screen.

I’ve installed various flavors of Linux on various machines over the years. The installation always feels a bit rough, but pop_OS! felt much more like the friendly Windows/Mac first-boot experience many consumers would recognize. It walked me through language settings, wireless configuration, then was off to the races on its own. Except for the initial scrolling-shell boot screen, it didn’t feel like a “hacker setting up Linux” installation.

pop_OS! home screen

Installation was remarkably fast and had me using the computer in less time than it took for me to write this intro post. I enjoy the super clean home screen look, but it did take me a second or two to figure out how to find the app launcher. The “Windows Key”/”Command Key” workflow we know and love from Windows/Mac has bled over to the Linux world with a “Launcher Key.” I’m OK with that.

First Thoughts

The first software I installed included a browser (Firefox), email client (Thunderbird), my dev IDEs (IntelliJ and friends), and Docker. I took things a few steps further and set up Python with Tensorflow so I can work on some hobby machine learning projects.

My only gripes with the machine are related to the above:

  • The graphics card is new enough, and the pop_OS! CUDA support modern enough that I had to downgrade a few things to get Tensorflow to even compile. This wasn’t too much of an issue, but makes following “just install X” tutorials a bit useless.
  • The system doesn’t seem to ship with any video decoders by default. I had to install a couple of my own in order to stream from Amazon (as DRM-protected media needs special support)
  • The battery life while using the NVIDIA graphics card is sub-par. It’s usable, sure, but this is more a “portable workstation” than a “keep it unplugged” laptop. On Intel graphics mode, the battery is super! Just need to keep in mind which mode you’re using, when.
  • The built-in fingerprint reader is disabled by default and requires some beta software to configure. I haven’t installed it yet – I’m lazy – but look forward to it. I just wish all of the hardware were immediately operable out of the box.

I also immediately customized the home and lock screen graphics. I like the “unleash your potential” slogan, but the solid, non-gradient color schemes make the machine feel … old. I’ve used Ubuntu (both server-side and on the desktop) for ages and the solid full screens of orange and blue just feel unpolished and unprofessional. This is definitely a polished and professional machine, so it needs a modern look.

I’ve installed at least one game (Minecraft) and the play experience is incredible! I’ll be setting up Steam later for even more playtime. Writing on the rig is fantastic. The integration with 1Password is a bit rough, but their new 1Password X extension for Firefox makes things work smoothly. I also configured my Yubikey for use as both a GPG/SSH smartcard and a U2F security token – I had to customize some system interfaces to get U2F support, but this is well-documented on Yubico’s website.

At the end of the day, almost every problem I had was solved by reminding myself “this is a Linux system, I know this” and donning my sysadmin hat to find the right file and install the right software. I absolutely love this new machine.

If you work in software or manage linux machines in the cloud, I’d encourage you to take a look at System76 for your next personal machine. It’s head and shoulders above the rest of the field. You won’t be disappointed.

Configuring Yubikeys, GPG, and Keybase

by

Rather than use GPG and SSH keys housed on individual machines, I embed my GPG private keys on Yubikeys by default. This allows me to keep my keys somewhat portable (i.e. I can use them on multiple devices) while preventing my keys from leaking if anyone accesses my machine without my permission.

This is the same workflow I use with my team to enforce various cryptographic controls with our projects. A specific encryption key manages email encryption and access to git-crypt-protected credentials. A signing key manages email and Git commit signing. A separate authentication key manages SSH access.

It’s a strong way to protect our identities within the various tools we use, and one I recommend for just about any development team. To that end, a version of this article appeared in the March 2018 issue of php[architect], and I have an even longer version I distribute in person to developers.

Setting up your Yubikey

The goal of this walkthrough is to help you configure your GPG identity and port your keys to a secure hardware token – I recommend a Yubkey 4 (as it supports 4096-bit RSA keys). You can also use a Yubikey Neo, but this will only work with 2048-bit keys.

The basics we’re going to set up:

  • A 4096-bit master key that will be kept offline
  • A revocation certificate that will also be kept offline
  • 4096-bit sub-keys for encryption, signing, and authentication
  • Publication of keys to Keybase and other directories
  • Automatic signing of Git commits with the GPG key
  • Configuring gpg-agent to act as ssh-agent for remote access

I’d love to recommend everyone use the newer elliptic curves available in GPG as they’re powered by Libsodium and rapidly becoming a new industry standard. Unfortunately, the Yubikey hardware doesn’t yet support this family of cryptography, so we’ve got to stick with battle-tested RSA for now. Using a 4096-bit key size with RSA gives us equivalent protection to a 256-bit elliptic curve key, so it’s “good enough” for the moment.

