arch/pkg/de-p1st-gnupg/README.md

148 lines
4.1 KiB
Markdown
Raw Permalink Normal View History

2021-04-29 12:09:36 +02:00
# gnupg
2021-04-29 15:02:25 +02:00
**TODO**:
* Currently using graphical pinentry ... this would mean dependend on X11/wayland
* could this be done with holo?
* default to terminal-pinentry
* `de-p1st-gnupg-x11` then changes the /etc/skel files to use graphical-pinentry
2021-06-15 12:39:36 +02:00
---
2021-04-29 15:02:25 +02:00
2021-05-31 17:32:20 +02:00
GnuPG german mini HowTo:
* [pdf](GnuPG_MiniHowto_ger_20200215.pdf)
2021-04-29 15:02:25 +02:00
2021-06-17 13:03:32 +02:00
`makepkg` and `pacman` use different PGP keyrings:
* [Two PGP Keyrings in Arch Linux](Two%20PGP%20Keyrings%20for%20Package%20Management%20in%20Arch%20Linux%20%7C%20Allan%20McRae.pdf)
2021-04-29 14:24:57 +02:00
One can use `/etc/gnupg/gpgconf.conf` to configure gpg and gpg-agent. However, not all options are available ...
```shell
gpgconf --list-options gpg
gpgconf --list-options gpg-agent
```
Using a smartcard:
2021-04-29 15:02:25 +02:00
* kuketz-blog.de: [gnupg-public-key-authentifizierung-nitrokey-teil3](https://www.kuketz-blog.de/gnupg-public-key-authentifizierung-nitrokey-teil3/)
* [gnupg.org -> Invoking-GPG_AGENT](https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html)
2021-04-29 14:24:57 +02:00
## gpg.conf
Location: `~/.gnupg/gpg.conf`
2022-05-18 17:58:06 +02:00
* [https://riseup.net/en/security/message-security/openpgp/best-practices]()
* [https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf]()
2021-04-29 14:24:57 +02:00
## gpg-agent.conf
Location: `~/.gnupg/gpg-agent.conf`
```
# List pinentries: pacman -Ql pinentry | grep /usr/bin/
# If a graphical application shall use ones smartcard one needs to specify a graphical pinentry program.
pinentry-program /usr/bin/pinentry-gnome3
2021-06-15 00:28:52 +02:00
# Enable ssh to use a smartcard for authentication.
2021-04-29 14:24:57 +02:00
enable-ssh-support
```
Debug options:
```
debug-pinentry
debug ipc
verbose
log-file /home/__USER__/.gnupg/logfile.log
```
`gnupg` depends on `pinentry` and `pinentry-gnome3` is part of `pinentry`.
```
$ pacman -F /usr/bin/pinentry-gnome3
usr/bin/pinentry-gnome3 is owned by core/pinentry 1.1.1-1
```
## Graphical Login: /etc/profile.d/*.sh, bashrc, .zshrc.local
* Archwiki: [GnuPG#Configure_pinentry_to_use_the_correct_TTY](https://wiki.archlinux.org/index.php/GnuPG#Configure_pinentry_to_use_the_correct_TTY)
* These two shell lines are demanded by the gnupg documentation in the chapter `Invoking GPG-AGENT`
* man 1 gpg-agent -> EXAMPLES -> set env variable GPG_TTY in your login shell
2021-06-15 12:39:36 +02:00
One's interactive, non-login shell, should run this:
2021-04-29 14:24:57 +02:00
```shell
GPG_TTY=$(tty)
export GPG_TTY
gpg-connect-agent updatestartuptty /bye >/dev/null
```
## SSH_AUTH_SOCK: /etc/profile.d/*.sh, bashrc, .zshrc.local
* Archwiki: [GnuPG#Set_SSH_AUTH_SOCK](https://wiki.archlinux.org/index.php/GnuPG#Set_SSH_AUTH_SOCK)
2021-04-29 12:09:36 +02:00
2021-06-15 12:39:36 +02:00
One's interactive, non-login shell, should run this:
2021-06-15 00:28:52 +02:00
2021-04-29 14:24:57 +02:00
```shell
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
export SSH_AUTH_SOCK
fi
```
2021-06-15 11:13:24 +02:00
2021-06-15 12:39:36 +02:00
## Note about "interactive, non-login, shell"
2021-06-15 11:13:24 +02:00
2021-06-15 12:39:36 +02:00
The gnupg manual is talking about "login shell" but mentions "~/.bashrc",
2023-08-13 16:13:44 +02:00
so I assume they mean an "interactive, non-login, shell".
2021-06-15 12:39:36 +02:00
See https://wiki.archlinux.org/title/bash#Configuration_files
Correct files to set `SSH_AGENT_PID` and `GPG_TTY`:
* `/etc/bash.bashrc`
* `/etc/zsh/zshrc`
2023-08-13 16:13:44 +02:00
These do not work:
2021-06-15 11:13:24 +02:00
2023-08-13 16:13:44 +02:00
* `/etc/profile.d/99_gnupg.sh`
2021-06-15 12:39:36 +02:00
> `/etc/profile` This file should be sourced by all POSIX sh-compatible shells
> upon login: it sets up $PATH and other environment variables and application-specific
> (/etc/profile.d/*.sh) settings upon login.
* `/etc/X11/xinit/xinitrc.d/`
2021-06-15 15:17:52 +02:00
## Use smartcard on new computer
To be able to use a smartcard, one has to import and then trust the public key first!
```shell
gpg --import 94F3D3DDAC22802258FC044B6C47C753F0823002.pub
```
And then trust the key:
```shell
gpg --edit-key 0x94F3D3DDAC22802258FC044B6C47C753F0823002
trust
5
y
quit
```
or
```shell
printf "5\ny\nquit\n" | gpg --command-fd 0 --expert --edit-key 0x94F3D3DDAC22802258FC044B6C47C753F0823002 trust
```
or
```shell
echo "94F3D3DDAC22802258FC044B6C47C753F0823002:6:" | gpg --import-ownertrust
```
See also:
* [export/import ownertrust](https://superuser.com/a/1125128)
This could be done with a script [99_import_pubkey.sh](99_import_pubkey.sh)
placed inside `/etc/profile.d/`. When using `sddm` as login manager, then
the output of this script can be found in `~/.local/share/sddm/xorg-session.log`.