Open MrGossett opened 2 years ago
I would also be interested in using a similar capability for signing Git commits using GPG from an X.509 certificate stored in Secure Enclave.
Scenario 1: Corporate managed environment where it's undesirable for users to have plaintext access to the private key – permitting it to be stolen or used outside company-managed devices.
Scenario 2: An individual open source contributor wishes to sign their keys using either standard GPG keys or X.509 keys, stored in Secure Enclave (or other auxiliary hardware devices a la FIDO) without the risk that their signing keys can be stolen in a compromise of their device.
This is similar to #992, but slightly different. #992 asks for support to use GPG keys as SSH keys. This issue is asking to use GPG keys stored in the Secure Enclave for GPG operations (i.e., sign, encrypt, authenticate).
I have enjoyed using Blink's feature to generate and store SSH keys in the Secure Enclave on my device. The ability to forward the local SSH Agent extends the usefulness of the feature. The combo has enabled me to SSH from my iPad to a cloud-based VM, and then `git push` from the VM to GitHub; the `git push` is authenticated at GitHub using SE keys that stay on my iPad, so there is no need to store keys on the VM.

I would like to have the same capability with GPG keys. This would let me take advantage of the security properties of the Secure Enclave on my iPad and other devices, and avoid storing keys on the VM. My main use case is GPG-signing git commits.
I couldn't find any iOS/iPadOS apps that act as a GPG Agent, and I wouldn't know how to expose those apps over an SSH tunnel in Blink. I'm not a Swift developer, but from a casual walkthrough of the code in SSH/Agent.swift, it seems like it would be plausible to implement a GPG Agent in the same way the existing SSH Agent was implemented.