This is heavily inspired by https://wiki.gnupg.org/AgentForwarding but aims to be friendlier.
Setup
You need at least GnuPG 2.1.1 on both systems. To find out which one you have, simply run
%> gpg --version
For this recipe you also need OpenSSH >= 6.7 on both ends, since forwarding a Unix-domain socket with RemoteForward needs support in both the client and sshd. (If you have a version older than that, refer to the wiki article mentioned above.) To find out which one you have, run
%> ssh -V
(sshd has no version flag, but the usage text it prints for an unknown option such as sshd --version includes its version.)
Put your key on the remote
Assuming you have a local private gpg key, run
%> gpg --armor --export <KEYNAME> > <FILENAME>
Then copy the public key to the remote host.
Then, on the remote host, import it into gpg.
%> gpg --import <FILENAME>
More on this here: https://www.gnupg.org/gph/en/manual/x56.html
gpg-agent forwarding configuration
On the local machine, edit $HOME/.gnupg/gpg-agent.conf and add
extra-socket /home/<user>/.gnupg/S.gpg-agent.extra
enable-ssh-support
I am not quite certain the enable-ssh-support is actually required but it worked for me and I did not try without it.
On the local machine, run:
%> gpgconf --list-dirs agent-extra-socket
This is the LOCAL_SOCKET.
On the remote, run:
%> gpgconf --list-dirs agent-socket
This is the REMOTE_SOCKET.
Edit ~/.ssh/config (you can tweak Host for your own usage; a pattern naming only the remotes you actually use keeps the extra socket from being offered to every host you connect to)
Host *
    StreamLocalBindUnlink yes
    RemoteForward <REMOTE_SOCKET> <LOCAL_SOCKET>
The socket on the remote is created by sshd, so a stale socket file left by a previous session is only removed if the remote's /etc/ssh/sshd_config also has StreamLocalBindUnlink yes (restart sshd after changing it).
Test it
Connect to the remote server via ssh. Run:
%> gpg --no-autostart -K
You should see your key.
Troubleshooting
This has been very flaky in my case, so I have to fiddle with it every now and then. (I doubt that StreamLocalBindUnlink is not getting the job done.)
On the remote, run:
%> gpg --no-autostart -K
If you get no output or “gpg: no gpg-agent running in this session”, then run (the launch creates the socket directory if it is missing, and the kill stops the local agent so the path is free for the forwarded socket):
%> gpgconf --launch gpg-agent
%> gpgconf --kill gpg-agent
Log out / log in and try again. In my case it works then.
To further debug and make sure the ssh connection (sshd on the remote) is creating the socket file on the remote host, run:
%> ls -l <REMOTE_SOCKET>
and see if the timestamp is the current time (assuming you just connected).
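The two things the recipe has you do by hand, writing the ssh config stanza from the two gpgconf socket paths and checking what sits at REMOTE_SOCKET when it misbehaves, as an added shell example that is not part of the original post or of GnuPG/OpenSSH. It assumes a POSIX sh with pgrep available on the remote, and the function and host names are illustrative.

```shell
#!/bin/sh
# Added example: not part of the original post nor of GnuPG/OpenSSH.
# ssh_stanza builds the ~/.ssh/config entry from the two socket paths found with gpgconf;
# check_remote_socket classifies what sits at REMOTE_SOCKET when run on the remote host.

# Print a Host stanza that forwards LOCAL_SOCK (agent-extra-socket on the local machine)
# to REMOTE_SOCK (agent-socket on the remote). A named host is used instead of "Host *"
# so the extra socket is only offered to hosts you chose.
ssh_stanza() {
  host=$1 remote_sock=$2 local_sock=$3
  printf 'Host %s\n    RemoteForward %s %s\n' "$host" "$remote_sock" "$local_sock"
}

# Classify the agent socket path on the remote. Return status:
#   0  a socket is present (the forward is up)
#   1  nothing there: the directory is missing (sshd cannot create the socket) or the
#      forward is not active
#   2  a plain file occupies the path (stale leftover; StreamLocalBindUnlink in the
#      remote sshd_config removes these automatically)
#   3  a gpg-agent is running on the remote and competes for the socket path
check_remote_socket() {
  sock=$1
  dir=$(dirname "$sock")
  if [ ! -d "$dir" ]; then
    echo "$dir does not exist; on the remote run: gpgconf --create-socketdir (GnuPG 2.1.13+)" >&2
    return 1
  fi
  if [ ! -e "$sock" ]; then
    echo "no socket at $sock; is the ssh session with RemoteForward still open?" >&2
    return 1
  fi
  if [ ! -S "$sock" ]; then
    echo "$sock exists but is not a socket; remove it or set StreamLocalBindUnlink yes in sshd_config" >&2
    return 2
  fi
  if pgrep -u "$(id -un)" -x gpg-agent >/dev/null 2>&1; then
    echo "a gpg-agent is running on the remote; stop it with: gpgconf --kill gpg-agent" >&2
    return 3
  fi
  echo "forwarded socket present at $sock"
  return 0
}

# Usage on the remote: sh check.sh "$(gpgconf --list-dirs agent-socket)"
if [ $# -eq 1 ]; then check_remote_socket "$1"; fi
```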