Installing GPG

The following instructions require some format of GnuPG installed locally to behave. On Mac, this is as simple as running:



$ brew install gnupg2

On Windows, this requires installing GPG4Win.

If you’re running things on Windows, I’d highly recommend you reference Scott Hanselman’s amazing walkthrough as well. The instructions that follow are more targeted towards *NIX environments, but Scott’s article deals with some of the various edge cases that might pop up during Windows use.

Once installed, you can use either gpg2 or gpg from the command line to interact with the system (I’ll use gpg2 below as it refers explicitly to the version of GPG we just installed).

Creating the Keys

Master Key

To begin generating keys, start with:



$ gpg2 --full-generate-key

On the menus that follow:

  • Select (4) RSA (sign only)
  • Set keysize to 4096 bits
  • I typically set expiration to infinity (0) – use a reasonable value for your use case
  • Set your real name
  • Use your email address
  • Leave the comment blank
  • Use a strong passphrase – but make sure it’s easy enough to remember/type (you’ll need it later)

Make a note of the generated key fingerprint and key ID. The key ID will be used in subsequent steps.

Sub-keys

Start adding sub-keys by editing the key we just created. Make sure to substitute your real key ID when you see KEYID in the steps that follow:



$ gpg2 --expert --edit-key KEYID



$ addkey

On the menus that follow:

  • Select 4 – RSA (sign only)
  • Set keysize to 4096 bits
  • I typically set expiration to infinity (0) – use a reasonable value for your use case

Make a note of the generated fingerprint and key ID.



$ addkey

On the menus that follow:

  • Select 6 – RSA (encrypt only)
  • Set keysize to 4096 bits
  • I typically set expiration to infinity (0) – use a reasonable value for your use case

Make a note of the generated fingerprint and key ID.



$ addkey

On the menus that follow:

  • Select 8 – RSA (own capabilities)
  • Press s to toggle signing
  • Press e to toggle encryption
  • Press a to toggle authentication
  • Press q to save settings and create an auth-only key
  • Set keysize to 4096 bits
  • I typically set expiration to infinity (0) – use a reasonable value for your use case

Make a note of the generated fingerprint and key ID.



$ save

Publishing the Keys

If no one has your public key, they can’t verify your identity. Upload your public key to a keyserver with:



$ gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-key KEYID

If you’re using Keybase, you can also add your key quickly with:



$ keybase pgp select --multi

Then select the appropriate key.

Add Additional Identities

It’s often more trouble than you care to deal with to manage multiple identities and keys. Instead, it’s easier to add secondary identities to the key we created above (i.e. your personal and professional email addresses). For example, my keys are bound to all of my online identities to make it easier for people to find me.

If you need to use GPG keys for personal emails/identities as well, you can add them with the following steps:



$ gpg2 --expert --edit-key KEYID



$ adduid

On the menus that follow, provide your real name, your email address, and an optional comment. You can add as many secondary IDs as you need. Once you’re done, commit the changes with:



$ save

Generate a Revocation Certificate for the Master Key

If your keys are ever compromised, you will need to revoke them with the public keyserver. Remember, if you lose your private key there is no way to revoke a key from the server so keeping a revocation certificate is a necessary step to proactively protect your security.

Generate the key easily with:



$ gpg2 --output KEYID.asc --gen-revoke KEYID

Specify the revocation reason that “key has been compromised” and store the generated certificate in a safe, secure, and preferably offline location. You might not ever need this certificate, but if you do having it in a trustworthy place is critical.

Transfer Keys to the Yubikey

Configuring the Yubikey

The Yubikey ships with two default PINs, one for administrative use and one for daily use (i.e. unlocking your key for signing/decryption).

  • Default PIN = 123456
  • Default Admin PIN = 12345678

We need to change both of these to non-default values:



$ gpg2 --card-edit



gpg/card> admin



gpg/card> passwd

First change the PIN (remember it needs to be 6-digits long).

Now change the Admin PIN (needs to be 8-digits lon)

Press Q to save and quit the password menu. Type quit and press enter to exit the card editing screen.

Export Backups

Exporting your secret key to a backup is vital if you ever need to recreate your Yubikey for any reason. Preferably, this storage location is encrypted and offline (i.e. an encrypted USB stick) and in a safe, secure location.



