Bash script for setting or clearing touch requirements for # cryptographic operations the OpenPGP application on a YubiKey 4
Switch branches/tags
Nothing to show
Clone or download
a-dma Merge pull request #2 from tlium/checkxxd
Abort if xxd is not found
Latest commit acf0996 Dec 22, 2016
Failed to load latest commit information.
LICENSE Initial commit Oct 11, 2016 Fix typo Oct 11, 2016 Abort if xxd is not found Dec 20, 2016


A Bash script for setting or clearing touch requests for cryptographic operations in the OpenPGP application on a YubiKey 4


This tool has been superseded in functionality by YubiKey Manager (currently only the CLI side). However, some people have shown interest in keeping this script around for ease of use and because of its smaller surface / fewer dependencies.


  • gpg-connect-agent
  • pinentry (any kind, optional)


Run the tool as:

./ {sig|aut|dec} {off|on|fix} [admin_pin]

where the parameters indicate the following:

{sig|aut|dec} Signature, authentication or decryption key
{off|on|fix}  Value of the option
[admin_pin]   The Admin PIN of the YubiKey (optional)

Setting the touch option to fix will cause any subsequent invocation of this script on that same subkey to do nothing. The only way to reset this is by generating or importing a new key for that slot.

If the Admin PIN is not provided through the command line, the tool will ask the user for it. If a version of pinentry is available it will be used, otherwise it will fall back to reading standard input.

Personalization advice

To mitigate the fact that this tool needs to interact with the Admin PIN of a device, it is advisable to run the script after having generated/imported keys, but before doing the full device personalization. Specifically, using this tool on a YubiKey that still has the default Amin PIN (12345678) set.