by trishankdatadog 2416 days ago
The GPG applet is inside the YubiKey and running entirely on there, to the best of my knowledge.

Update: new YKs with new firmware are apparently able to provide proofs that the keys were generated on hardware.

https://news.ycombinator.com/item?id=21523354


Oh that's great, alleviates my concern, which was like, how do you know you're even asking the YubiKey to do key generation rather than a malicious actor generating a private key and placing it on the YubiKey? Thanks!

If you don't trust the hardware, then don't use it. I'm not sure what solution would fit your threat model, other than building your own.

I didn't say I distrusted the hardware, I said the very opposite. I said I didn't see how, before this attestation feature, you could guarantee your computer software even asked the hardware to generate the key.