$ gpg2 -a --export-secret-key KEYID >> /some/secure/location/KEYID.master.key



$ gpg2 -a --export-secret-subkeys KEYID >> /some/secure/location/KEYID.sub.key

I have two Yubikeys configured with the same keys. One is the primary I use day-to-day, the other is a backup in case of emergency. By exporting your keys, you can re-import a key to another Yubikey if necessary.

You won’t likely need the backed-up subkeys any time soon, but if you ever want to sign someone else’s keys you’ll need the master key to do so. It’s a good idea to not keep your master key available – think of it like root access to your identity. Instead, using your master key should require intentionality – like getting something out of a vault across town.

It’s incredibly powerful; you should take care to protect it.

Actually Transfer the Keys

If you have other keys stored on your Yubikey, the following steps will overwrite them. It is impossible to extract a key from a Yubikey once it is there, so the previous step of exporting backups is vital if you ever need to recover a lost key or recreate your Key.

The following steps assume you created subkeys in the order specified above (signing first, then encryption, then authentication). If you followed a different order, your selections below might vary.



$ gpg2 --edit-key KEYID



gpg> toggle



gpg> key 1



gpg> keytocard



Please select where to store the key: 1 (Signing)



gpg> key 1



gpg> key 2



gpg> keytocard



Please select where to store the key: 2 (Encryption)



gpg> key 2



gpg> key 3



gpg> keytocard



Please select where to store the key: 3 (Authentication)



gpg> save

Once your keys are exported to the Yubikey they will no longer be present on your machine. Be sure to remove your master key (assuming it’s properly backed-up) as well to make sure your machine is safe.

Configure GitHub Commit Signing

Export a Public Key

To export the public signing key for use with GitHub, merely ask GPG to export it to a file (the key will have ASCII armor so it will remain human-readable):



$ gpg2 -a --export KEYID > KEYID.asc

Configure GitHub

  • Log in to GitHub
  • Go to your settings by selecting Settings from the dropdown by your avatar
  • Select SSH and GPG keys
  • Add a new GPG key, coping in the ASCII armored text exported in the step above

Configure Git

Adding a default signing key is straight-forward. Merely run:



$ git config --global user signingkey KEYID

This sets your key, but commits will not be signed by default (you must manually specify -S when committing to sign). To sign by default, run the following:



$ git config --global commit.gpgsign true

From this point forward, every commit you make will be signed with your GPG key (and will appear as “Verified” on GitHub). This has the advantage of proving that you and only you authored the commit (i.e. no one spoofed your identity in the commit logs).

Verified commit

GPG commit signature on GitHub

If for any reason you want to create an unsigned commit, add –no-gpg-sign in the command line when authoring your commit. This is useful if you’re working remotely and temporarily lack access to your Yubikey.

Configure SSH Authentication

SSH will still use your default id_rsa.pub key for authentication at this point. We have to tell the machine how to use GPG instead and, conveniently, GPG agent has a flag to do just that:



$ gpg-agent --daemon --enable-ssh-support --write-env-file ~/.gpg-agent-info

This command generates the environment variables necessary for SSH to use GPG for authentication and writes them to ~/.gpg-agent-info for future use. It’s easier, though, to add them directly to ~/.bash_profile for consumption with the following block:



# GPG Agent



if test -f ~/.gpg-agent-info -a -n "$(pgrep gpg-agent)"; then

  source ~/.gpg-agent-info

  export GPG_AGENT_INFO

  export SSH_AUTH_SOCK

  export SSH_AGENT_PID

else

  eval $(gpg-agent --daemon --write-env-file ~/.gpg-agent-info)

fi

This code will test for the file first and regenerate it if it doesn’t exist – if it does exist, it loads everything for you. From here on out, if you execute ssh-add -L to list out your loaded SSH keys, you will see one reported as an identity with your Yubikey’s card number instead of an email address or path name. If you want to grab your public key directly, run:



$ gpg2 --export-ssh-key SUBKEYID

Where SUBKEYID is the ID of the third sub-key you generated earlier. (This will often be the last key in the list if you run gpg2 --list-secret-keys as well.)

Next Steps

This walkthrough just covers the GPG features of your Yubikey. The hardware can also be used as a PIV card to house X509 certificates. It’s also a great 2FA device, supporting both OTP generation and FIDO’s universal second factor (U2F) spec.

I use my Yubikey daily to:

  • GPG-sign every email I send from my workstation
  • GPG-sign every Git commit
  • Authenticate to remote SSH servers
  • Encrypt/decrypt sensitive credentials on my machine
  • Respond to U2F challenges from services like GitHub and Gmail

How will you use your Yubikey?