Migrate Windows commit signing from gpg4win to YubiKey FIDO2 SSH #87

Description

@ChipWolf

Context

PR #73 designed Windows commit signing around Foxboron/ssh-tpm-agent, which turns out to be Linux-only (no Windows release artifacts, hardcoded linuxtpm.Open("/dev/tpmrm0") in utils/tpm.go, Linux-only landlock-lsm/go-landlock import). The ssh-signing scaffolding from #73 is in the repo with sshSigning.enabled: false, so it currently no-ops everywhere.

As a temporary bridge, this machine (lewin) was set up with gpg4win-based GPG signing:

  • Ed25519 GPG key F7EC3626E60802E7C0B73AB5E08BCE4D957BA19A (GitHub key ID E08BCE4D957BA19A)
  • No passphrase, no expiry
  • Local config in ~/.gitconfig.overrides (excluded from chezmoi on non-Codespaces by .chezmoiignore)
  • %APPDATA%\gnupg\gpg.conf: pinentry-mode loopback
  • %APPDATA%\gnupg\gpg-agent.conf: allow-loopback-pinentry
  • Uses Chocolatey GnuPG at C:\Program Files\GnuPG\bin\gpg.exe (the Choco-installed one, NOT Git-for-Windows MSYS2 gpg)

The trade-off is that the secret key sits on disk unencrypted — anyone with read access to %APPDATA%\Roaming\gnupg\private-keys-v1.d\*.key on lewin can sign as me.

Migration target

Reuse the FIDO2 resident key already documented in docs/yubikey.md (~/.ssh/id_ed25519_sk) for commit signing. SSH-format signing via gpg.format = ssh works on Windows with Windows-native OpenSSH and no extra agent install — ssh-keygen -Y sign directly invokes the YubiKey for each signature.

The sshSigning chezmoidata schema and home/private_dot_ssh/allowed_signers.tmpl from #73 are reusable as-is. Need to:

  • Repoint home/dot_gitconfig.tmpl's Windows SSH-signing branch from ~/.ssh/id_ecdsa.tpm.pub to ~/.ssh/id_ed25519_sk.pub (or make the path configurable per-machine via chezmoidata).
  • Drop the now-unused ssh-tpm-agent install/disable chezmoiscripts:
    • home/.chezmoiscripts/run_once_after_91_disable_windows_ssh_agent_windows.ps1.tmpl
    • home/.chezmoiscripts/run_onchange_after_98_ssh_tpm_agent_windows.ps1.tmpl
    • home/.chezmoidata/ssh-tpm-agent.yaml
  • Rewrite docs/ssh-signing.md for the YubiKey FIDO2 flow (remove TPM/ssh-tpm-agent references; document ssh-keygen -Y sign over Windows OpenSSH, FIDO2 touch UX, key upload to GitHub).
  • Update the ssh-tpm-agent bullet in AGENTS.md to describe YubiKey signing instead.
  • On lewin: add the YubiKey signing pubkey to GitHub, update ~/.gitconfig.overrides to use gpg.format = ssh + user.signingkey = ~/.ssh/id_ed25519_sk.pub (or remove the overrides file once chezmoi-managed signing is wired through).
  • Revoke the gpg4win Ed25519 key on GitHub and locally, delete the key blob from %APPDATA%\Roaming\gnupg.
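The steps above can be checked end to end from a PowerShell prompt on the Windows machine. The script below is an added example, not part of this issue or of the dotfiles repo; it assumes Windows-native OpenSSH at its default location (C:\Windows\System32\OpenSSH), uses a placeholder e-mail as the signing principal, and treats the ~/.ssh/allowed_signers path and the gpg.ssh.program setting as local choices rather than anything the repo's templates prescribe.

```powershell
# Added example (not from the issue or repo): point git commit signing at the
# FIDO2 resident key ~/.ssh/id_ed25519_sk via gpg.format = ssh, then verify it.
# Assumptions: Windows-native OpenSSH under C:\Windows\System32\OpenSSH, and a
# placeholder principal e-mail; adjust both for the real machine.

$PubKey         = Join-Path $HOME '.ssh\id_ed25519_sk.pub'
$AllowedSigners = Join-Path $HOME '.ssh\allowed_signers'
$SshKeygen      = 'C:\Windows\System32\OpenSSH\ssh-keygen.exe'   # assumption: default OpenSSH path
$Principal      = 'you@example.com'                               # placeholder: e-mail used on commits

# 1. Sanity-check the key: a FIDO2 key reports an *-SK type. Anything else means
#    the private half is an ordinary file on disk, which is what this migration
#    is trying to get away from.
$fp = & $SshKeygen -l -f $PubKey
if ($fp -notmatch '\((ED25519|ECDSA)-SK\)') { throw "Not a FIDO2 (-sk) key: $fp" }

# 2. Make git call ssh-keygen -Y sign with that key (this is what gpg.format = ssh does).
git config --global gpg.format ssh
git config --global gpg.ssh.program $SshKeygen
git config --global user.signingkey $PubKey
git config --global commit.gpgsign true
git config --global tag.gpgsign true

# 3. Build the allowed_signers file git needs to *verify* SSH signatures locally.
#    One line per key:  <principal> namespaces="git" <keytype> <base64 key>
$keyParts = (Get-Content $PubKey -Raw).Trim() -split '\s+'
$line = '{0} namespaces="git" {1} {2}' -f $Principal, $keyParts[0], $keyParts[1]
Set-Content -Path $AllowedSigners -Value $line -Encoding ascii
git config --global gpg.ssh.allowedSignersFile $AllowedSigners

# 4. Prove it in a throwaway repo: the commit triggers a YubiKey touch, and
#    verify-commit must accept the signature against allowed_signers.
$tmp = Join-Path $env:TEMP ('sigtest-' + [guid]::NewGuid())
git init -q $tmp
Push-Location $tmp
try {
    git config user.email $Principal
    'smoke test' | Set-Content sign.txt
    git add sign.txt
    git commit -q -m 'ssh-signing smoke test'        # YubiKey blinks here; touch it
    if ($LASTEXITCODE -ne 0) { throw 'commit (and therefore signing) failed' }
    git verify-commit HEAD                           # non-zero exit = signature not trusted
    if ($LASTEXITCODE -ne 0) { throw 'verify-commit rejected the signature' }
    git log -1 --show-signature --format='%G? %GS'   # expect "G <principal>"
} finally {
    Pop-Location
    Remove-Item -Recurse -Force $tmp
}
```

The check in step 1 is the one worth keeping after the migration: if user.signingkey ever gets repointed at a non-`-sk` key, signing silently stops requiring the YubiKey. Step 3 only matters for local verification (git verify-commit, git log --show-signature); GitHub verifies against the signing key uploaded to the account, which the issue lists as a separate step.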

Future option: build ssh-tpm-agent for Windows

If real TPM-backed signing on Windows becomes important later, the upstream google/go-tpm library does provide a tpm2/transport/windowstpm transport. A fork of ssh-tpm-agent that swaps linuxtpm for windowstpm and stubs out landlock-lsm/go-landlock on Windows is conceptually a 1–2 day project. Out of scope here; tracked separately if pursued.
