Changes

This is less likely to be the "next step" after the OpenPGP setup... Done with @lelutin during his onboarding, tpo/tpa/team#41599
anarcat · 87bef995
--- a/howto/yubikey.md
+++ b/howto/yubikey.md
@@ -835,54 +835,6 @@ YubiKey. If you are following this procedure because you have lost
 your previous YubiKey, you should actually make *another* copy of the
 YubiKey at this stage, to be able to recover when *this* key is lost.
-### Using the YubiKey on a new computer
-One of the beauties of using a YubiKey is that you can somewhat easily
-use the same secret key material material across multiple machines
-without having to copy the secrets around.
-This procedure should be enough to get you started on a new machine.
- 1. install the required software:
-        apt install gnupg scdaemon
- 2. restore the public key:
-        gpg --import $BACKUP_DIR/public.key
-    Note: this assumes you have a backup of that public key in
-    `$BACKUP_DIR`. If that is not the case, you can also fetch the key
-    from key servers or another location, but you *must* have a copy
-    of the public key for this to work.
-    If you have lost even the public key, you may want to read this
-    guide: [recovering lost GPG public keys from your YubiKey –
-    Nicholas Sherlock create](https://www.nicksherlock.com/2021/08/recovering-lost-gpg-public-keys-from-your-yubikey/), untested.
- 3. confirm GnuPG can see the secret keys:
-        gpg --list-secret-keys
-    you should not see any `Card serial no.`, `sec>`, or `ssb>` in
-    there. If so, it might be because GnuPG got confused and still
-    thinks the old key is plugged in.
- 4. set the trust of the new key to `ultimate`:
-        gpg --edit-key $FINGERPRINT
-    Then, in the `gpg>` shell, call:
-        trust
-    Then type `5` for "I trust ultimately".
- 5. test signing and decrypting a message:
-        gpg --clearsign < /dev/null
-        gpg --encrypt -r $FINGERPRINT < /dev/null | gpg --decrypt
 ### Agent setup
 At this point, GnuPG is likely working well enough for OpenPGP
@@ -948,6 +900,54 @@ To sign Git commits with OpenPGP, you can use the following configuration:
 Git should be able to find GnuPG and will transparently use the
 YubiKey to sign commits
+### Using the YubiKey on a new computer
+One of the beauties of using a YubiKey is that you can somewhat easily
+use the same secret key material material across multiple machines
+without having to copy the secrets around.
+This procedure should be enough to get you started on a new machine.
+ 1. install the required software:
+        apt install gnupg scdaemon
+ 2. restore the public key:
+        gpg --import $BACKUP_DIR/public.key
+    Note: this assumes you have a backup of that public key in
+    `$BACKUP_DIR`. If that is not the case, you can also fetch the key
+    from key servers or another location, but you *must* have a copy
+    of the public key for this to work.
+    If you have lost even the public key, you may want to read this
+    guide: [recovering lost GPG public keys from your YubiKey –
+    Nicholas Sherlock create](https://www.nicksherlock.com/2021/08/recovering-lost-gpg-public-keys-from-your-yubikey/), untested.
+ 3. confirm GnuPG can see the secret keys:
+        gpg --list-secret-keys
+    you should not see any `Card serial no.`, `sec>`, or `ssb>` in
+    there. If so, it might be because GnuPG got confused and still
+    thinks the old key is plugged in.
+ 4. set the trust of the new key to `ultimate`:
+        gpg --edit-key $FINGERPRINT
+    Then, in the `gpg>` shell, call:
+        trust
+    Then type `5` for "I trust ultimately".
+ 5. test signing and decrypting a message:
+        gpg --clearsign < /dev/null
+        gpg --encrypt -r $FINGERPRINT < /dev/null | gpg --decrypt
 ### Preliminary performance evaluation
 Preparation: