Hi Guilhem!

On 23/09/2018 05:57, Guilhem Moulin wrote:
> We already have some logic in place to wait until the source device is
> present, so we can as well wait until the card is present.
Note that GnuPG now supports multiple card readers at the same time. The
solution will fail then. Furthermore, it also precludes showing the nice
prompt with /which/ smartcard to insert for people with multiple
smartcards. Further reflection might reveal other cases where it is
suboptimal or wrong...

How about copying the whole homedir without random_seed, but first checking
to make sure there are only smartcard keys as private keys? I think the
following does that:

--8<---------------cut here---------------start------------->8---
#!/bin/sh

# Field 15 of a sec/ssb record in --with-colons output is the token serial
# number: "#" is a stub with no secret key at all, a serial starting with the
# OpenPGP card AID prefix (D2 76 00 01 24 01) is a key held on a card, and
# anything else means secret key material is present on disk.
UNSAFEKEYS=$(gpg --batch --with-colons --homedir /etc/keys --list-secret-keys | \
    gawk -F: '$1=="sec" || $1=="ssb" \
        { if ($15 !~ /D27600012401.*/ && $15 != "#") { print $5 } }')

if [ -n "$UNSAFEKEYS" ]; then
    echo "Non-smartcard keys found:\n${UNSAFEKEYS}\nAborting" >&2
    exit 1
fi
--8<---------------cut here---------------end--------------->8---

It will only accept true OpenPGP smartcard keys (matched on ISO 7816
Application Identifier) or empty stubs (no secret key whatsoever). No other
secret key material should be necessary for this particular application.
Note that the dialect is dash; if run in bash, echo would need -e.

Whatever the solution, I think it's a good idea to copy *.conf to the GnuPG
homedir as well (that's not an implementation detail, it's a supported API).

I'm a bit worried that currently, the implementation detail that the old
pubring.gpg format is the same format as gpg --export is being used. This
is tripping up people upgrading to GnuPG 2.1, and I think it's a better
idea to avoid it here as well. The attached patch tries to do this (but
obviously doesn't combine well with the proposal of copying the whole
homedir, which would get this for free :-).

> By the way, I also added a local-bottom script to kill gpg-agent and
> scdaemon before execution is turned over to the init binary :-)

A good idea. If we copy a whole homedir, it might be needed to put the
homedir in its regular place for that.
I suppose this is possible? I think gpgconf can only manage daemons started
with a default homedir.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
From 7957c591fccf3d5745bee4507a66b78ff4414a5f Mon Sep 17 00:00:00 2001 From: Peter Lebbing <pe...@digitalbrains.com> Date: Sun, 23 Sep 2018 11:48:11 +0200 Subject: [PATCH] Use modern keybox format for gpg --- debian/README.gnupg-sc | 4 ++-- debian/initramfs/hooks/cryptgnupg-sc | 4 ++-- debian/scripts/decrypt_gnupg-sc | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/debian/README.gnupg-sc b/debian/README.gnupg-sc index 4320269d..2861eed0 100644 --- a/debian/README.gnupg-sc +++ b/debian/README.gnupg-sc @@ -36,9 +36,9 @@ decrypting the keyfile at initramfs stage If the device is to be unlocked at initramfs stage (such as for the root FS or the resume device), you need to copy the public part of the encryption -key to /etc/cryptsetup-initramfs/pubring.gpg: +key to a keyring named /etc/cryptsetup-initramfs/pubring.kbx: -# gpg --export 0xDEADBEEF >/etc/cryptsetup-initramfs/pubring.gpg +# gpg --export 0xDEADBEEF | gpg --no-default-keyring --keyring /etc/cryptsetup-initramfs/pubring.kbx --import Then the provided initramfs hooks should do all additionally required work for you when the initramfs is created or updated. diff --git a/debian/initramfs/hooks/cryptgnupg-sc b/debian/initramfs/hooks/cryptgnupg-sc index 57255fad..0a607ab8 100755 --- a/debian/initramfs/hooks/cryptgnupg-sc +++ b/debian/initramfs/hooks/cryptgnupg-sc @@ -39,9 +39,9 @@ copy_keys() { RV=0 crypttab_foreach_entry copy_keys -PUBRING="/etc/cryptsetup-initramfs/pubring.gpg" +PUBRING="/etc/cryptsetup-initramfs/pubring.kbx" if [ -f "$PUBRING" ]; then - copy_file pubring "$PUBRING" "/cryptroot/pubring.gpg" + copy_file pubring "$PUBRING" "/cryptroot/pubring.kbx" else cryptsetup_message "WARNING: $PUBRING: No such file" fi diff --git a/debian/scripts/decrypt_gnupg-sc b/debian/scripts/decrypt_gnupg-sc index 8bb9d81d..932e1bf0 100755 --- a/debian/scripts/decrypt_gnupg-sc +++ b/debian/scripts/decrypt_gnupg-sc 
@@ -1,6 +1,6 @@ #!/bin/sh -PUBRING="/cryptroot/pubring.gpg" +PUBRING="/cryptroot/pubring.kbx" [ -f "$PUBRING" ] || PUBRING= run_gpg() { -- 2.11.0
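Review bot: in the debian/README.gnupg-sc hunk, the new `gpg --export 0xDEADBEEF | gpg --no-default-keyring --keyring /etc/cryptsetup-initramfs/pubring.kbx --import` merges into an existing keybox, whereas the old `gpg --export 0xDEADBEEF >/etc/cryptsetup-initramfs/pubring.gpg` redirection replaced the file outright; a key that is later rotated out therefore stays in the initramfs keyring until it is removed explicitly. The README should tell the reader to delete the old pubring.kbx (or `--delete-keys` the stale key) before re-importing, and should state that a pubring.gpg left over from the previous instructions is no longer used.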
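Review bot: the debian/initramfs/hooks/cryptgnupg-sc hunk only looks for `/etc/cryptsetup-initramfs/pubring.kbx`, so a system set up per the previous README, with only pubring.gpg in place, will from now on get an initramfs with no public key at all while the hook merely prints `WARNING: $PUBRING: No such file`. Either fall back to pubring.gpg when pubring.kbx is absent, or make the message name the migration, e.g. `cryptsetup_message "WARNING: $PUBRING: No such file (pubring.gpg is no longer used; see README.gnupg-sc)"`, so the user notices before rebooting into an unbootable system.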
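Review bot: in the debian/scripts/decrypt_gnupg-sc hunk, `[ -f "$PUBRING" ] || PUBRING=` still clears the variable silently when /cryptroot/pubring.kbx is missing, which is exactly the state the hook's missing-file path produces; at boot the cause then only shows up as whatever gpg reports later. A one-line message on stderr at this point, matching the hook's WARNING wording, would make the missing keyring obvious from the initramfs console.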
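The --with-colons check discussed in the message above, worked through as an added example that is neither the cryptsetup package's hook nor the script posted in the mail: it parses `gpg --with-colons --list-secret-keys` output read from stdin and rejects any secret key that is not on an OpenPGP card or an empty stub. It assumes POSIX sh and awk only (no gawk extensions); the sample listings are constructed, and their key IDs and card serial numbers are made up.

```shell
#!/bin/sh
# Added example, not the cryptsetup-initramfs hook itself: verify that every
# secret key gpg lists is either held on an OpenPGP card or is an empty stub.
#
# Colon-record layout (gpg's doc/DETAILS) for "sec" and "ssb" records:
#   field 1   record type
#   field 5   long key ID
#   field 15  token serial number: "#" for a stub with no secret key,
#             "+" for a secret key stored on disk, or the card serial number,
#             which for OpenPGP cards starts with the ISO 7816 AID prefix
#             D2 76 00 01 24 01.

# Print the key IDs of sec/ssb records whose secret material is neither on
# an OpenPGP card nor absent. Output is empty when everything is safe.
unsafe_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            if ($15 !~ /^D27600012401/ && $15 != "#") print $5
        }'
}

# Return 0 if only card keys and stubs are present; otherwise list the
# offending key IDs on stderr and return 1 (the shape a hook would use
# before copying a whole homedir into the initramfs).
require_card_keys_only() {
    bad=$(unsafe_secret_keys)
    if [ -n "$bad" ]; then
        printf 'Non-smartcard keys found:\n%s\nAborting\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample listings (made-up key IDs and serial numbers).
# CARD_ONLY: primary and encryption subkey on a card, authentication
# subkey is a bare stub.
CARD_ONLY='sec:u:4096:1:1111111111111111:1537700000:::u:::scESC:::D2760001240102010006012345670000:::23::0:
ssb:u:4096:1:2222222222222222:1537700000::::::e:::D2760001240102010006012345670000:::23:
ssb:u:4096:1:3333333333333333:1537700000::::::a:::#:::23:'
# MIXED: same primary key on a card, but the encryption subkey lives on disk.
MIXED='sec:u:4096:1:1111111111111111:1537700000:::u:::scESC:::D2760001240102010006012345670000:::23::0:
ssb:u:4096:1:4444444444444444:1537700000::::::e:::+:::23:
ssb:u:2048:1:5555555555555555:1537700000::::::s:::#:::23:'

# Stand-alone demonstration: the first listing passes, the second is rejected.
printf '%s\n' "$CARD_ONLY" | require_card_keys_only && echo "card-only listing accepted"
printf '%s\n' "$MIXED" | require_card_keys_only || echo "mixed listing rejected"
```

Against a real system the listing would come from `gpg --batch --with-colons --homedir /etc/keys --list-secret-keys | require_card_keys_only`; anchoring the regex with `^` avoids accepting a serial that merely contains the AID somewhere, which the unanchored pattern in the posted script would.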